Integer-overflow in CStretchEngine::CStretchEngine |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6534202604650496 Fuzzer: tokenfuzz_pdf_curated Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: CStretchEngine::CStretchEngine CFX_ImageStretcher::StartStretch CFX_ImageStretcher::Start Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (1353.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94HEbPPWiCWRL2EkC8OhivKr99HFm8PONLrB2mUei6AeebFV8W-Vuxqd5XdXsAxVySyIH7Wf1Xh4xR4x8lVyurkRnRYEs5tJNBdcmiZGYYGAestaiXw1I5NygFJ1nUabirjRl_96bWt9y6uNuVQF_55XtBnFvqCnzd01Wsx3KhI7h8btEo?testcase_id=6534202604650496 Issue manually filed by: mmohammad See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 12 2016
Issue 618696 has been merged into this issue.
,
Aug 12 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/229d05df5bc5deb3890b26b614113c25d9b6935e commit 229d05df5bc5deb3890b26b614113c25d9b6935e Author: weili <weili@chromium.org> Date: Fri Aug 12 02:43:58 2016 Fix an integer overflow in CStretchEngine constructor When the source bitmap's width and height are large, the multiplication could easily overflow a signed integer. Change to use 'long long' type for calculation to avoid that. BUG= chromium:635663 Review-Url: https://codereview.chromium.org/2240723002 [modify] https://crrev.com/229d05df5bc5deb3890b26b614113c25d9b6935e/BUILD.gn [modify] https://crrev.com/229d05df5bc5deb3890b26b614113c25d9b6935e/core/fxge/dib/fx_dib_engine.cpp [add] https://crrev.com/229d05df5bc5deb3890b26b614113c25d9b6935e/core/fxge/dib/fx_dib_engine_unittest.cpp [modify] https://crrev.com/229d05df5bc5deb3890b26b614113c25d9b6935e/pdfium.gyp
,
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e5d65196d13bbea473bd8c8b0cc481e12155543f commit e5d65196d13bbea473bd8c8b0cc481e12155543f Author: thestig <thestig@chromium.org> Date: Fri Aug 12 04:09:23 2016 Roll PDFium 85af2a3..d0b6ed1 https://pdfium.googlesource.com/pdfium.git/+log/85af2a3..d0b6ed1 BUG= 603489 , 635565 , 635663 TBR=ochang@chromium.org Review-Url: https://codereview.chromium.org/2237223003 Cr-Commit-Position: refs/heads/master@{#411548} [modify] https://crrev.com/e5d65196d13bbea473bd8c8b0cc481e12155543f/DEPS
,
Aug 12 2016
This doesn't seem to be a regression. But fixed now.
,
Aug 13 2016
ClusterFuzz has detected this issue as fixed in range 411529:411868. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6534202604650496 Fuzzer: tokenfuzz_pdf_curated Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: CStretchEngine::CStretchEngine CFX_ImageStretcher::StartStretch CFX_ImageStretcher::Start Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411529:411868 Minimized Testcase (1353.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94HEbPPWiCWRL2EkC8OhivKr99HFm8PONLrB2mUei6AeebFV8W-Vuxqd5XdXsAxVySyIH7Wf1Xh4xR4x8lVyurkRnRYEs5tJNBdcmiZGYYGAestaiXw1I5NygFJ1nUabirjRl_96bWt9y6uNuVQF_55XtBnFvqCnzd01Wsx3KhI7h8btEo?testcase_id=6534202604650496 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 15 2017
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mmohammad@chromium.org
, Aug 8 2016Status: Assigned (was: Untriaged)