Undefined-shift in CFX_BitStream::GetBits
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5698067565379584

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  CPDF_HintTables::LoadHintStream

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=400269:400408

Minimized Testcase (153.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv949pKaIkWNwIzZ_KOe2ME__S1YLcMp7ZiToD_XFubRZE5HDU1YDKQ8PapB1G9lxzAdh4c3iij1P3-clu4CZ7k9I1fHps87GBozXlwd8fE9zZstRxl7MMwhP53y6c7pF9tx91fU6fXlPSjSG56dGMT_hQvrcT4qCN8Zo1uTSZoC_-EJqVTc?testcase_id=5698067565379584

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 15 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/10dc6fda67bd76a43446e915b9640eb2a11f6640

commit 10dc6fda67bd76a43446e915b9640eb2a11f6640
Author: thestig <thestig@chromium.org>
Date: Mon Aug 15 20:14:54 2016

Roll PDFium d0b6ed1..1099b29

https://pdfium.googlesource.com/pdfium.git/+log/d0b6ed1..1099b29

BUG=409472,617135,635438,637119
TBR=ochang@chromium.org

Review-Url: https://codereview.chromium.org/2249733002
Cr-Commit-Position: refs/heads/master@{#412028}

[modify] https://crrev.com/10dc6fda67bd76a43446e915b9640eb2a11f6640/DEPS
Aug 17 2016

ClusterFuzz has detected this issue as fixed in range 411957:412168.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5698067565379584

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  CPDF_HintTables::LoadHintStream

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=400269:400408
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411957:412168

Minimized Testcase (153.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv949pKaIkWNwIzZ_KOe2ME__S1YLcMp7ZiToD_XFubRZE5HDU1YDKQ8PapB1G9lxzAdh4c3iij1P3-clu4CZ7k9I1fHps87GBozXlwd8fE9zZstRxl7MMwhP53y6c7pF9tx91fU6fXlPSjSG56dGMT_hQvrcT4qCN8Zo1uTSZoC_-EJqVTc?testcase_id=5698067565379584

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 22 2016

Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment.
Aug 22 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100519917715456

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yi1PU2VFxumYAbcQgK-YdnhyHuLEVDQFZzdW-30MWlqospWLeYFWR735hmDlCXxzW1p3-dFgqEjpUC9OpFd2xE4WS_4ve4eo0Aq0GgHCicL952mdRES1j9U0-OqZcRb_yvAjJWZ4QFm_JEINKsTdeQYi6zw?testcase_id=6100519917715456

Additional requirements: Requires Gestures

Issue manually filed by: durga.behera

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 23 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6e465d61f28c8a3d9ddf3714f9ba64662989a36a

commit 6e465d61f28c8a3d9ddf3714f9ba64662989a36a
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Aug 23 02:24:56 2016

Roll src/third_party/pdfium/ a73b8fee8..7da24e66c (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/a73b8fee8751..7da24e66c6e7

$ git log a73b8fee8..7da24e66c --date=short --no-merges --format='%ad %ae %s'
2016-08-22 thestig Fix more integer overflows inside ReadPageHintTable().

BUG=637119
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2264363002
Cr-Commit-Position: refs/heads/master@{#413636}

[modify] https://crrev.com/6e465d61f28c8a3d9ddf3714f9ba64662989a36a/DEPS
Aug 23 2016

ClusterFuzz has detected this issue as fixed in range 413431:413647.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100519917715456

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413431:413647

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yi1PU2VFxumYAbcQgK-YdnhyHuLEVDQFZzdW-30MWlqospWLeYFWR735hmDlCXxzW1p3-dFgqEjpUC9OpFd2xE4WS_4ve4eo0Aq0GgHCicL952mdRES1j9U0-OqZcRb_yvAjJWZ4QFm_JEINKsTdeQYi6zw?testcase_id=6100519917715456

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 23 2016

Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment. Thank you.
Aug 23 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5799638466822144

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz

Minimized Testcase (0.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95lIQrPlRyvBaAqEm_9mZP-D-1SRw7JB0VZ4_V-bZjNZaV7XXgqgjXMCk8jzDpciPStsGf6xcUyu9iSIzCZ-912UXW309TF0bM5DB_iGeR2bTZKNthWVlgNmLvh_g8vMyziwIBZE1nFzXfRieTbPBKljcY0KA?testcase_id=5799638466822144

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 23 2016

Yes, because there are multiple calls to GetBits(), and until we whack all the moles...
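The defect class behind the "Undefined-shift in CFX_BitStream::GetBits" crash state is a shift whose width comes from the file. As an added illustration, not PDFium's code, here is a hypothetical MSB-first bit reader in the role of that GetBits frame, guarding both the shift width and the buffer bounds, plus a reader for a width-prefixed record of the kind a hint table header carries (in the PDF linearization hint table the header entries that state how many bits later fields occupy are 16-bit values, so a file can declare a width far above 32). Both functions and the sample bytes in the comments are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical MSB-first bit reader standing in for the role of
 * CFX_BitStream in the crash state above; added illustration, not PDFium code. */
typedef struct {
    const uint8_t *data;
    size_t bit_len;  /* total bits available in data */
    size_t bit_pos;  /* next bit to read */
} BitStream;

/* Reads nbits bits into *out. Returns false rather than performing an
 * out-of-range shift or an out-of-bounds read. An unguarded reader that
 * masks with (1u << nbits) - 1, or shifts a 32-bit accumulator by nbits,
 * has undefined behaviour once the file supplies nbits >= 32: that is the
 * defect class UBSan reports as "Undefined-shift". */
bool bitstream_get_bits(BitStream *bs, uint32_t nbits, uint32_t *out) {
    if (nbits > 32) return false;                          /* shift-width guard */
    if (nbits > bs->bit_len - bs->bit_pos) return false;   /* bounds guard */
    uint64_t acc = 0;  /* 64-bit accumulator: acc << 1 never overflows here */
    for (uint32_t i = 0; i < nbits; i++, bs->bit_pos++) {
        unsigned bit = (bs->data[bs->bit_pos >> 3] >> (7 - (bs->bit_pos & 7))) & 1u;
        acc = (acc << 1) | bit;
    }
    *out = (uint32_t)acc;
    return true;
}

/* Models the hint-table pattern: a 16-bit header entry declares the width of
 * the per-page fields that follow it. Because the header entry is 16 bits, a
 * hostile file can declare any width up to 65535, so the width is validated
 * before it is ever used as a shift or read count. Returns the number of
 * values read, or -1 when the width is unusable or the data runs out.
 * Constructed sample: {0x00,0x03,0xAB,0x80} is width 3 followed by 5, 2, 7. */
int read_width_prefixed_values(const uint8_t *buf, size_t len,
                               size_t count, uint32_t *out) {
    BitStream bs = { buf, len * 8, 0 };
    uint32_t width;
    if (!bitstream_get_bits(&bs, 16, &width)) return -1;
    if (width > 32) return -1;  /* reject the declared width instead of shifting by it */
    for (size_t i = 0; i < count; i++)
        if (!bitstream_get_bits(&bs, width, &out[i])) return -1;
    return (int)count;
}
```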
Aug 24 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8cbce84c4d25478e7f934b2e89b313ef4360c2d6

commit 8cbce84c4d25478e7f934b2e89b313ef4360c2d6
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Aug 24 02:59:47 2016

Roll src/third_party/pdfium/ 837735660..8252bc1e5 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/837735660808..8252bc1e5a42

$ git log 837735660..8252bc1e5 --date=short --no-merges --format='%ad %ae %s'
2016-08-23 thestig Fix one more integer overflow in ReadPageHintTable().

BUG=637119
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2277623002
Cr-Commit-Position: refs/heads/master@{#413961}

[modify] https://crrev.com/8cbce84c4d25478e7f934b2e89b313ef4360c2d6/DEPS
Aug 24 2016

ClusterFuzz has detected this issue as fixed in range 413747:413961.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5799638466822144

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413747:413961

Minimized Testcase (0.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95lIQrPlRyvBaAqEm_9mZP-D-1SRw7JB0VZ4_V-bZjNZaV7XXgqgjXMCk8jzDpciPStsGf6xcUyu9iSIzCZ-912UXW309TF0bM5DB_iGeR2bTZKNthWVlgNmLvh_g8vMyziwIBZE1nFzXfRieTbPBKljcY0KA?testcase_id=5799638466822144

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 24 2016

Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment. Thank you.
Aug 24 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5734095705604096

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325

Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RJlgNWrOmEg9Cbbigg4-IfxfW8GzE-MhgefZOQvSH9TmcS1QInpZeTGVmMO4Ml3IQ9fhWfT3vJKE4NVhq5qIz-534PoBhJ30QydPhSZPQ9jeOMSO7Ify6N41VA24YACuStefOVXHdzC-wQSDgPPW_KwafVA?testcase_id=5734095705604096

Additional requirements: Requires Gestures

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 25 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6751907727278080

Fuzzer: afl_pdf_hint_table_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  CPDF_HintTables::ReadPageHintTable

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=413317:413339

Minimized Testcase (5.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Z8VXvdr3Ie-FKE5mVQQcqHRJzs5aUuV2nSlsn-hA544RcP_faRUNE43ArhiJIFP83Bv3H8MC-_6mTs00odprVgVRs9-MkI79IQL4lq62BvLi0a2pFBCwavfUAZOJ8zIZxYGNOzt-IIULz8_YUIBls1o6Lzg?testcase_id=6751907727278080

Issue manually filed by: durga.behera

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 26 2016

The whack-a-mole continues.
Sep 1 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/583cf8ed05fb00102bfae37599ea272d254b121b

commit 583cf8ed05fb00102bfae37599ea272d254b121b
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Sep 01 18:18:55 2016

Roll src/third_party/pdfium/ 543651f9d..5e2d5c7ca (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/543651f9d8d8..5e2d5c7ca2d0

$ git log 543651f9d..5e2d5c7ca --date=short --no-merges --format='%ad %ae %s'
2016-09-01 thestig Better validate hint table header bits entries.

BUG=637119
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2301133002
Cr-Commit-Position: refs/heads/master@{#416000}

[modify] https://crrev.com/583cf8ed05fb00102bfae37599ea272d254b121b/DEPS
Sep 2 2016

ClusterFuzz has detected this issue as fixed in range 415982:416034.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5734095705604096

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415982:416034

Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RJlgNWrOmEg9Cbbigg4-IfxfW8GzE-MhgefZOQvSH9TmcS1QInpZeTGVmMO4Ml3IQ9fhWfT3vJKE4NVhq5qIz-534PoBhJ30QydPhSZPQ9jeOMSO7Ify6N41VA24YACuStefOVXHdzC-wQSDgPPW_KwafVA?testcase_id=5734095705604096

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Aug 11 2016