
Issue 637119 link


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Undefined-shift in CFX_BitStream::GetBits

Project Member Reported by ClusterFuzz, Aug 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5698067565379584

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  CPDF_HintTables::LoadHintStream
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=400269:400408

Minimized Testcase (153.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv949pKaIkWNwIzZ_KOe2ME__S1YLcMp7ZiToD_XFubRZE5HDU1YDKQ8PapB1G9lxzAdh4c3iij1P3-clu4CZ7k9I1fHps87GBozXlwd8fE9zZstRxl7MMwhP53y6c7pF9tx91fU6fXlPSjSG56dGMT_hQvrcT4qCN8Zo1uTSZoC_-EJqVTc?testcase_id=5698067565379584

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
thestig@ could you please look into this, and re-assign if needed. Thanks in advance.
Project Member

Comment 2 by bugdroid1@chromium.org, Aug 15 2016

Status: Fixed (was: Assigned)
Project Member

Comment 4 by ClusterFuzz, Aug 17 2016

ClusterFuzz has detected this issue as fixed in range 411957:412168.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5698067565379584

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  CPDF_HintTables::LoadHintStream
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=400269:400408
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411957:412168

Minimized Testcase (153.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv949pKaIkWNwIzZ_KOe2ME__S1YLcMp7ZiToD_XFubRZE5HDU1YDKQ8PapB1G9lxzAdh4c3iij1P3-clu4CZ7k9I1fHps87GBozXlwd8fE9zZstRxl7MMwhP53y6c7pF9tx91fU6fXlPSjSG56dGMT_hQvrcT4qCN8Zo1uTSZoC_-EJqVTc?testcase_id=5698067565379584

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Assigned (was: Fixed)
Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment.
Project Member

Comment 6 by ClusterFuzz, Aug 22 2016

Labels: Stability-LibFuzzer
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100519917715456

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yi1PU2VFxumYAbcQgK-YdnhyHuLEVDQFZzdW-30MWlqospWLeYFWR735hmDlCXxzW1p3-dFgqEjpUC9OpFd2xE4WS_4ve4eo0Aq0GgHCicL952mdRES1j9U0-OqZcRb_yvAjJWZ4QFm_JEINKsTdeQYi6zw?testcase_id=6100519917715456

Additional requirements: Requires Gestures

Issue manually filed by: durga.behera

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6e465d61f28c8a3d9ddf3714f9ba64662989a36a

commit 6e465d61f28c8a3d9ddf3714f9ba64662989a36a
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Aug 23 02:24:56 2016

Roll src/third_party/pdfium/ a73b8fee8..7da24e66c (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/a73b8fee8751..7da24e66c6e7

$ git log a73b8fee8..7da24e66c --date=short --no-merges --format='%ad %ae %s'
2016-08-22 thestig Fix more integer overflows inside ReadPageHintTable().

BUG= 637119 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2264363002
Cr-Commit-Position: refs/heads/master@{#413636}

[modify] https://crrev.com/6e465d61f28c8a3d9ddf3714f9ba64662989a36a/DEPS

Status: Fixed (was: Assigned)
Project Member

Comment 9 by ClusterFuzz, Aug 23 2016

ClusterFuzz has detected this issue as fixed in range 413431:413647.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100519917715456

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413431:413647

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yi1PU2VFxumYAbcQgK-YdnhyHuLEVDQFZzdW-30MWlqospWLeYFWR735hmDlCXxzW1p3-dFgqEjpUC9OpFd2xE4WS_4ve4eo0Aq0GgHCicL952mdRES1j9U0-OqZcRb_yvAjJWZ4QFm_JEINKsTdeQYi6zw?testcase_id=6100519917715456

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Assigned (was: Fixed)
Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment. Thank you.
Project Member

Comment 11 by ClusterFuzz, Aug 23 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5799638466822144

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz
  

Minimized Testcase (0.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95lIQrPlRyvBaAqEm_9mZP-D-1SRw7JB0VZ4_V-bZjNZaV7XXgqgjXMCk8jzDpciPStsGf6xcUyu9iSIzCZ-912UXW309TF0bM5DB_iGeR2bTZKNthWVlgNmLvh_g8vMyziwIBZE1nFzXfRieTbPBKljcY0KA?testcase_id=5799638466822144

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Yes, because there are multiple calls to GetBits(), and until we whack all the moles...
Project Member

Comment 13 by bugdroid1@chromium.org, Aug 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8cbce84c4d25478e7f934b2e89b313ef4360c2d6

commit 8cbce84c4d25478e7f934b2e89b313ef4360c2d6
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Aug 24 02:59:47 2016

Roll src/third_party/pdfium/ 837735660..8252bc1e5 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/837735660808..8252bc1e5a42

$ git log 837735660..8252bc1e5 --date=short --no-merges --format='%ad %ae %s'
2016-08-23 thestig Fix one more integer overflow in ReadPageHintTable().

BUG= 637119 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2277623002
Cr-Commit-Position: refs/heads/master@{#413961}

[modify] https://crrev.com/8cbce84c4d25478e7f934b2e89b313ef4360c2d6/DEPS

Status: Fixed (was: Assigned)
Project Member

Comment 15 by ClusterFuzz, Aug 24 2016

ClusterFuzz has detected this issue as fixed in range 413747:413961.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5799638466822144

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413747:413961

Minimized Testcase (0.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95lIQrPlRyvBaAqEm_9mZP-D-1SRw7JB0VZ4_V-bZjNZaV7XXgqgjXMCk8jzDpciPStsGf6xcUyu9iSIzCZ-912UXW309TF0bM5DB_iGeR2bTZKNthWVlgNmLvh_g8vMyziwIBZE1nFzXfRieTbPBKljcY0KA?testcase_id=5799638466822144

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Assigned (was: Fixed)
Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment. Thank you.
Project Member

Comment 17 by ClusterFuzz, Aug 24 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5734095705604096

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325

Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RJlgNWrOmEg9Cbbigg4-IfxfW8GzE-MhgefZOQvSH9TmcS1QInpZeTGVmMO4Ml3IQ9fhWfT3vJKE4NVhq5qIz-534PoBhJ30QydPhSZPQ9jeOMSO7Ify6N41VA24YACuStefOVXHdzC-wQSDgPPW_KwafVA?testcase_id=5734095705604096

Additional requirements: Requires Gestures

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 18 by ClusterFuzz, Aug 25 2016

Labels: Stability-AFL Stability-Memory-AddressSanitizer
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6751907727278080

Fuzzer: afl_pdf_hint_table_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  CPDF_HintTables::ReadPageHintTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=413317:413339

Minimized Testcase (5.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Z8VXvdr3Ie-FKE5mVQQcqHRJzs5aUuV2nSlsn-hA544RcP_faRUNE43ArhiJIFP83Bv3H8MC-_6mTs00odprVgVRs9-MkI79IQL4lq62BvLi0a2pFBCwavfUAZOJ8zIZxYGNOzt-IIULz8_YUIBls1o6Lzg?testcase_id=6751907727278080

Issue manually filed by: durga.behera

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Components: Internals>Plugins>PDF
Labels: -Pri-1 Pri-2
The whack-a-mole continues.
Labels: -Stability-Memory-AddressSanitizer -Stability-AFL
Status: Fixed (was: Assigned)
Project Member

Comment 22 by bugdroid1@chromium.org, Sep 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/583cf8ed05fb00102bfae37599ea272d254b121b

commit 583cf8ed05fb00102bfae37599ea272d254b121b
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Sep 01 18:18:55 2016

Roll src/third_party/pdfium/ 543651f9d..5e2d5c7ca (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/543651f9d8d8..5e2d5c7ca2d0

$ git log 543651f9d..5e2d5c7ca --date=short --no-merges --format='%ad %ae %s'
2016-09-01 thestig Better validate hint table header bits entries.

BUG= 637119 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2301133002
Cr-Commit-Position: refs/heads/master@{#416000}

[modify] https://crrev.com/583cf8ed05fb00102bfae37599ea272d254b121b/DEPS

Project Member

Comment 23 by ClusterFuzz, Sep 2 2016

ClusterFuzz has detected this issue as fixed in range 415982:416034.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5734095705604096

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadPageHintTable
  HintTableForFuzzing::Fuzz
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415982:416034

Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RJlgNWrOmEg9Cbbigg4-IfxfW8GzE-MhgefZOQvSH9TmcS1QInpZeTGVmMO4Ml3IQ9fhWfT3vJKE4NVhq5qIz-534PoBhJ30QydPhSZPQ9jeOMSO7Ify6N41VA24YACuStefOVXHdzC-wQSDgPPW_KwafVA?testcase_id=5734095705604096

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 24 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
