Issue 638489 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Integer-overflow in CPDF_ToUnicodeMap::StringToCode

Project Member Reported by ClusterFuzz, Aug 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4940506125828096

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_ToUnicodeMap::StringToCode
  CPDF_ToUnicodeMap::Load
  CPDF_Font::LoadUnicodeMap
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (378.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Mtjjd6DFZhUcXbi6295d7REZXvUZ_DLwbCHCdxIU3gjZPI6KcwQS9zMrBIujE5UzzI6NA9uMnhN5H9P5XrY6fOjTXR6frM0WSjKjEH6DKSAkDqC52APRm1BDjdmGgyfI5dqTJkb5vSNV30_KQZ_hK4EA4Kligov7uWQiMJTQtGqQAJsQ?testcase_id=4940506125828096

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by ajha@chromium.org, Aug 17 2016

Cc: dsinclair@chromium.org ajha@chromium.org
Components: Internals>Plugins>PDF
Labels: Findit-for-crash Te-Logged M-53
Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)
FindIt result:
==============
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: tsepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/28c7844c1ef5ea0c8727b890e9ff56b593119a00
Time: Thu May 12 15:52:14 2016 -0700
The CL last changed line 142 of file fpdf_font.cpp, which is stack frame 0.

Author: tsepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/4c3debb3c91f5842784be30a911b52cdabcab7df
Time: Fri Apr 08 12:20:38 2016 -0700
The CL last changed line 239 of file fpdf_font.cpp, which is stack frame 1.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 282 of file cpdf_font.cpp, which is stack frame 2.

Author: tsepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/a431e238ee42025cce44c3a76dd07c470d7f51ec
Time: Tue Jun 07 21:56:50 2016 -0700
The CL last changed line 150 of file cpdf_font.cpp, which is stack frame 3.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 226 of file cpdf_cidfont.cpp, which is stack frame 4.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 622 of file cpdf_cidfont.cpp, which is stack frame 5.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 436 of file cpdf_cidfont.cpp, which is stack frame 6.

Suspected Project: chromium-pdfium

Based on the above Findit result, assigning to tsepez and cc'ing Dan for further investigation.

Comment 2 by tsepez@chromium.org, Aug 19 2016

Cc: tsepez@chromium.org
Owner: dsinclair@chromium.org
Dan gets these nowadays.

Comment 3 by tsepez@chromium.org, Aug 19 2016

Owner: tsepez@chromium.org
Status: Started (was: Assigned)
But I'll fix it since it's mindless.
Comment 5 by bugdroid1@chromium.org, Aug 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fcd3af29ac09bbcf1a5c7c288f63065c48449da7

commit fcd3af29ac09bbcf1a5c7c288f63065c48449da7
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Sat Aug 20 10:36:26 2016

Roll src/third_party/pdfium/ 5b13e1dc5..9b777deb0 (5 commits).

https://pdfium.googlesource.com/pdfium.git/+log/5b13e1dc5770..9b777deb00fb

$ git log 5b13e1dc5..9b777deb0 --date=short --no-merges --format='%ad %ae %s'
2016-08-19 weili Fix an embedder test with leaked page object
2016-08-19 npm Move CFX_FaceCache to its own file
2016-08-19 tsepez Avoid signed overflow in  CPDF_ToUnicodeMap::StringToCode()
2016-08-19 tsepez Introduce pdfium::FakeUniquePtr for keys to sets of unique ptrs.
2016-08-19 weili Fix leaked array buffer allocators of isolates

BUG= 638489 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2265733002
Cr-Commit-Position: refs/heads/master@{#413333}

[modify] https://crrev.com/fcd3af29ac09bbcf1a5c7c288f63065c48449da7/DEPS

Comment 6 by ClusterFuzz, Aug 21 2016

ClusterFuzz has detected this issue as fixed in range 413324:413335.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4940506125828096

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_ToUnicodeMap::StringToCode
  CPDF_ToUnicodeMap::Load
  CPDF_Font::LoadUnicodeMap
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=413324:413335

Minimized Testcase (378.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Mtjjd6DFZhUcXbi6295d7REZXvUZ_DLwbCHCdxIU3gjZPI6KcwQS9zMrBIujE5UzzI6NA9uMnhN5H9P5XrY6fOjTXR6frM0WSjKjEH6DKSAkDqC52APRm1BDjdmGgyfI5dqTJkb5vSNV30_KQZ_hK4EA4Kligov7uWQiMJTQtGqQAJsQ?testcase_id=4940506125828096

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot