New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 638832 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Undefined-shift in t1_decoder_parse_charstrings

Project Member Reported by ClusterFuzz, Aug 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6500165685084160

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  t1_decoder_parse_charstrings
  T1_Parse_Glyph_And_Get_Char_String
  T1_Parse_Glyph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (1.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97sozqIqNtIGlVvow0t_7SOUJ4xL1BrRUIJt_m_o0djM3rmyTObyGTyYaPXyrh9jPPsfM-uqyMP8hqasAQy-ZkQPAEoiVhjDaIxElSoo_SnAVmpu0mDj06enTQIqoXvq8sZyZp6vIan0yiIpcM92J7NETMyHg?testcase_id=6500165685084160

Issue manually filed by: ajha

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by ajha@chromium.org, Aug 18 2016

Cc: mmoroz@chromium.org ajha@chromium.org
Labels: Needs-triage Te-Logged M-53
FindIt result:
==============
Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: Werner Lemberg
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/11cb8c36ed9c75ccf3b80bdb59e9b2a75993a1cd
Time: Mon Jun 22 14:56:47 2009
The CL last changed line 614 of file t1decode.c, which is stack frame 0.

Author: Werner Lemberg
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/7f74a52a210fc20a8fcc0f8160ce92dfe0f84c48
Time: Fri Jul 26 09:09:10 2002
The CL last changed line 93 of file t1gload.c, which is stack frame 1.

Author: David Turner
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/87c0d30fc5fe512c8971510622091dd2c7a83031
Time: Wed Dec 24 01:10:46 2003
The CL last changed line 129 of file t1gload.c, which is stack frame 2.

Author: Werner Lemberg
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/b5084e11f7d2d73e0687dee6314c560b8fe6d4cb
Time: Sat Oct 28 17:10:06 2000
The CL last changed line 197 of file t1gload.c, which is stack frame 3.

Author: Werner Lemberg
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/b5084e11f7d2d73e0687dee6314c560b8fe6d4cb
Time: Sat Oct 28 17:10:06 2000
The CL last changed line 468 of file t1objs.c, which is stack frame 4.

Author: Werner Lemberg
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/102bb83afddf6dcb60c0eee0621b9e92ee3c157e
Time: Tue Jun 10 04:57:19 2008
The CL last changed line 1149 of file ftobjs.c, which is stack frame 5.

Author: Graham Asher
Project: chromium-freetype2
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/d53cf1df31fa7ca41f87645d25517b05a1111eb3
Time: Thu Jul 18 15:04:29 2002
The CL last changed line 2126 of file ftobjs.c, which is stack frame 6.

Suspected Project: chromium-freetype2
==================================================================================

No clear owners of 'chromium-freetype2' as per  Issue 617879  hence Cc'ing mmoroz@ for help in finding an appropriate owner or routing this to suitable channel. 

Thank you!

Comment 2 by mmoroz@chromium.org, Aug 18 2016

Cc: bunge...@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Blink>Fonts
Owner: dpranke@chromium.org
Components: -Blink>Fonts Internals>Plugins>PDF
This is a PDF -- reassigning there (not a blink issue)
Status: WontFix (was: Untriaged)
Yet another case where we shouldn't be using the old freetype from third_party/freetype.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by ClusterFuzz, Feb 28 2017

ClusterFuzz has detected this issue as fixed in range 453205:453227.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6500165685084160

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  t1_decoder_parse_charstrings
  T1_Parse_Glyph_And_Get_Char_String
  T1_Face_Init
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=453205:453227

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv947GDjsGHSmtGjeVENAC7Idr7yyOhTyiRlvtqJpv8AJQHJisBrYR3TzoPMhnqmzFSUo_vQi7eyjyXOXPShyHEO_2TNQrHXp9JfK9rAqezE_CfaajCboU0HZQSgwew7AXYyrKle3V5BtBDFGTxyN0kvuS4zZ641RRQ-x0ODU9buyDkAYbNvS8NRPxM7WzhnLAvIvk6zQTwDB_b-XcWV1AZoQIjNFOnrJR72pdYNx4rqeBHp924fx0ueoTjuL8IMuyd2hsqMzdnhkaf3F1hxmUFEP94wQSQ5xTKSXRa3v_UkJWJfSZU-CgiNK7y_tpCIwowdYxpQ8zTtOE1P6EtbHVt6nyV_3idFlHlSlOLkrdB4LzSS6ycg?testcase_id=6500165685084160


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment