Integer-overflow in FX_RECT::Width
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4569143926063104

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  FX_RECT::Width
  CPDF_ImageRenderer::StartLoadDIBSource
  CPDF_ImageRenderer::Start

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=394980:395008

Minimized Testcase (635.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XLP03sm_TNn4ix6N7m3_x_vmdhPdiNJ6AThdbna5Om5t4cV25bw_nLzvak183JMf37c2QuVen3d0yhWi4TRnjYE1IXuaFTnPETYQxTQaqeJBaba9AxFzXw4zzNFObTWngvEWDR8eS60uJy2KkZweIwHmv6YwUf3kk5LgjDF92QEXMs-w?testcase_id=4569143926063104

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016

Sep 7 2016

Sep 7 2016

Sep 7 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/f56d93f8ea1c2145401e99e61cefdbfcb7341229

commit f56d93f8ea1c2145401e99e61cefdbfcb7341229
Author: dsinclair <dsinclair@chromium.org>
Date: Wed Sep 07 20:54:01 2016

Verify image dimensions before using

Verify the provided image size is within bounds before loading.

BUG=chromium:639160
Review-Url: https://codereview.chromium.org/2323473002

[modify] https://crrev.com/f56d93f8ea1c2145401e99e61cefdbfcb7341229/core/fpdfapi/fpdf_render/fpdf_render_image.cpp
Sep 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3eff4410ebbaf6c85cc875cc7fcdc3a1ed24a1e0

commit 3eff4410ebbaf6c85cc875cc7fcdc3a1ed24a1e0
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Sep 07 22:20:17 2016

Roll src/third_party/pdfium/ 1df1efa39..f56d93f8e (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/1df1efa39218..f56d93f8ea1c

$ git log 1df1efa39..f56d93f8e --date=short --no-merges --format='%ad %ae %s'
2016-09-07 dsinclair Verify image dimensions before using
2016-09-07 dsinclair Verify pattern start values.

BUG=639160,637984
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2320823002
Cr-Commit-Position: refs/heads/master@{#417090}

[modify] https://crrev.com/3eff4410ebbaf6c85cc875cc7fcdc3a1ed24a1e0/DEPS
Sep 8 2016
ClusterFuzz has detected this issue as fixed in range 417065:417100.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4569143926063104

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  FX_RECT::Width
  CPDF_ImageRenderer::StartLoadDIBSource
  CPDF_ImageRenderer::Start

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=394980:395008
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=417065:417100

Minimized Testcase (635.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XLP03sm_TNn4ix6N7m3_x_vmdhPdiNJ6AThdbna5Om5t4cV25bw_nLzvak183JMf37c2QuVen3d0yhWi4TRnjYE1IXuaFTnPETYQxTQaqeJBaba9AxFzXw4zzNFObTWngvEWDR8eS60uJy2KkZweIwHmv6YwUf3kk5LgjDF92QEXMs-w?testcase_id=4569143926063104

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 19 2016

Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)