Crash in CFDF_Document::WriteBuf
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4568251210399744

Fuzzer: ifratric_acrojs
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000004
Crash State:
  CFDF_Document::WriteBuf
  CPDFSDK_InterForm::ExportFormToFDFTextBuf
  Document::mailForm

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=414207:414243

Minimized Testcase (457.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JK5SDDAo1Y_GIEGVpaQGjs-bGZBMdF-cgjpPN06n1lU2lIB5KrPEOzJEAvCO8l2goT5tKIiuenBT0p3lu_nWld2czkj25ploerR1vTJPVwp7eXjRHJr8I02GNuMMpWF_WNkKPbTS-LVF9iAfOTs7BETbaHwHZ4fCjmkpEPReeU1d8M3U?testcase_id=4568251210399744

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016
Should be auto-rolled into Chromium soon.
Aug 29 2016
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium.git/+/c116e597ef4dfac88248d6de0e7c9bdf093b6e7c

commit c116e597ef4dfac88248d6de0e7c9bdf093b6e7c
Author: dsinclair <dsinclair@chromium.org>
Date: Mon Aug 29 20:08:25 2016

Verify element exists before accessing.

Currently when the parser utility classes are outputting to a text buffer we do not verify that an element from an array exists before accessing. We can have null items in arrays (and dictionaries, but the dictionary case is already handled). This CL updates the code to check the element exists before attempting to use the element.

BUG=chromium:641076
Review-Url: https://codereview.chromium.org/2292473004

[modify] https://crrev.com/c116e597ef4dfac88248d6de0e7c9bdf093b6e7c/core/fpdfapi/fpdf_parser/fpdf_parser_utility.cpp
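As an added illustration of the fix described in the commit above (this is not pdfium's code; PdfObject, WriteArrayUnchecked and WriteArrayChecked are hypothetical stand-ins for the array-serialising path in fpdf_parser_utility.cpp): the unchecked loop dereferences an empty array slot, while the checked loop emits it as the PDF null object instead.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Minimal stand-in for a parsed PDF object (hypothetical; not pdfium's CPDF_Object).
struct PdfObject {
  std::string text;     // textual form of an inline object, e.g. "/Yes" or "(Alice)"
  uint32_t objnum = 0;  // non-zero means indirect: written as "n 0 R" rather than inline
  bool IsInline() const { return objnum == 0; }
};

// Pre-fix shape of the serialiser: every slot is assumed to hold an object.
// A null slot makes pElement->IsInline() read through a null pointer, the
// kind of small-address UNKNOWN READ the ClusterFuzz report shows.
std::string WriteArrayUnchecked(const std::vector<const PdfObject*>& arr) {
  std::ostringstream buf;
  buf << "[";
  for (const PdfObject* pElement : arr) {
    if (!pElement->IsInline())
      buf << " " << pElement->objnum << " 0 R";
    else
      buf << " " << pElement->text;
  }
  buf << " ]";
  return buf.str();
}

// Post-fix shape: verify the element exists before using it. A missing slot
// is a legitimate PDF value, so it is written out as the null object.
std::string WriteArrayChecked(const std::vector<const PdfObject*>& arr) {
  std::ostringstream buf;
  buf << "[";
  for (const PdfObject* pElement : arr) {
    if (!pElement)
      buf << " null";
    else if (!pElement->IsInline())
      buf << " " << pElement->objnum << " 0 R";
    else
      buf << " " << pElement->text;
  }
  buf << " ]";
  return buf.str();
}
```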
Aug 30 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b80d9eb6c3b98e374b2f8eef570094d66b3406ba

commit b80d9eb6c3b98e374b2f8eef570094d66b3406ba
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Aug 30 05:03:50 2016

Roll src/third_party/pdfium/ 548ea2f7d..35512aa7e (14 commits).

https://pdfium.googlesource.com/pdfium.git/+log/548ea2f7d083..35512aa7e4ac

$ git log 548ea2f7d..35512aa7e --date=short --no-merges --format='%ad %ae %s'
2016-08-29 jaepark Display content of the annotation when mouse hover.
2016-08-29 dsinclair Skip the channel if there is no data.
2016-08-29 tsepez Revert "Add -> operators to CFX_CountRef."
2016-08-29 tsepez Revert "Replace wrapper methods in CPDF_Path with -> operator."
2016-08-29 tsepez Revert "Use ->() in CPDF_ColorState"
2016-08-29 tracy_jiang Fix for #618267. Adding a method to determine if multiplication has overflow.
2016-08-29 dsinclair Verify element exists before accessing.
2016-08-29 tsepez Use ->() in CPDF_ColorState
2016-08-29 stackexploit openjpeg: Prevent an integer overflow in opj_jp2_apply_pclr.
2016-08-29 dsinclair Initialize the CPDF_Document pointer
2016-08-29 tsepez Replace wrapper methods in CPDF_Path with -> operator.
2016-08-29 thestig Add some limit checks to ReadSharedObjHintTable().
2016-08-29 npm Move CFX_SubstFont and CTTFontDesc into their own files
2016-08-29 tonikitoo Fix the test case added in https://codereview.chromium.org/2277063003/

BUG=62625, 637232, 618267, 641076, 638829, 640998, 641444
TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2293733002
Cr-Commit-Position: refs/heads/master@{#415132}

[modify] https://crrev.com/b80d9eb6c3b98e374b2f8eef570094d66b3406ba/DEPS
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Aug 25 2016
Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)