Integer-overflow in CPDF_SimpleFont::LoadSubstFont
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6571981447364608

Fuzzer: tokenfuzz_pdf_march16
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CPDF_SimpleFont::LoadSubstFont
  CPDF_SimpleFont::LoadCommon
  CPDF_Font::CreateFontF

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (180.92 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Q86LqqgrqxzL5SWmp1HunTMrJ81_laDTwSEFjKBO-PyEd3E8JvGCQa6fqAPyrTfyRMwhfvYdhIAB4mxzLTi6G5_k_taiBvHTRM70Om2z8VPFclCSqz9jf2WQK4DSM3Z7y-fXZ_mE3DMK3jkKwwAVc0ZgnYMRJsgZFlTExmJ9hWjlBwIU?testcase_id=6571981447364608

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016

Aug 29 2016

Aug 30 2016
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium.git/+/f7252a074ed013e2ad3cc11e08eba90502262ce0

commit f7252a074ed013e2ad3cc11e08eba90502262ce0
Author: dsinclair <dsinclair@chromium.org>
Date: Tue Aug 30 17:27:03 2016

Guard against overflow when calculating font weight.

This CL uses the safe math libraries when calculating the font weight from the StemV value as very large values for StemV can cause the signed int to overflow.

BUG= chromium:641418

Review-Url: https://codereview.chromium.org/2293633002

[modify] https://crrev.com/f7252a074ed013e2ad3cc11e08eba90502262ce0/core/fpdfapi/fpdf_font/cpdf_cidfont.cpp
[modify] https://crrev.com/f7252a074ed013e2ad3cc11e08eba90502262ce0/core/fpdfapi/fpdf_font/cpdf_simplefont.cpp
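The fix commit above describes the defect and the mitigation in one sentence: a StemV value read from an untrusted FontDescriptor is multiplied into a signed int, so a hostile document can make that arithmetic overflow, and the remedy is to do the computation with checked math and fall back to a default weight when the result does not fit. The example below is added here to illustrate that pattern; it is not pdfium's code, the StemV-to-weight mapping it uses (`stemV * 5` below 140, otherwise `stemV * 4 + 140`), the constant `kFontWeightNormal` and all function names are assumptions made for the illustration, and it uses a portable 64-bit range check in place of Chromium's CheckedNumeric helper.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Assumed default weight used when the computed value cannot be trusted
// (stands in for a "normal" weight constant; not a pdfium identifier).
constexpr int kFontWeightNormal = 400;

// Unchecked form: the shape of the bug the report describes. With a very
// large StemV taken from the document, stemV * 5 (or stemV * 4 + 140)
// overflows a signed int, which is undefined behaviour and exactly what the
// UBSan build flagged. The mapping is an assumption for illustration only.
int weightFromStemVUnchecked(int stemV) {
  if (stemV < 140)
    return stemV * 5;
  return stemV * 4 + 140;
}

// Checked form: widen to 64 bits, do the same arithmetic, and only narrow
// back to int when the result is representable. Returns false (and leaves
// *weight untouched) when the int computation would have overflowed.
bool weightFromStemVChecked(int stemV, int* weight) {
  int64_t wide = stemV;
  if (stemV < 140)
    wide *= 5;
  else
    wide = wide * 4 + 140;
  if (wide < INT_MIN || wide > INT_MAX)
    return false;  // caller must substitute a safe default
  *weight = static_cast<int>(wide);
  return true;
}

// Convenience wrapper in the spirit of a "value or default" accessor:
// the computed weight, or kFontWeightNormal if it cannot be represented.
int weightOrDefault(int stemV) {
  int w = 0;
  return weightFromStemVChecked(stemV, &w) ? w : kFontWeightNormal;
}

// True when the int computation for this StemV would overflow.
bool stemVOverflows(int stemV) {
  int w = 0;
  return !weightFromStemVChecked(stemV, &w);
}

int main() {
  // Constructed sample StemV values: typical, large-but-valid, and hostile
  // (the extremes are what a fuzzer reaches for).
  const int samples[] = {100, 200, INT_MAX, INT_MIN};
  for (int s : samples) {
    std::printf("StemV=%d -> weight=%d%s\n", s, weightOrDefault(s),
                stemVOverflows(s) ? " (overflow, default used)" : "");
  }
  return 0;
}
```

The unchecked function is only ever called with small inputs here; calling it with INT_MAX would itself be undefined behaviour, which is the point. Note that the widened check guards representability, not plausibility: a negative or absurdly large StemV that still fits in an int is passed through unchanged, so a loader that wants sane weights should additionally clamp to the range its font substitution code expects.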
Aug 30 2016

Aug 30 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5772bc071f6677f9c5f5ac060b1abb79d8fb3a00

commit 5772bc071f6677f9c5f5ac060b1abb79d8fb3a00
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Aug 30 20:28:29 2016

Roll src/third_party/pdfium/ 50034a679..fbda17d61 (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/50034a679249..fbda17d61de1

$ git log 50034a679..fbda17d61 --date=short --no-merges --format='%ad %ae %s'
2016-08-30 tsepez Make CPDF_TextState have a CPDF_TextStateData rather than inheriting one.
2016-08-30 dsinclair Guard against overflow when calculating font weight.

BUG= 641418
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2292243002
Cr-Commit-Position: refs/heads/master@{#415408}

[modify] https://crrev.com/5772bc071f6677f9c5f5ac060b1abb79d8fb3a00/DEPS
Sep 1 2016
ClusterFuzz has detected this issue as fixed in range 415049:415582.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6571981447364608

Fuzzer: tokenfuzz_pdf_march16
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CPDF_SimpleFont::LoadSubstFont
  CPDF_SimpleFont::LoadCommon
  CPDF_Font::CreateFontF

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=415049:415582

Minimized Testcase (180.92 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Q86LqqgrqxzL5SWmp1HunTMrJ81_laDTwSEFjKBO-PyEd3E8JvGCQa6fqAPyrTfyRMwhfvYdhIAB4mxzLTi6G5_k_taiBvHTRM70Om2z8VPFclCSqz9jf2WQK4DSM3Z7y-fXZ_mE3DMK3jkKwwAVc0ZgnYMRJsgZFlTExmJ9hWjlBwIU?testcase_id=6571981447364608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Aug 26 2016

Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)