
Issue 641882

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug


Crash in base::win::ForceCrashOnSigAbort

Reported by ClusterFuzz (Project Member), Aug 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4921097789374464

Fuzzer: ochang_neurofuzz_borgfuzz
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000
Crash State:
  base::win::ForceCrashOnSigAbort
  CPDF_HintTables::ReadPageHintTable
  CPDF_HintTables::LoadHintStream
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=414945:414952

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97vgLOh4o68HPLohEbHRrx5syCz9EJIgpU9dnYcuGV3j16EwJkaoDxfxHt37-JlV020bz8b-TJVDEswfyadlM4lOZWaFyJN9cHVtW2rU_xbrbItGOgWy1mdnA_RzFHXHeOM9hQatLrEXrhm1VPvfDDzepsMd856fP00cC56QmL8cjA54ts?testcase_id=4921097789374464


Issue manually filed by: msrchandra

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: dsinclair@chromium.org
Components: Tools>Test>FindIt>NoResult
Labels: Needs-triage Te-Logged
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: sammc
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/6f856f785833aae16732c3573ef4174561ce7de4
Time: Tue Jun 30 02:11:23 2015
The CL last changed line 67 of file win_util.cc, which is stack frame 0.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 230 of file cpdf_hint_tables.cpp, which is stack frame 3.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 461 of file cpdf_hint_tables.cpp, which is stack frame 4.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 781 of file cpdf_data_avail.cpp, which is stack frame 5.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 215 of file cpdf_data_avail.cpp, which is stack frame 6.

Suspected Project: chromium

Unable to find the suspect from the CL also. CL details:
https://chromium.googlesource.com/chromium/src/+log/98bae263014aad2d3ef0910edef31a8ee32a6c17..d1109b15f8669b2c342d87e9ae6e5d8ebd669ada?pretty=fuller

Could someone please look into the issue and update.
Thank you.
Labels: findit-wrong
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
dsinclair@, could you please look into this. Please feel free to reassign back if needed. Thanks in advance!
Labels: -Needs-triage
Owner: thestig@chromium.org
Passing to thestig@, who has been looking at CPDF_HintTables crashes.
Components: Internals>Plugins>PDF
Cc: och...@chromium.org
This crash doesn't seem to make sense. We have:

229: hStream->SkipBits(safeTotalPageLen.ValueOrDie());
230: hStream->ByteAlign();

How can we nullptr deref on line 230?

I can't repro the crash on Linux Chrome, or with Linux ASAN + pdfium_test.
Though it does crash on Windows Chrome. Interesting.
Maybe the symbolization is screwed up because of inlining, and we eventually abort on a failed safeTotalPageLen.ValueOrDie() on line 229?
Oh, never mind, that shouldn't happen because of the CanReadFromBitStream check before.
Status: Started (was: Assigned)
https://codereview.chromium.org/2300903002/ - only happens on Windows because FX_FILESIZE is only an int32_t. We may want to consider changing that someday if we ever want to support very large PDFs. The Books team have a few samples.
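The fix above attributes the Windows-only crash to FX_FILESIZE being a 32-bit type, i.e. a length computation that overflows and a bounds check that then trusts the wrapped value. The following is an added illustration of that bug class, not PDFium code: `FileSize32`, `BitStream`, `SkipPagesUnchecked` and `SkipPagesChecked` are hypothetical stand-ins, with the checked variant playing the role the thread's safeTotalPageLen / CanReadFromBitStream pair is meant to play.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical 32-bit file-size type, modelling what the thread says about
// FX_FILESIZE on Windows. Unsigned so the wrap-around is well-defined and visible.
using FileSize32 = uint32_t;

struct BitStream {
  uint64_t pos_bits = 0;   // current read position in bits
  uint64_t size_bits;      // bits actually backed by the buffer
};

// Bounds check in the spirit of CanReadFromBitStream: can `bits` be consumed
// from the current position without running past the buffer?
bool CanReadFromBitStream(const BitStream& s, uint64_t bits) {
  return bits <= s.size_bits && s.pos_bits <= s.size_bits - bits;
}

// Vulnerable pattern: per-page lengths are summed in the 32-bit file-size
// type, so a hostile length wraps to a small total, the bounds check passes,
// and the stream position no longer reflects the data actually described.
// Returns the new position, or nullopt if the skip was rejected.
std::optional<uint64_t> SkipPagesUnchecked(BitStream s, const std::vector<uint32_t>& page_lens) {
  FileSize32 total_bytes = 0;
  for (uint32_t len : page_lens) total_bytes += len;  // silent wrap-around
  uint64_t total_bits = static_cast<uint64_t>(total_bytes) * 8;
  if (!CanReadFromBitStream(s, total_bits)) return std::nullopt;
  return s.pos_bits + total_bits;
}

// Hardened pattern: accumulate in a wider type and fail closed as soon as the
// running total exceeds what FileSize32 can represent, instead of reaching an
// invalid checked value later (the ValueOrDie() abort path).
std::optional<uint64_t> SkipPagesChecked(BitStream s, const std::vector<uint32_t>& page_lens) {
  uint64_t total_bytes = 0;
  for (uint32_t len : page_lens) {
    total_bytes += len;  // cannot overflow: total <= 2^32 - 1 before each add
    if (total_bytes > std::numeric_limits<FileSize32>::max()) return std::nullopt;
  }
  uint64_t total_bits = total_bytes * 8;  // fits in 64 bits: total_bytes < 2^32
  if (!CanReadFromBitStream(s, total_bits)) return std::nullopt;
  return s.pos_bits + total_bits;
}
```

On a 4 KiB stream, page lengths 0xFFFFFF00 and 0x200 wrap to a 256-byte total in the unchecked version and pass the bounds check; the checked version rejects the same input.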
Status: Fixed (was: Started)
Comment 13 by bugdroid1@chromium.org (Project Member), Sep 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dccbd50cab878f34db9f5d4df2642ca1a2ab368e

commit dccbd50cab878f34db9f5d4df2642ca1a2ab368e
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Sep 01 20:19:24 2016

Roll src/third_party/pdfium/ 5e2d5c7ca..8d3ca1484 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/5e2d5c7ca2d0..8d3ca14840a0

$ git log 5e2d5c7ca..8d3ca1484 --date=short --no-merges --format='%ad %ae %s'
2016-09-01 thestig Handle another integer overflow in ReadPageHintTable().

BUG= 641882 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2301173002
Cr-Commit-Position: refs/heads/master@{#416031}

[modify] https://crrev.com/dccbd50cab878f34db9f5d4df2642ca1a2ab368e/DEPS

Components: -Tools>Test>FindIt>NoResult
Comment 15 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot