This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Hello Dan, art-snake,

Could one of you please help find an appropriate owner for this security bug?

Thanks!


Suspected CLs: The result is a list of CLs that change the crashed files.

Author: dsinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/38fd84428a1ea007a043be0b7d9b289e47aa5da0
Time: Thu Sep 15 10:15:32 2016 -0700
Lines 360 of file fpdf_page_doc.cpp which potentially caused crash are changed in this cl (frame #1, "CPDF_DocPageData::ReleaseColorSpace").

Lines 1029 of file fpdf_render_image.cpp which potentially caused crash are changed in this cl (frame #2, "CPDF_RenderStatus::LoadSMask").

Files fpdf_render.cpp, fpdfview.cpp are changed in this cl (and is part of stack frame #3, "CPDF_RenderStatus::ProcessTransparency"; frame #4, "CPDF_RenderStatus::ContinueSingleObject"; frame #5, "CPDF_ProgressiveRenderer::Continue")
Minimum distance from crash line to modified line: 0. (file: fpdf_render_image.cpp, crashed on: 1029, modified: 1029).

Author: art-snake
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/cde5101eb15b24519e89fa500fe37038bc8e2201
Time: Thu Sep 15 14:11:09 2016 -0700
Lines 337 of file fpdf_page_doc.cpp which potentially caused crash are changed in this cl (frame #1, "CPDF_DocPageData::ReleaseColorSpace").

File fpdf_render.cpp is changed in this cl (and is part of stack frame #3, "CPDF_RenderStatus::ProcessTransparency"; frame #4, "CPDF_RenderStatus::ContinueSingleObject"; frame #5, "CPDF_ProgressiveRenderer::Continue")
Minimum distance from crash line to modified line: 0. (file: fpdf_page_doc.cpp, crashed on: 337, modified: 337).

Suspected Project: chromium-pdfium

ClusterFuzz has detected this issue as fixed in range 419475:419498.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6473827951575040

Fuzzer: ifratric_pdf_generic
Job Type: linux_msan_pdfium
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  CPDF_DIBSource::TranslateScanline24bpp
  CPDF_DIBSource::GetScanline
  CFX_DIBSource::Clone
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_pdfium&range=418926:419071
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_pdfium&range=419475:419498

Minimized Testcase (4804.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97T73unl-Anvc-jccspPV5NcjcdHUiC08SHv9KTpL8CtS62-J6fDHflBm8eBqBgbFw_hsPcPAJWJf3lHee3Zn9FkRcSuhZwlS_rPDiTCCTxfbR0tqIPuUBAJwblZFwrgkP8dlDv-7i31tEJ0OWNpCH32ysMvgunCiL8i4cXYCIXrIpHzVw?testcase_id=6473827951575040

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

It is duplicate for BUG= 647612  .
This issue was correctly fixed in https://codereview.chromium.org/2350193003/

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot