New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 648077 link

Starred by 1 user
Status: Fixed
Owner:
thestig@chromium.org
Closed: Oct 2016
Cc:
kcc@chromium.org
mmoroz@chromium.org
tsepez@chromium.org
aizatsky@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in CPDF_PSEngine::DoOperator

Project Member Reported by ClusterFuzz, Sep 18 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4601123359162368

Fuzzer: libfuzzer_pdf_psengine_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_PSEngine::DoOperator
  CPDF_PSProc::Execute
  RunOne
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94rTW1NZqNd8x2xhShtxA1nUUhHI4zPJVo_IxqIWjr-tjxuYObgAEtJKNVn_PYYQ0FxvCqhocy81f0YBvOf4RsLvje_ehtC72XYswyl1zvkol-_EbiQlJ0bd19LCz7pFpu67TJMYYkjEcedftCNifCbl5QL2g?testcase_id=4601123359162368


Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by mmoroz@chromium.org, Sep 18 2016

Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Internals>Plugins>PDF
Owner: tsepez@chromium.org

Comment 2 by thestig@chromium.org, Oct 12 2016

Cc: tsepez@chromium.org
Owner: thestig@chromium.org
Status: Started (was: Untriaged)
https://codereview.chromium.org/2412833002
Project Member

Comment 3 by bugdroid1@chromium.org, Oct 12 2016 

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/47cbc06ef6f528e4d30a869ec533d010ee79b064

commit 47cbc06ef6f528e4d30a869ec533d010ee79b064
Author: thestig <thestig@chromium.org>
Date: Wed Oct 12 16:37:28 2016

Optimize roll operator in CPDF_PSEngine.

Rolling 0 times is a no-op.
Rolling 0 items is a no-op.
Rolling N items J times is the same as rolling N items J % N times.
This also avoids an integer overflow corner case.

BUG= chromium:648077 

Review-Url: https://codereview.chromium.org/2412833002

[modify] https://crrev.com/47cbc06ef6f528e4d30a869ec533d010ee79b064/core/fpdfapi/page/fpdf_page_func.cpp

Comment 4 by thestig@chromium.org, Oct 12 2016

Status: Fixed (was: Started)
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 12 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/67d2dc3a7b5541b718bb1383be73dc4479f9a83c

commit 67d2dc3a7b5541b718bb1383be73dc4479f9a83c
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Oct 12 19:04:23 2016

Roll src/third_party/pdfium/ a30537f8b..8bc9b8b2d (3 commits).

https://pdfium.googlesource.com/pdfium.git/+log/a30537f8b074..8bc9b8b2ddeb

$ git log a30537f8b..8bc9b8b2d --date=short --no-merges --format='%ad %ae %s'
2016-10-12 thestig Check for more undefined behavior in CPDF_PSEngine.
2016-10-12 tsepez Get rid of CFX_ArrayTemplate<CPDF_Object*>
2016-10-12 thestig Optimize roll operator in CPDF_PSEngine.

BUG= 639792 , 648077 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2411923003
Cr-Commit-Position: refs/heads/master@{#424810}

[modify] https://crrev.com/67d2dc3a7b5541b718bb1383be73dc4479f9a83c/DEPS
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment