
Issue 648576


Issue metadata

Status: Duplicate
Merged: issue 647612
Owner:
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security


Heap-use-after-free in CPDF_RenderStatus::LoadSMask

Reported by ClusterFuzz (Project Member), Sep 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6524512122437632

Fuzzer: ifratric_pdf_generic
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x05f19dd8
Crash State:
  CPDF_RenderStatus::LoadSMask
  CPDF_RenderStatus::ProcessTransparency
  CPDF_RenderStatus::ContinueSingleObject
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=419396:419475

Minimized Testcase (3274.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94WSvzWZwQYWYZEi4r_l6UEEwSTZuliuDBhJ98BzWdSPdjQg7QYHA6EwKN0avqQORudkqvAdQlgrfus2hMVK9PhsKmEmjk7n_KQJIG1cRy3hlNnRpwFJK1fIwgXDIhQrctOHVjjSw_1KaRsgAyyoHpjcMzTml7Arbc-oE3AtykzkYuCWOg?testcase_id=6524512122437632

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by sheriffbot@chromium.org (Project Member), Sep 20 2016

Labels: M-55

Comment 2 by sheriffbot@chromium.org (Project Member), Sep 20 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Sep 20 2016

Labels: Pri-1
Components: Internals>Plugins>PDF
Owner: dsinclair@chromium.org
This looks like a dupe of 647612 which you recently fixed. Can you confirm? Thanks!
Mergedinto: 647612
Status: Duplicate (was: Untriaged)

Comment 7 by sheriffbot@chromium.org (Project Member), Dec 28 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
