Integer-overflow in CPDF_CMapParser::CMap_GetCode
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6639975808630784

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CPDF_CMapParser::CMap_GetCode
  CPDF_CMapParser::ParseWord
  CPDF_CMap::LoadEmbedded

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (2169.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956zL9-kYRtT6-PEKFIHQZVF2oy3hWWOC7QwBj2uvCFKhDjPT48ZHSYa3rB9O7-ehcNQL9b9oR5N7K_nPIPRDP3YqMSqNZhsNrcGq02R37weGBoJyHr1wM5U23VgPxFvcUPhniIjZBpK_mzk3-84jruYk25L_E6foOmqzhAsGWH88CC7R8?testcase_id=6639975808630784

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 21 2016
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium.git/+/c0f60dc29db66262bbc0082fcd51170a570b0d1f

commit c0f60dc29db66262bbc0082fcd51170a570b0d1f
Author: dsinclair <dsinclair@chromium.org>
Date: Wed Sep 21 19:49:36 2016

Check for overflow in CMap_GetCode.

Given a large enough value for the character code it's possible to overflow the conversion to an int. This CL updates the code to guard against overflow.

BUG= chromium:648739

Review-Url: https://codereview.chromium.org/2358023002

[modify] https://crrev.com/c0f60dc29db66262bbc0082fcd51170a570b0d1f/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp
[modify] https://crrev.com/c0f60dc29db66262bbc0082fcd51170a570b0d1f/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp
Sep 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/37722ec53f433f6f1456a3cc9150cfbf9e8f7a08

commit 37722ec53f433f6f1456a3cc9150cfbf9e8f7a08
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Sep 21 22:09:59 2016

Roll src/third_party/pdfium/ b94d7c921..17103b84e (4 commits).

https://pdfium.googlesource.com/pdfium.git/+log/b94d7c921616..17103b84ebde

$ git log b94d7c921..17103b84e --date=short --no-merges --format='%ad %ae %s'
2016-09-21 tsepez Make ownership explicit in CPDF_ContentMarkItem.
2016-09-21 dsinclair Check for overflow in CMap_GetCode.
2016-09-21 tonikitoo Avoid static initializers and global variables in 'pdfium_test'.
2016-09-21 weili Clear LeakSanitizer's suppression list

BUG= 648739
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2357413002
Cr-Commit-Position: refs/heads/master@{#420176}

[modify] https://crrev.com/37722ec53f433f6f1456a3cc9150cfbf9e8f7a08/DEPS
Sep 22 2016
ClusterFuzz has detected this issue as fixed in range 420163:420225.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6639975808630784

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CPDF_CMapParser::CMap_GetCode
  CPDF_CMapParser::ParseWord
  CPDF_CMap::LoadEmbedded

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=420163:420225

Minimized Testcase (2169.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956zL9-kYRtT6-PEKFIHQZVF2oy3hWWOC7QwBj2uvCFKhDjPT48ZHSYa3rB9O7-ehcNQL9b9oR5N7K_nPIPRDP3YqMSqNZhsNrcGq02R37weGBoJyHr1wM5U23VgPxFvcUPhniIjZBpK_mzk3-84jruYk25L_E6foOmqzhAsGWH88CC7R8?testcase_id=6639975808630784

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
May 15 2017
Comment 1 by mmohammad@chromium.org, Sep 20 2016

Status: Assigned (was: Untriaged)