Issue 648935


Issue metadata

Status: Verified
Closed: Sep 2016
OS: Linux
Pri: 1
Type: Bug-Security

Crash in FindBit

Project Member Reported by ClusterFuzz, Sep 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4740113399808000

Fuzzer: afl_pdf_codec_fax_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7f0ac7afbb32
Crash State:
  FindBit
  FaxG4GetRow
  CCodec_FaxDecoder::v_GetNextLine
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=419847:419947

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94FvLQJkIulJB61isJ-sfw5aPbGe5wavyaLXVaYYzJgfIU0WgaTmYGJKzq4rt62fAtALAUuUmStt1VuZbM7MRqfuIp_och3yQX5dRrIj-Wwce_3EpUKsy72hnOJhhYwx3dHhSOihoelFbxA2DxIyRayPAd36A?testcase_id=4740113399808000

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Components: Internals>Skia>PDF
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 21 2016

Labels: M-55
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 21 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Sep 21 2016

Labels: Pri-1
Components: -Internals>Skia>PDF Internals>Plugins>PDF
Fixing Component based on file path of third_party/pdfium/core/fxcodec/codec/fx_codec_fax.cpp
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)
thestig@ could you please look into this and assign an appropriate owner if needed?

This issue appears very similar to issue 648937.

It looks like we just turned on fuzzing for this area (via https://chromium.googlesource.com/chromium/src/+/a6dc4f682f6db2b4792963ef5a26929d8a728f2a)
Cc: tsepez@chromium.org kcwu@chromium.org
Now that the fax fuzzer is finding bugs... any interest in taking them?

Looks related to bug 648937 but not immediately obvious if it's the exact same bug.
Issue 648937 has been merged into this issue.
Status: Started (was: Assigned)
https://codereview.chromium.org/2369433002
Cc: -kcwu@chromium.org
Owner: kcwu@chromium.org
Project Member

Comment 12 by bugdroid1@chromium.org, Sep 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7563d3dfa905fb2095e715406bf85b19df9d07a7

commit 7563d3dfa905fb2095e715406bf85b19df9d07a7
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Fri Sep 23 17:56:10 2016

Roll src/third_party/pdfium/ 3f4111fbf..4dd613cb5 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/3f4111fbff12..4dd613cb51c1

$ git log 3f4111fbf..4dd613cb5 --date=short --no-merges --format='%ad %ae %s'
2016-09-23 kcwu Bail out on bad width and height in CCodec_FaxDecoder::CreateDecoder

BUG=648935,649436

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2364973002
Cr-Commit-Position: refs/heads/master@{#420655}

[modify] https://crrev.com/7563d3dfa905fb2095e715406bf85b19df9d07a7/DEPS

Project Member

Comment 13 by ClusterFuzz, Sep 24 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 14 by ClusterFuzz, Sep 24 2016

ClusterFuzz has detected this issue as fixed in range 420614:420693.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=420614:420693

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 15 by sheriffbot@chromium.org, Sep 24 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Project Member

Comment 17 by sheriffbot@chromium.org, Dec 31 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
