Integer-overflow in FaxG4GetRow

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4990501805883392
Fuzzer: libfuzzer_pdf_codec_fax_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  FaxG4GetRow
  CCodec_FaxDecoder::v_GetNextLine
  ReadNextLine
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419788:419884
Minimized Testcase (0.78 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94UvMXEArmGZ6x8X-MhZ69eJKh42JNRqj9-IBvPPMUk9qVSvSapvPFKDcR5HHdFzdn-UbDQnfqU_631tdIHhmbuGpxTAjlYoo3slJcsKAfgpLG87UoTHh1xp5tlcG9kmsAW6N3wO2jBVIG4TJYRumnVNwa-oQ?testcase_id=4990501805883392
Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 22 2016
Sorry, I have no idea about the algorithm of fax codec.
Sep 22 2016
dsinclair@ could you please look into this. Please feel free to re-assign back if needed. Thanks in advance!
Sep 23 2016
I found this issue is not in the G4 codec algorithm itself. Let me take it.
Sep 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7563d3dfa905fb2095e715406bf85b19df9d07a7

commit 7563d3dfa905fb2095e715406bf85b19df9d07a7
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Fri Sep 23 17:56:10 2016

Roll src/third_party/pdfium/ 3f4111fbf..4dd613cb5 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/3f4111fbff12..4dd613cb51c1

$ git log 3f4111fbf..4dd613cb5 --date=short --no-merges --format='%ad %ae %s'
2016-09-23 kcwu Bail out on bad width and height in CCodec_FaxDecoder::CreateDecoder

BUG=648935,649436
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2364973002
Cr-Commit-Position: refs/heads/master@{#420655}

[modify] https://crrev.com/7563d3dfa905fb2095e715406bf85b19df9d07a7/DEPS
Sep 24 2016
ClusterFuzz has detected this issue as fixed in range 420626:420739.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4990501805883392
Fuzzer: libfuzzer_pdf_codec_fax_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  FaxG4GetRow
  CCodec_FaxDecoder::v_GetNextLine
  ReadNextLine
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419788:419884
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420626:420739
Minimized Testcase (0.78 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94UvMXEArmGZ6x8X-MhZ69eJKh42JNRqj9-IBvPPMUk9qVSvSapvPFKDcR5HHdFzdn-UbDQnfqU_631tdIHhmbuGpxTAjlYoo3slJcsKAfgpLG87UoTHh1xp5tlcG9kmsAW6N3wO2jBVIG4TJYRumnVNwa-oQ?testcase_id=4990501805883392

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 24 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Sep 22 2016
Owner: kcwu@chromium.org
Status: Assigned (was: Untriaged)