Use-of-uninitialized-value in EvalSegmentedFn
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5208794651164672
Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  EvalSegmentedFn
  cmsEvalToneCurveFloat
  EvaluateCurves
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=420535:420584
Minimized Testcase (0.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94JKrqSMXerKfjj-94yISJ7BfE6H1df_ngQKbvQnleCOYtGYB-cB75r9PpTRyQQE-v4Wu05M6FdrIW-jT8JXyVYSksGSGMpg6-RH8ye0x0TAakLZKCE6LR211ZTSX6Vi-nNi0z29ZrvDMVW1BoLhap571aFXg?testcase_id=5208794651164672
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 30 2016
Not a duplicate, incorrectly marked.
Oct 1 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 3 2016
kcwu@ I see you've fixed some other issues in lcms, do you know how to fix the above? The case doesn't seem to repro for me with an msan build. From reading the code, it looks like it's initialized, but the code is hard to track through.
Oct 3 2016
This was likely introduced by https://pdfium.googlesource.com/pdfium.git/+/39ee9dfac1c6d286a4075c7e2435fe1cfe365bad We're promoting M55 to Beta imminently and this bug is marked as a blocker for that. Please take a look. Thanks!
Oct 4 2016
There are two events for this case:
1. heap buffer overflow read
2. use of uninit value (from 1)
1 can be detected by asan. My local msan cannot catch 2 either, but I can confirm it with the call stack of the crash report. I prepared a fix (but I am not sure the fix is correct yet): https://codereview.chromium.org/2384063006
Oct 4 2016
I think we should try to land the patch upstream first as they'd be the best people to give feedback if it's correct.
Oct 4 2016
A friendly reminder that M55 Beta launch is coming soon! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.
Oct 5 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/958e57cbe864f356140b74cbc3b70bf352187bd4

commit 958e57cbe864f356140b74cbc3b70bf352187bd4
Author: kcwu <kcwu@chromium.org>
Date: Wed Oct 05 02:00:41 2016

Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is length of Offsets. The original code will allocate NewElem->Offset with length Cols=InputChans (cmslut.c:417). This results in heap buffer overflow later.

BUG= chromium:651849
Review-Url: https://codereview.chromium.org/2384063006

[add] https://crrev.com/958e57cbe864f356140b74cbc3b70bf352187bd4/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch
[modify] https://crrev.com/958e57cbe864f356140b74cbc3b70bf352187bd4/third_party/lcms2-2.6/README.pdfium
[modify] https://crrev.com/958e57cbe864f356140b74cbc3b70bf352187bd4/third_party/lcms2-2.6/src/cmstypes.c
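A toy version of the allocation the commit message describes, added here as an example and not lcms or pdfium code (matrix_stage and its functions are hypothetical names): the offset vector is sized by the output-channel count rather than the input-channel count, and the evaluator's indices are bounded by the dimensions recorded at allocation, so a non-square stage with more outputs than inputs cannot read past the offset buffer.

```c
/* Added example, not lcms/pdfium code: a toy matrix stage (rows = output channels, cols = inputs). */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    size_t rows, cols;        /* output channels, input channels */
    double *matrix, *offset;  /* rows*cols entries row-major; rows offsets, one per output */
} matrix_stage;
void matrix_stage_free(matrix_stage *s)
{ if (s) { free(s->matrix); free(s->offset); free(s); } }
/* offset[] is indexed by output channel, so it is sized by rows; sizing it by
 * cols (the swap the thread fixes) under-allocates whenever rows > cols. */
matrix_stage *matrix_stage_alloc(size_t rows, size_t cols,
                                 const double *matrix, const double *offset)
{
    if (rows == 0 || cols == 0 || !matrix || rows > SIZE_MAX / cols) return NULL;
    matrix_stage *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->rows = rows, s->cols = cols;
    s->matrix = calloc(rows * cols, sizeof *s->matrix);
    s->offset = calloc(rows, sizeof *s->offset);          /* rows, not cols */
    if (!s->matrix || !s->offset) { matrix_stage_free(s); return NULL; }
    memcpy(s->matrix, matrix, rows * cols * sizeof *s->matrix);
    if (offset) memcpy(s->offset, offset, rows * sizeof *s->offset);
    return s;
}
/* in[] has cols entries, out[] has rows; indices are bounded by the stored
 * dimensions, so offset[i] stays inside the buffer allocated above. */
void matrix_stage_eval(const matrix_stage *s, const double *in, double *out)
{
    for (size_t i = 0; i < s->rows; i++) {
        out[i] = s->offset[i];
        for (size_t j = 0; j < s->cols; j++)
            out[i] += s->matrix[i * s->cols + j] * in[j];
    }
}
/* Constructed 3-in/4-out stage (rows > cols): out[3] is the fourth offset. */
double demo_4x3(void)
{
    const double m[12] = { 1,0,0, 0,1,0, 0,0,1, 0,0,0 }, in[3] = { 1, 2, 3 };
    const double off[4] = { 0.5, 0.25, 0.125, 2.0 };
    double out[4];
    matrix_stage *s = matrix_stage_alloc(4, 3, m, off);
    if (!s) return -1.0;
    matrix_stage_eval(s, in, out);
    matrix_stage_free(s);
    return out[3];
}
```

With a cols-sized offset buffer the same 4x3 stage would have only three offsets, and out[3] would be computed from memory past the end of that buffer, which is the over-read the fuzzer reported.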
Oct 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1021474bc8e23b90b3e5f0ab8e83ed5ee8c38c6c

commit 1021474bc8e23b90b3e5f0ab8e83ed5ee8c38c6c
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Oct 05 04:08:06 2016

Roll src/third_party/pdfium/ 98c6c15ab..958e57cbe (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/98c6c15abfec..958e57cbe864

$ git log 98c6c15ab..958e57cbe --date=short --no-merges --format='%ad %ae %s'
2016-10-04 kcwu Fix cmdStageAllocMatrix parameter swap

BUG= 651849
TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2396753002
Cr-Commit-Position: refs/heads/master@{#423073}

[modify] https://crrev.com/1021474bc8e23b90b3e5f0ab8e83ed5ee8c38c6c/DEPS
Oct 11 2016
Issue 654198 has been merged into this issue.
Oct 11 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/d2023170190b4eb278054fd84765412c1a6ccddd

commit d2023170190b4eb278054fd84765412c1a6ccddd
Author: kcwu <kcwu@chromium.org>
Date: Tue Oct 11 14:50:37 2016

Fix cmdStageAllocMatrix parameter swap again

This is fixup of 958e57cb.

BUG= chromium:651849 , chromium:654198
Review-Url: https://codereview.chromium.org/2407113002

[modify] https://crrev.com/d2023170190b4eb278054fd84765412c1a6ccddd/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch
[modify] https://crrev.com/d2023170190b4eb278054fd84765412c1a6ccddd/third_party/lcms2-2.6/src/cmslut.c
Oct 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/06643fd50e35580f7ef43bd29d07b0f9b4423f0e

commit 06643fd50e35580f7ef43bd29d07b0f9b4423f0e
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 11 16:35:36 2016

Roll src/third_party/pdfium/ 10a285391..d20231701 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/10a285391c74..d2023170190b

$ git log 10a285391..d20231701 --date=short --no-merges --format='%ad %ae %s'
2016-10-11 kcwu Fix cmdStageAllocMatrix parameter swap again

BUG= 651849 , 654198
TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2405253002
Cr-Commit-Position: refs/heads/master@{#424452}

[modify] https://crrev.com/06643fd50e35580f7ef43bd29d07b0f9b4423f0e/DEPS
Oct 17 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/522ed14ce8cf39e5e6fc1a58099edd4f849b7fb8

commit 522ed14ce8cf39e5e6fc1a58099edd4f849b7fb8
Author: kcwu <kcwu@chromium.org>
Date: Mon Oct 17 13:37:25 2016

lcms: Revise previous cmsStageAllocMatrix fix

Also fixed wrong patch file name.
This is fixup of 958e57cb and d2023170

TEST=apply this change in lcms' repo and make check
BUG= chromium:651849 , chromium:654198
Review-Url: https://codereview.chromium.org/2424803002

[delete] https://crrev.com/85fcf94eeae589641213c4301bbb16b44b10a282/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch
[add] https://crrev.com/522ed14ce8cf39e5e6fc1a58099edd4f849b7fb8/third_party/lcms2-2.6/0009-cmsStageAllocMatrix-param-swap.patch
[modify] https://crrev.com/522ed14ce8cf39e5e6fc1a58099edd4f849b7fb8/third_party/lcms2-2.6/README.pdfium
[modify] https://crrev.com/522ed14ce8cf39e5e6fc1a58099edd4f849b7fb8/third_party/lcms2-2.6/src/cmslut.c
[modify] https://crrev.com/522ed14ce8cf39e5e6fc1a58099edd4f849b7fb8/third_party/lcms2-2.6/src/cmstypes.c
Oct 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4f9b41f13da493b9ee0d488178192144507480bf

commit 4f9b41f13da493b9ee0d488178192144507480bf
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Oct 17 15:11:49 2016

Roll src/third_party/pdfium/ 85fcf94ee..522ed14ce (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/85fcf94eeae5..522ed14ce8cf

$ git log 85fcf94ee..522ed14ce --date=short --no-merges --format='%ad %ae %s'
2016-10-17 kcwu lcms: Revise previous cmsStageAllocMatrix fix

BUG= 651849 , 654198
TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2427683002
Cr-Commit-Position: refs/heads/master@{#425680}

[modify] https://crrev.com/4f9b41f13da493b9ee0d488178192144507480bf/DEPS
Jan 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kenrb@chromium.org, Sep 30 2016
Status: Duplicate (was: Untriaged)