
Issue 651849


Issue metadata

Status: Fixed
Merged: issue 651293
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Use-of-uninitialized-value in EvalSegmentedFn

Project Member Reported by ClusterFuzz, Sep 30 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5208794651164672

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  EvalSegmentedFn
  cmsEvalToneCurveFloat
  EvaluateCurves
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=420535:420584

Minimized Testcase (0.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94JKrqSMXerKfjj-94yISJ7BfE6H1df_ngQKbvQnleCOYtGYB-cB75r9PpTRyQQE-v4Wu05M6FdrIW-jT8JXyVYSksGSGMpg6-RH8ye0x0TAakLZKCE6LR211ZTSX6Vi-nNi0z29ZrvDMVW1BoLhap571aFXg?testcase_id=5208794651164672

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by kenrb@chromium.org, Sep 30 2016

Mergedinto: 651293
Status: Duplicate (was: Untriaged)

Comment 2 by aarya@google.com, Sep 30 2016

Status: Assigned (was: Duplicate)
Not a duplicate, incorrectly marked.

Comment 3 by kenrb@chromium.org, Sep 30 2016

Cc: tsepez@chromium.org och...@chromium.org
Labels: Pri-1
Owner: dsinclair@chromium.org

Comment 4 by kenrb@chromium.org, Sep 30 2016

Components: Internals>Plugins>PDF

Comment 5 by sheriffbot@chromium.org, Oct 1 2016

Labels: M-55

Comment 6 by sheriffbot@chromium.org, Oct 1 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: kcwu@chromium.org
kcwu@ I see you've fixed some other issues in lcms, do you know how to fix the above? The case doesn't seem to repro for me with an msan build. From reading the code, it looks like it's initialized, but the code is hard to track through.
This was likely introduced by https://pdfium.googlesource.com/pdfium.git/+/39ee9dfac1c6d286a4075c7e2435fe1cfe365bad 

We're promoting M55 to Beta imminently and this bug is marked as a blocker for that. Please take a look.  Thanks!

Comment 9 by kcwu@chromium.org, Oct 4 2016

Status: Started (was: Assigned)
There are two events for this case. 
 1. heap buffer overflow read
 2. use of uninit value (from 1)

1 can be detected by asan. My local msan cannot catch 2 either, but I can confirm it with the call stack of the crash report.

I prepared a fix (but I am not sure the fix is correct yet)
https://codereview.chromium.org/2384063006

I think we should try to land the patch upstream first as they'd be the best people to give feedback if it's correct.
A friendly reminder that M55 Beta launch is coming soon! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.

Comment 12 by bugdroid1@chromium.org, Oct 5 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/958e57cbe864f356140b74cbc3b70bf352187bd4

commit 958e57cbe864f356140b74cbc3b70bf352187bd4
Author: kcwu <kcwu@chromium.org>
Date: Wed Oct 05 02:00:41 2016

Fix cmdStageAllocMatrix parameter swap

For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.

BUG= chromium:651849 

Review-Url: https://codereview.chromium.org/2384063006

[add] https://crrev.com/958e57cbe864f356140b74cbc3b70bf352187bd4/third_party/lcms2-2.6/0009-cmdStageAllocMatrix-param-swap.patch
[modify] https://crrev.com/958e57cbe864f356140b74cbc3b70bf352187bd4/third_party/lcms2-2.6/README.pdfium
[modify] https://crrev.com/958e57cbe864f356140b74cbc3b70bf352187bd4/third_party/lcms2-2.6/src/cmstypes.c


Comment 13 by bugdroid1@chromium.org, Oct 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1021474bc8e23b90b3e5f0ab8e83ed5ee8c38c6c

commit 1021474bc8e23b90b3e5f0ab8e83ed5ee8c38c6c
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Oct 05 04:08:06 2016

Roll src/third_party/pdfium/ 98c6c15ab..958e57cbe (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/98c6c15abfec..958e57cbe864

$ git log 98c6c15ab..958e57cbe --date=short --no-merges --format='%ad %ae %s'
2016-10-04 kcwu Fix cmdStageAllocMatrix parameter swap

BUG= 651849 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2396753002
Cr-Commit-Position: refs/heads/master@{#423073}

[modify] https://crrev.com/1021474bc8e23b90b3e5f0ab8e83ed5ee8c38c6c/DEPS

Comment 14 by kcwu@chromium.org, Oct 6 2016

Status: Fixed (was: Started)

Comment 15 by sheriffbot@chromium.org, Oct 6 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Issue 654198 has been merged into this issue.

Comment 18 by bugdroid1@chromium.org, Oct 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/06643fd50e35580f7ef43bd29d07b0f9b4423f0e

commit 06643fd50e35580f7ef43bd29d07b0f9b4423f0e
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 11 16:35:36 2016

Roll src/third_party/pdfium/ 10a285391..d20231701 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/10a285391c74..d2023170190b

$ git log 10a285391..d20231701 --date=short --no-merges --format='%ad %ae %s'
2016-10-11 kcwu Fix cmdStageAllocMatrix parameter swap again

BUG= 651849 , 654198 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2405253002
Cr-Commit-Position: refs/heads/master@{#424452}

[modify] https://crrev.com/06643fd50e35580f7ef43bd29d07b0f9b4423f0e/DEPS


Comment 20 by bugdroid1@chromium.org, Oct 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4f9b41f13da493b9ee0d488178192144507480bf

commit 4f9b41f13da493b9ee0d488178192144507480bf
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Oct 17 15:11:49 2016

Roll src/third_party/pdfium/ 85fcf94ee..522ed14ce (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/85fcf94eeae5..522ed14ce8cf

$ git log 85fcf94ee..522ed14ce --date=short --no-merges --format='%ad %ae %s'
2016-10-17 kcwu lcms: Revise previous cmsStageAllocMatrix fix

BUG= 651849 , 654198 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2427683002
Cr-Commit-Position: refs/heads/master@{#425680}

[modify] https://crrev.com/4f9b41f13da493b9ee0d488178192144507480bf/DEPS

Labels: -ReleaseBlock-Beta

Comment 22 by sheriffbot@chromium.org, Jan 12 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
