
Issue 652232

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Integer-overflow in CPDF_ToUnicodeMap::Load

Project Member Reported by ClusterFuzz, Oct 3 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4591831520378880

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_ToUnicodeMap::Load
  CPDF_Font::LoadUnicodeMap
  CPDF_Font::UnicodeFromCharCode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=368790:368799

Minimized Testcase (297.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950g4i4rnGWU4cFMgQRoV0sYqNqZfNLeX4rQz6AgFQQEIcS3mC7v0VwRGyR-WFDU2s9zrnPn8MRHwx4pzrNbaDKNBN6q5xQB9IGBqEjJDct2Lie2K1fvw-5uIzzoC92eZhh253o1O0mdIgHL6QTlCe-taSLr-M5Dihu1azqC4U3ynhTer0?testcase_id=4591831520378880

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug Findit-for-crash M-55 Te-Logged Pri-2 Type-Bug-Regression
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 279 of file fpdf_font.cpp, which is stack frame 0.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 283 of file cpdf_font.cpp, which is stack frame 1.

@dsinclair: Assigning to you, please take a look into it. Please help us reassign to the right owner if this is not related to your changes.

Thanks!
Cc: dsinclair@chromium.org
Owner: npm@chromium.org
npm@ can you take a look?
Comment 3 by bugdroid1@chromium.org (Project Member), Oct 4 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/89f9ee3b8f3b4756f05ff48055f4bff7353201e2

commit 89f9ee3b8f3b4756f05ff48055f4bff7353201e2
Author: npm <npm@chromium.org>
Date: Tue Oct 04 17:15:55 2016

Use FX_SAFE_UINT32 on CPDF_ToUnicodeMap::Load

m_Map maps to unsigned integer, but m_MultiCharBuf.GetLength() returns
an integer. There will be integer overflow if the length is big, and
UBSAN will complain. Thus, using FX_SAFE_UINT32. Replacing with uint32
would work as well: the point is to consider the length as uint instead
of int.

BUG= chromium:652232 

Review-Url: https://codereview.chromium.org/2393573002

[modify] https://crrev.com/89f9ee3b8f3b4756f05ff48055f4bff7353201e2/core/fpdfapi/fpdf_font/fpdf_font.cpp
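The commit message above describes the defect class: a length reported as a signed `int` is combined arithmetically and then stored into a map of unsigned values, so a large enough length makes the intermediate computation overflow. The following is an added example, not pdfium's code or the change linked above: it shows a minimal checked unsigned wrapper in the spirit of FX_SAFE_UINT32 (its real API is only assumed here; the class name, `IsValid()` and `ValueOrDefault()` are this example's own), next to a helper that reports, without triggering undefined behaviour, when the same arithmetic done in plain `int` would overflow. The packing formula `length * 0x10000 + 0xFFFF`, the map type, and all inputs are constructed for the example.

```cpp
#include <cstdint>
#include <limits>
#include <map>

// Minimal checked unsigned 32-bit integer. Each operation records whether the
// exact mathematical result still fits in uint32_t, so a caller can refuse to
// store a wrapped value. This illustrates the idea behind pdfium's
// FX_SAFE_UINT32 (a checked-numeric wrapper); the names and methods here are
// this example's own, not pdfium's API.
class CheckedUint32 {
 public:
  // From a signed int (the type a length getter such as GetLength() returns):
  // a negative value can never be a valid unsigned quantity.
  explicit CheckedUint32(int v)
      : value_(static_cast<uint32_t>(v)), valid_(v >= 0) {}
  explicit CheckedUint32(uint32_t v) : value_(v), valid_(true) {}

  CheckedUint32& operator*=(uint32_t rhs) {
    if (valid_ && rhs != 0 &&
        value_ > std::numeric_limits<uint32_t>::max() / rhs) {
      valid_ = false;  // product would exceed 2^32 - 1
    }
    value_ *= rhs;  // unsigned wrap is well defined; valid_ records it
    return *this;
  }

  CheckedUint32& operator+=(uint32_t rhs) {
    if (valid_ && value_ > std::numeric_limits<uint32_t>::max() - rhs) {
      valid_ = false;  // sum would exceed 2^32 - 1
    }
    value_ += rhs;
    return *this;
  }

  bool IsValid() const { return valid_; }
  uint32_t ValueOrDefault(uint32_t fallback) const {
    return valid_ ? value_ : fallback;
  }

 private:
  uint32_t value_;
  bool valid_;
};

// Constructed stand-in for the map in the bug: unsigned values keyed by
// character code, each derived from a buffer length the buffer reports as int.
// The packing "length * 0x10000 + 0xFFFF" is an assumed shape chosen for this
// example, not taken from pdfium.
using CodeMap = std::map<uint32_t, uint32_t>;

// Would the same packing done in plain int arithmetic overflow for this length?
// Evaluated in 64 bits so the check itself never triggers undefined behaviour.
bool SignedPackingOverflows(int length) {
  int64_t packed = static_cast<int64_t>(length) * 0x10000 + 0xFFFF;
  return packed > std::numeric_limits<int>::max() || packed < 0;
}

// Hardened form: do the arithmetic as checked uint32_t and refuse to store an
// entry whose value overflowed or whose length was negative.
bool StoreChecked(CodeMap& map, uint32_t charcode, int length) {
  CheckedUint32 packed(length);
  packed *= 0x10000u;
  packed += 0xFFFFu;
  if (!packed.IsValid()) return false;  // reject instead of storing a wrapped value
  map[charcode] = packed.ValueOrDefault(0);
  return true;
}

int main() {
  CodeMap map;
  // Constructed inputs: a small length fits; a length of 0x8000 already
  // overflows a 32-bit signed int; 0x10000 overflows even uint32_t.
  bool small_ok = StoreChecked(map, 1, 5);
  bool signed_overflow = SignedPackingOverflows(0x8000);
  bool huge_ok = StoreChecked(map, 2, 0x10000);
  return (small_ok && signed_overflow && !huge_ok) ? 0 : 1;
}
```

The point of the wrapper is that the caller gets a yes/no answer before anything is stored; a UBSan build reports signed overflow at the crash site, but a release build without the check would silently store a wrapped value and later index the multi-character buffer with it.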

Comment 4 by npm@chromium.org, Oct 4 2016

Status: Fixed (was: Assigned)
Comment 5 by bugdroid1@chromium.org (Project Member), Oct 4 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af0f73399f18929d1b6871b6a33661c5684f82cb

commit af0f73399f18929d1b6871b6a33661c5684f82cb
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 04 19:07:48 2016

Roll src/third_party/pdfium/ 78c271dd9..89f9ee3b8 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/78c271dd9ee8..89f9ee3b8f3b

$ git log 78c271dd9..89f9ee3b8 --date=short --no-merges --format='%ad %ae %s'
2016-10-04 npm Use FX_SAFE_UINT32 on CPDF_ToUnicodeMap::Load

BUG= 652232 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2385063004
Cr-Commit-Position: refs/heads/master@{#422877}

[modify] https://crrev.com/af0f73399f18929d1b6871b6a33661c5684f82cb/DEPS

Comment 6 by ClusterFuzz (Project Member), Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422834:422891.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4591831520378880

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  CPDF_ToUnicodeMap::Load
  CPDF_Font::LoadUnicodeMap
  CPDF_Font::UnicodeFromCharCode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=368790:368799
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=422834:422891

Minimized Testcase (297.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950g4i4rnGWU4cFMgQRoV0sYqNqZfNLeX4rQz6AgFQQEIcS3mC7v0VwRGyR-WFDU2s9zrnPn8MRHwx4pzrNbaDKNBN6q5xQB9IGBqEjJDct2Lie2K1fvw-5uIzzoC92eZhh253o1O0mdIgHL6QTlCe-taSLr-M5Dihu1azqC4U3ynhTer0?testcase_id=4591831520378880

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: Internals>Plugins>PDF
