Use-of-uninitialized-value in CPDFSDK_WidgetHandler::ReleaseAnnot
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5134530438758400
Fuzzer: ifratric_pdf_generic
Job Type: linux_msan_pdfium
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CPDFSDK_WidgetHandler::ReleaseAnnot
  CPDFSDK_PageView::~CPDFSDK_PageView
  CPDFSDK_Document::~CPDFSDK_Document
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_pdfium&range=423265:423386
Minimized Testcase (212.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97W9efEI0fDjNob3f8oTbv5oXFJzfMEIVHTLTSHO0bmq4S9M8qnkP-0RuGX8OyXNSQOqYsD94jS3pCSNSL60jlbOVQGRGuj979rbpURCfoIdaloXBTkv7fatgQsLfcLuMOcnb28-Cd1FL6H6h2BOok_iGEUMFMLj3ZGQIXXpwMlwoRANXE?testcase_id=5134530438758400

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Oct 6 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 6 2016

Oct 6 2016

Oct 7 2016
**** Bulk edit - please ignore if not applicable **** This bug is reported as an M55 Beta blocker and we're getting closer to M55 Beta promotion. Please plan to have the fix ready and merged to the M55 branch (2883) by 5:00 PM PT, Monday (10/10) so it has enough baking time in Dev before Beta promotion. Thank you.

Oct 7 2016
tsepez: If you have time, can you take this?
Oct 11 2016
ASAN says UAF, BTW.
Oct 11 2016

Oct 11 2016
https://codereview.chromium.org/2406893003 hopefully.
Oct 11 2016
Grabbing this back as it may fall under 654272.
Oct 11 2016

The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/709f5a9301e91365ab87610993c497e386504ead

commit 709f5a9301e91365ab87610993c497e386504ead
Author: dsinclair <dsinclair@chromium.org>
Date: Tue Oct 11 21:21:16 2016

Fixup formfiller cleanup

The CFFL_InteractiveFormFiller must be cleaned up before the environment because the destruction of the formfiller will trigger the destruction of the formfiller widgets. Some of those widgets may require stopping timers, which requires accessing the environment.

BUG=chromium:654272, chromium:653459
Review-Url: https://codereview.chromium.org/2408163003

[modify] https://crrev.com/709f5a9301e91365ab87610993c497e386504ead/fpdfsdk/cpdfsdk_formfillenvironment.cpp
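The destruction-order hazard that commit message describes, modelled as an added example (not PDFium code): a widget's destructor must reach the environment to stop a timer, so the form filler has to be torn down while the environment still exists. The Environment, Widget, FormFiller and Document types are stand-ins, and a weak_ptr is used so that the "environment already gone" case is observable in a log rather than an actual dangling access.

```cpp
#include <memory>
#include <string>
#include <vector>
static std::vector<std::string> g_log;  // teardown order, inspected afterwards
// Stand-in for the form-fill environment that owns the timers.
struct Environment {
    void KillTimer(int id) { g_log.push_back("KillTimer " + std::to_string(id)); }
    ~Environment() { g_log.push_back("~Environment"); }
};
// Stand-in widget whose destructor must reach the environment to stop its timer.
// A weak_ptr makes a dead environment observable instead of a dangling raw pointer.
struct Widget {
    std::weak_ptr<Environment> env;
    int timer_id;
    Widget(std::shared_ptr<Environment> e, int id) : env(e), timer_id(id) {}
    ~Widget() {
        if (auto live = env.lock()) live->KillTimer(timer_id);
        else g_log.push_back("DANGLING timer " + std::to_string(timer_id));
    }
};
struct FormFiller {
    std::vector<std::unique_ptr<Widget>> widgets;  // destroyed after the body below
    ~FormFiller() { g_log.push_back("~FormFiller"); }
};
// Buggy layout: members die in reverse declaration order, so env is gone
// before the widgets try to stop their timers.
struct DocumentBuggy {
    std::unique_ptr<FormFiller> form_filler;
    std::shared_ptr<Environment> env;
};
// Fixed layout: tear down the form filler explicitly while env is still alive.
struct DocumentFixed {
    std::unique_ptr<FormFiller> form_filler;
    std::shared_ptr<Environment> env;
    ~DocumentFixed() { form_filler.reset(); }
};
template <class Doc> std::vector<std::string> RunTeardown() {
    g_log.clear();
    {   // doc leaves scope at the closing brace, which triggers the teardown
        Doc doc;
        doc.env = std::make_shared<Environment>();
        doc.form_filler.reset(new FormFiller);
        doc.form_filler->widgets.emplace_back(new Widget(doc.env, 7));
    }
    return g_log;
}
bool TeardownIsSafe(const std::vector<std::string>& log) {
    for (const auto& e : log) if (e.rfind("DANGLING", 0) == 0) return false;
    return true;
}
```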
Oct 11 2016

Oct 11 2016

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cedb9638610256a293d802876f04d05f11249776

commit cedb9638610256a293d802876f04d05f11249776
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 11 23:42:29 2016

Roll src/third_party/pdfium/ 19c198b7b..2bfa222a3 (7 commits).

https://pdfium.googlesource.com/pdfium.git/+log/19c198b7b806..2bfa222a38e1

$ git log 19c198b7b..2bfa222a3 --date=short --no-merges --format='%ad %ae %s'
2016-10-11 npm Delete unused flags from CFX_SubstFont
2016-10-11 dsinclair Fixup formfiller cleanup
2016-10-11 dsinclair Remove remaining CPDFSDK_Document references
2016-10-11 dsinclair Convert CPDFXFA_Document to use CPDFSDK_FormFillEnvironment
2016-10-11 tsepez Add CPDF_Object::IsInline()
2016-10-11 npm Deleted unused members in CTTFontDesc
2016-10-11 dsinclair Convert fpdfformfill to use CPDFSDK_FormFillEnvironment

BUG=654272, 653459
TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2411143002
Cr-Commit-Position: refs/heads/master@{#424598}

[modify] https://crrev.com/cedb9638610256a293d802876f04d05f11249776/DEPS
Oct 12 2016

Oct 22 2016
Updating severity to high. Looks like this was actually a UaF.
Oct 22 2016
Issue 657258 has been merged into this issue.
Oct 24 2016

The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/e84013dc2611fe399d435debdd36c6da9aab3664

commit e84013dc2611fe399d435debdd36c6da9aab3664
Author: Lei Zhang <thestig@google.com>
Date: Mon Oct 24 20:54:36 2016
Oct 25 2016

Nov 9 2016

ClusterFuzz has detected this issue as fixed in range 430786:430834.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5134530438758400
Fuzzer: ifratric_pdf_generic
Job Type: linux_msan_pdfium
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CPDFSDK_WidgetHandler::ReleaseAnnot
  CPDFSDK_PageView::~CPDFSDK_PageView
  CPDFSDK_Document::~CPDFSDK_Document
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_pdfium&range=423265:423386
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_pdfium&range=430786:430834
Minimized Testcase (212.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97W9efEI0fDjNob3f8oTbv5oXFJzfMEIVHTLTSHO0bmq4S9M8qnkP-0RuGX8OyXNSQOqYsD94jS3pCSNSL60jlbOVQGRGuj979rbpURCfoIdaloXBTkv7fatgQsLfcLuMOcnb28-Cd1FL6H6h2BOok_iGEUMFMLj3ZGQIXXpwMlwoRANXE?testcase_id=5134530438758400

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot