New issue
Advanced search Search tips

Issue 654198 link

Starred by 2 users

Issue metadata

Status: Fixed
Merged: issue 651849
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-of-uninitialized-value in EvalSegmentedFn

Project Member Reported by ClusterFuzz, Oct 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5496798984798208

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  EvalSegmentedFn
  cmsEvalToneCurveFloat
  EvaluateCurves
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423055:423091

Minimized Testcase (0.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_AKNzkW8YXX0aJPco1-bJpiKIqlXcKzvMD9Cfqm8LmOM6l0NM2rBiyPadf0nqAbihEY_xScmq_B0BehwjZvCYXVYWkCYNt-Fdrypa05KUQ3motAiGP6TiEGs62enXZ84StBw4yuR3PIubzDdq1dcE7hxdBw?testcase_id=5496798984798208

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Oct 8 2016

Labels: M-55
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 8 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 8 2016

Labels: Pri-1

Comment 4 by tsepez@chromium.org, Oct 10 2016

Components: Internals>Plugins>PDF
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Is this  bug 651849  or something different? I wonder why it keeps popping up.
Cc: kcwu@chromium.org
Mergedinto: 651849
Status: Duplicate (was: Assigned)

Comment 8 by kcwu@chromium.org, Oct 11 2016

Cc: -kcwu@chromium.org dsinclair@chromium.org
Owner: kcwu@chromium.org
Status: Assigned (was: Duplicate)
This is not dup. I have a CL under review https://codereview.chromium.org/2407113002/

Comment 10 by kcwu@chromium.org, Oct 11 2016

Status: Fixed (was: Assigned)
Project Member

Comment 11 by bugdroid1@chromium.org, Oct 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/06643fd50e35580f7ef43bd29d07b0f9b4423f0e

commit 06643fd50e35580f7ef43bd29d07b0f9b4423f0e
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 11 16:35:36 2016

Roll src/third_party/pdfium/ 10a285391..d20231701 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/10a285391c74..d2023170190b

$ git log 10a285391..d20231701 --date=short --no-merges --format='%ad %ae %s'
2016-10-11 kcwu Fix cmdStageAllocMatrix parameter swap again

BUG= 651849 , 654198 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2405253002
Cr-Commit-Position: refs/heads/master@{#424452}

[modify] https://crrev.com/06643fd50e35580f7ef43bd29d07b0f9b4423f0e/DEPS

Project Member

Comment 12 by ClusterFuzz, Oct 12 2016

ClusterFuzz has detected this issue as fixed in range 424448:424536.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5496798984798208

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  EvalSegmentedFn
  cmsEvalToneCurveFloat
  EvaluateCurves
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423055:423091
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=424448:424536

Minimized Testcase (0.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_AKNzkW8YXX0aJPco1-bJpiKIqlXcKzvMD9Cfqm8LmOM6l0NM2rBiyPadf0nqAbihEY_xScmq_B0BehwjZvCYXVYWkCYNt-Fdrypa05KUQ3motAiGP6TiEGs62enXZ84StBw4yuR3PIubzDdq1dcE7hxdBw?testcase_id=5496798984798208

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by sheriffbot@chromium.org, Oct 12 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 16 by bugdroid1@chromium.org, Oct 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4f9b41f13da493b9ee0d488178192144507480bf

commit 4f9b41f13da493b9ee0d488178192144507480bf
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Oct 17 15:11:49 2016

Roll src/third_party/pdfium/ 85fcf94ee..522ed14ce (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/85fcf94eeae5..522ed14ce8cf

$ git log 85fcf94ee..522ed14ce --date=short --no-merges --format='%ad %ae %s'
2016-10-17 kcwu lcms: Revise previous cmsStageAllocMatrix fix

BUG= 651849 , 654198 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2427683002
Cr-Commit-Position: refs/heads/master@{#425680}

[modify] https://crrev.com/4f9b41f13da493b9ee0d488178192144507480bf/DEPS

Comment 17 Deleted

Labels: -M-56 M-55
Project Member

Comment 19 by sheriffbot@chromium.org, Jan 18 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment