Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in BilinearInterpFloat |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4766418254168064 Fuzzer: afl_pdf_codec_icc_fuzzer Job Type: afl_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x6020000002b4 Crash State: BilinearInterpFloat _LUTevalFloat XFormSampler16 Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=420425:420578 Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97MIDlPdtG_h3_b26Z4TITHqIce5v3jO8snMfbSvb2r7krpcAeIgtwtKQjW3WdmJ1mYKi8oRB-UsHeP4J4BwFuhzNFVsXKFISQ0eXjHihNKdmdlcroAsLVsJAsILx92IkrtSz-yInH3GDdtKlbIkxRThRt5iA?testcase_id=4766418254168064 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 9 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 9 2016
,
Oct 10 2016
,
Oct 11 2016
kcwu@ has been looking into the ICC issues.
,
Oct 12 2016
I analyzed and know why it crashed. But I have no idea how to fix it. It crashed at https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmsintrp.c?sq=package:chromium&l=363 d01 = DENS(X0, Y1); where DENS is a macro. It expanded as d01 = LutTable[X0 + Y1 + OutChan] with X0=0, Y1=1, OutChan=0. In other words, LutTable[1]. The size of LutTable is only 1. So it crashed. LutTable is allocated at https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmslut.c?sq=package:chromium&l=503 NewElem ->Tab.TFloat = (cmsFloat32Number*) _cmsDupMem(mpe ->ContextID, Data ->Tab.TFloat, Data ->nEntries * sizeof (cmsFloat32Number)); where Data->nEntries=1. Back to the index. https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmsintrp.c?sq=package:chromium&l=358 Y1 = Y0 + (Input[1] >= 1.0 ? 0 : p->opta[0]); where Input[1]=0, p->opta[0]=1. The source of p->opta[0] is https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmsintrp.c?sq=package:chromium&l=137 p -> opta[0] = p -> nOutputs; where p->nOutputs=1. So far, I have no idea where is the bug.
,
Oct 13 2016
,
Oct 13 2016
+ochang@ who might have some suggestions
,
Oct 19 2016
,
Oct 26 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
,
Oct 27 2016
kcwu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 27 2016
I found lcms trunk doesn't have this issue. I will investigate the detail later. BTW, do you have any concerns to update the version of lcms from 2.6 to 2.8 (the latest release) ?
,
Oct 27 2016
No concerns, lets do it now so that it can get fuzzing on trunk before next stable release.
,
Oct 27 2016
This is fixed by https://github.com/mm2/Little-CMS/commit/c0a98d86182cd305d4393ad9a0bb5fc4941090ba#diff-bdcc790716799065da658a69e8fdb10dR4292 last week. p.s. That commit fixed more than one issue. For example, it also fixed issue 654676 and issue 654313 at least.
,
Oct 31 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
,
Nov 1 2016
Hi kcwu@ - can you confirm the merge from issue 654676 also addresses this one?
,
Nov 1 2016
No, issue 654676 is different to this issue.
,
Nov 7 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you! Also due to Thanksgiving holidays in US, please make sure all fixes are ready and merged to M55 latest by 5:00 PM PT Friday, 11/18/16.
,
Nov 7 2016
Merge to M55 tracked by https://codereview.chromium.org/2482523003/
,
Nov 7 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/413e3518ce390860cb5560720e5fba3ca7c8f764 commit 413e3518ce390860cb5560720e5fba3ca7c8f764 Author: kcwu <kcwu@chromium.org> Date: Mon Nov 07 18:41:52 2016 lcms: backport upstream commit c0a98d86 This fixed several issues. BUG= chromium:654265 , chromium:657282 , chromium:654676 , chromium:654313 Review-Url: https://codereview.chromium.org/2482523003 [add] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/0012-backport-c0a98d86.patch [modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/README.pdfium [modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmsintrp.c [modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmsio0.c [modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmstypes.c
,
Nov 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/497a104c1a41fa6840998a97b1c674da1fd00c9b commit 497a104c1a41fa6840998a97b1c674da1fd00c9b Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org> Date: Tue Nov 08 05:00:34 2016 Roll src/third_party/pdfium/ a97fc7c63..3c669a7fb (8 commits). https://pdfium.googlesource.com/pdfium.git/+log/a97fc7c6392c..3c669a7fb05d $ git log a97fc7c63..3c669a7fb --date=short --no-merges --format='%ad %ae %s' 2016-11-07 thestig Fix #include after commit c09625ca. 2016-11-07 tsepez Force compiler to deduce src type for checked_cast<dst, src>. 2016-11-07 tsepez Hold trailers via unique_ptrs. 2016-11-07 thestig Sync pdfium tryserver list with main pdfium waterfall. 2016-11-07 tsepez Use unique_ptr return from CPDF_Parser::ParseIndirectObject() 2016-11-07 tsepez Rename CPDF_Linearized to CPDF_LinearizedHeader 2016-11-07 kcwu lcms: backport upstream commit c0a98d86 2016-11-07 dsinclair Fold DataProviders into parent classes BUG= 654265 , 657282 , 654676 , 654313 Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls TBR=dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2485023002 Cr-Commit-Position: refs/heads/master@{#430520} [modify] https://crrev.com/497a104c1a41fa6840998a97b1c674da1fd00c9b/DEPS
,
Nov 8 2016
,
Nov 8 2016
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 8 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
,
Nov 8 2016
awhalley@, is this change safe to take to M55 (Just double checking Cl listed #21 landed 12 hrs ago)?
,
Nov 8 2016
,
Nov 9 2016
,
Nov 9 2016
ClusterFuzz has detected this issue as fixed in range 430510:430537. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4766418254168064 Fuzzer: afl_pdf_codec_icc_fuzzer Job Type: afl_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x6020000002b4 Crash State: BilinearInterpFloat _LUTevalFloat XFormSampler16 Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=420425:420578 Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=430510:430537 Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97MIDlPdtG_h3_b26Z4TITHqIce5v3jO8snMfbSvb2r7krpcAeIgtwtKQjW3WdmJ1mYKi8oRB-UsHeP4J4BwFuhzNFVsXKFISQ0eXjHihNKdmdlcroAsLVsJAsILx92IkrtSz-yInH3GDdtKlbIkxRThRt5iA?testcase_id=4766418254168064 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 10 2016
govind@ - good catch. Hold off for now. Will re-request.
,
Nov 10 2016
Ok, sounds good. Please update the bug once it is good to take in. I will approve M55 merge then. Thank you.
,
Nov 11 2016
awhalley@, will it be a good to take merge now?
,
Nov 14 2016
Yes, good to merge. The commit in question is: https://pdfium.googlesource.com/pdfium.git/+/413e3518ce390860cb5560720e5fba3ca7c8f764 which also addresses issue 657282 .
,
Nov 14 2016
Approving merge to M55 branch 2883 per comment #32. Please merge ASAP. Thank you.
,
Nov 14 2016
Issue 664975 has been merged into this issue.
,
Nov 17 2016
Merged: https://pdfium.googlesource.com/pdfium/+/9439f839d1a17f251a6b78b5cbf97c5848d5d52b
,
Nov 18 2016
,
Feb 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Oct 9 2016