This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

kcwu@ has been looking into the ICC issues.

I analyzed and know why it crashed. But I have no idea how to fix it.

It crashed at
https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmsintrp.c?sq=package:chromium&l=363
    d01 = DENS(X0, Y1);
where DENS is a macro. It expanded as
    d01 = LutTable[X0 + Y1 + OutChan]
with X0=0, Y1=1, OutChan=0. In other words, LutTable[1].
The size of LutTable is only 1. So it crashed.

LutTable is allocated at https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmslut.c?sq=package:chromium&l=503
    NewElem ->Tab.TFloat = (cmsFloat32Number*) _cmsDupMem(mpe ->ContextID, Data ->Tab.TFloat, Data ->nEntries * sizeof (cmsFloat32Number));
where Data->nEntries=1.

Back to the index. https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmsintrp.c?sq=package:chromium&l=358
    Y1 = Y0 + (Input[1] >= 1.0 ? 0 : p->opta[0]);
where Input[1]=0, p->opta[0]=1.
The source of p->opta[0] is https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmsintrp.c?sq=package:chromium&l=137
    p -> opta[0] = p -> nOutputs;
where p->nOutputs=1.

So far, I have no idea where is the bug.

+ochang@ who might have some suggestions

**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

kcwu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I found lcms trunk doesn't have this issue. I will investigate the detail later.

BTW, do you have any concerns to update the version of lcms from 2.6 to 2.8 (the latest release) ?

No concerns, lets do it now so that it can get fuzzing on trunk before next stable release.

This is fixed by https://github.com/mm2/Little-CMS/commit/c0a98d86182cd305d4393ad9a0bb5fc4941090ba#diff-bdcc790716799065da658a69e8fdb10dR4292 last week.

p.s. That commit fixed more than one issue. For example, it also fixed  issue 654676  and  issue 654313  at least.

**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Hi kcwu@ - can you confirm the merge from  issue 654676  also addresses this one?

No,  issue 654676  is different to this issue.

**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Also due to Thanksgiving holidays in US, please make sure all fixes are ready and merged to M55 latest by 5:00 PM PT Friday, 11/18/16.

Merge to M55 tracked by https://codereview.chromium.org/2482523003/

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/413e3518ce390860cb5560720e5fba3ca7c8f764

commit 413e3518ce390860cb5560720e5fba3ca7c8f764
Author: kcwu <kcwu@chromium.org>
Date: Mon Nov 07 18:41:52 2016

lcms: backport upstream commit c0a98d86

This fixed several issues.

BUG= chromium:654265 , chromium:657282 , chromium:654676 , chromium:654313 

Review-Url: https://codereview.chromium.org/2482523003

[add] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/0012-backport-c0a98d86.patch
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/README.pdfium
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmsintrp.c
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmsio0.c
[modify] https://crrev.com/413e3518ce390860cb5560720e5fba3ca7c8f764/third_party/lcms2-2.6/src/cmstypes.c

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/497a104c1a41fa6840998a97b1c674da1fd00c9b

commit 497a104c1a41fa6840998a97b1c674da1fd00c9b
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Nov 08 05:00:34 2016

Roll src/third_party/pdfium/ a97fc7c63..3c669a7fb (8 commits).

https://pdfium.googlesource.com/pdfium.git/+log/a97fc7c6392c..3c669a7fb05d

$ git log a97fc7c63..3c669a7fb --date=short --no-merges --format='%ad %ae %s'
2016-11-07 thestig Fix #include after commit c09625ca.
2016-11-07 tsepez Force compiler to deduce src type for checked_cast<dst, src>.
2016-11-07 tsepez Hold trailers via unique_ptrs.
2016-11-07 thestig Sync pdfium tryserver list with main pdfium waterfall.
2016-11-07 tsepez Use unique_ptr return from CPDF_Parser::ParseIndirectObject()
2016-11-07 tsepez Rename CPDF_Linearized to CPDF_LinearizedHeader
2016-11-07 kcwu lcms: backport upstream commit c0a98d86
2016-11-07 dsinclair Fold DataProviders into parent classes

BUG= 654265 , 657282 , 654676 , 654313 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2485023002
Cr-Commit-Position: refs/heads/master@{#430520}

[modify] https://crrev.com/497a104c1a41fa6840998a97b1c674da1fd00c9b/DEPS

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

 awhalley@, is this change safe to take to M55 (Just double checking Cl listed #21 landed 12 hrs ago)?

ClusterFuzz has detected this issue as fixed in range 430510:430537.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4766418254168064

Fuzzer: afl_pdf_codec_icc_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x6020000002b4
Crash State:
  BilinearInterpFloat
  _LUTevalFloat
  XFormSampler16
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=420425:420578
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=430510:430537

Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97MIDlPdtG_h3_b26Z4TITHqIce5v3jO8snMfbSvb2r7krpcAeIgtwtKQjW3WdmJ1mYKi8oRB-UsHeP4J4BwFuhzNFVsXKFISQ0eXjHihNKdmdlcroAsLVsJAsILx92IkrtSz-yInH3GDdtKlbIkxRThRt5iA?testcase_id=4766418254168064

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

govind@ - good catch.  Hold off for now.  Will re-request.

Ok, sounds good. Please update the bug once it is good to take in. I will approve M55 merge then. Thank you.

 awhalley@, will it be a good to take merge now?

Yes, good to merge. The commit in question is:

https://pdfium.googlesource.com/pdfium.git/+/413e3518ce390860cb5560720e5fba3ca7c8f764

which also addresses  issue 657282 .

Approving merge to M55 branch 2883 per comment #32. Please merge ASAP. Thank you.

 Issue 664975  has been merged into this issue.

Merged: https://pdfium.googlesource.com/pdfium/+/9439f839d1a17f251a6b78b5cbf97c5848d5d52b

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot