Heap-use-after-free in CFX_SystemHandler::KillTimer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358811051032576
Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x603000003fe0
Crash State:
  CFX_SystemHandler::KillTimer
  CPWL_TimerHandler::EndTimer
  CPWL_Caret::SetCaret
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=423265:423391
Minimized Testcase (3541.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95UdowekGuiRJDLxy2Qlhv8qDiiLbYTqvMtTJLebvi3siGiIKwEiaVIyH6PrCffGoKiLk5mSuhzcJrUDEdgSh4klzodlvuyeHLXWc7k_wA8UZ4wA56DzpYL61V0mQHZujFNArWR6gTzHK73Ltwhv2gcrqoIgaXsYkrUrONJtjbMktwz09E?testcase_id=6358811051032576

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 10 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 10 2016

Oct 10 2016

Oct 11 2016

Oct 11 2016

Oct 11 2016
Correct CL. https://codereview.chromium.org/2408163003/
Oct 11 2016
Moving back to M55 as we're cutting the stable rc today for M54.
Oct 11 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/709f5a9301e91365ab87610993c497e386504ead

commit 709f5a9301e91365ab87610993c497e386504ead
Author: dsinclair <dsinclair@chromium.org>
Date: Tue Oct 11 21:21:16 2016

Fixup formfiller cleanup

The CFFL_InteractiveFormFiller must be cleaned up before the environment because the destruction of the formfiller will trigger the destruction of the formfiller widgets. Some of those widgets may require stopping timers, which requires accessing the environment.

BUG=chromium:654272, chromium:653459

Review-Url: https://codereview.chromium.org/2408163003

[modify] https://crrev.com/709f5a9301e91365ab87610993c497e386504ead/fpdfsdk/cpdfsdk_formfillenvironment.cpp
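The teardown-order bug that the commit above describes, as an added example that is not pdfium's code: `Environment`, `Widget` and `FormFiller` are stand-ins for CPDFSDK_FormFillEnvironment, a CPWL widget with a caret timer, and CFFL_InteractiveFormFiller. pdfium holds the environment through a raw pointer; the model uses a `std::weak_ptr` instead so the dangling access in the wrong-order teardown is recorded rather than crashing (under ASan the raw-pointer version is the KillTimer use-after-free reported in this issue).

```cpp
#include <memory>
#include <string>
#include <vector>

using Log = std::vector<std::string>;   // records teardown events for inspection

struct Environment {                    // stand-in for CPDFSDK_FormFillEnvironment
  explicit Environment(Log* l) : log(l) {}
  ~Environment() { log->push_back("~Environment"); }
  void KillTimer(int id) { log->push_back("KillTimer(" + std::to_string(id) + ")"); }
  Log* log;
};

struct Widget {                         // stand-in for a CPWL widget owning a timer
  Widget(std::weak_ptr<Environment> e, int id, Log* l) : env(e), timer_id(id), log(l) {}
  ~Widget() {                           // stopping the timer needs the environment
    if (auto e = env.lock()) e->KillTimer(timer_id);
    else log->push_back("KillTimer on destroyed environment");  // the UAF, detected
  }
  std::weak_ptr<Environment> env;
  int timer_id;
  Log* log;
};

struct FormFiller {                     // stand-in for CFFL_InteractiveFormFiller
  std::vector<std::unique_ptr<Widget>> widgets;
};

// Buggy order: the environment is released while widgets still reference it.
Log TeardownEnvFirst() {
  Log log;
  auto env = std::make_shared<Environment>(&log);
  FormFiller filler;
  filler.widgets.push_back(std::make_unique<Widget>(env, 7, &log));
  env.reset();                          // environment gone
  filler.widgets.clear();               // widget destructor now dangles
  return log;
}

// Fixed order (what the commit enforces): form filler first, environment last.
Log TeardownFillerFirst() {
  Log log;
  auto env = std::make_shared<Environment>(&log);
  FormFiller filler;
  filler.widgets.push_back(std::make_unique<Widget>(env, 7, &log));
  filler.widgets.clear();               // timers stopped while env is alive
  env.reset();
  return log;
}
```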
Oct 11 2016

Oct 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cedb9638610256a293d802876f04d05f11249776

commit cedb9638610256a293d802876f04d05f11249776
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 11 23:42:29 2016

Roll src/third_party/pdfium/ 19c198b7b..2bfa222a3 (7 commits).

https://pdfium.googlesource.com/pdfium.git/+log/19c198b7b806..2bfa222a38e1

$ git log 19c198b7b..2bfa222a3 --date=short --no-merges --format='%ad %ae %s'
2016-10-11 npm Delete unused flags from CFX_SubstFont
2016-10-11 dsinclair Fixup formfiller cleanup
2016-10-11 dsinclair Remove remaining CPDFSDK_Document references
2016-10-11 dsinclair Convert CPDFXFA_Document to use CPDFSDK_FormFillEnvironment
2016-10-11 tsepez Add CPDF_Object::IsInline()
2016-10-11 npm Deleted unused members in CTTFontDesc
2016-10-11 dsinclair Convert fpdfformfill to use CPDFSDK_FormFillEnvironment

BUG=654272, 653459
TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2411143002
Cr-Commit-Position: refs/heads/master@{#424598}

[modify] https://crrev.com/cedb9638610256a293d802876f04d05f11249776/DEPS
Oct 12 2016

Oct 13 2016
ClusterFuzz has detected this issue as fixed in range 424153:424757.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358811051032576
Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x603000003fe0
Crash State:
  CFX_SystemHandler::KillTimer
  CPWL_TimerHandler::EndTimer
  CPWL_Caret::SetCaret
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=423265:423391
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=424153:424757
Minimized Testcase (3541.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95UdowekGuiRJDLxy2Qlhv8qDiiLbYTqvMtTJLebvi3siGiIKwEiaVIyH6PrCffGoKiLk5mSuhzcJrUDEdgSh4klzodlvuyeHLXWc7k_wA8UZ4wA56DzpYL61V0mQHZujFNArWR6gTzHK73Ltwhv2gcrqoIgaXsYkrUrONJtjbMktwz09E?testcase_id=6358811051032576

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 21 2016

Oct 21 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Oct 23 2016
+awhalley@ for M55 merge review
Oct 24 2016
Yep, good to take this. Note that we only need:

2016-10-11 dsinclair Fixup formfiller cleanup

which can be cherry-picked into chromium/2883.
Oct 24 2016
Approving merge to M55 branch 2883. As per comment #18 on what to merge. Thank you.
Oct 24 2016
Will merge.
Oct 24 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/e84013dc2611fe399d435debdd36c6da9aab3664

commit e84013dc2611fe399d435debdd36c6da9aab3664
Author: Lei Zhang <thestig@google.com>
Date: Mon Oct 24 20:54:36 2016
Oct 24 2016
Seems like M55 merge is done per comment #21. Is anything pending for M55? If not, please remove "Merge-Approved-55" label and apply "merge-merged-2883" label. Thank you.
Oct 24 2016

Oct 28 2016

Oct 31 2016
Issue 655543 has been merged into this issue.
Jan 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Oct 10 2016