Issue 654272

Issue metadata

Status: Fixed
Closed: Oct 2016
OS: Linux
Pri: 1
Type: Bug-Security


Heap-use-after-free in CFX_SystemHandler::KillTimer

Project Member Reported by ClusterFuzz, Oct 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358811051032576

Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x603000003fe0
Crash State:
  CFX_SystemHandler::KillTimer
  CPWL_TimerHandler::EndTimer
  CPWL_Caret::SetCaret
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=423265:423391

Minimized Testcase (3541.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95UdowekGuiRJDLxy2Qlhv8qDiiLbYTqvMtTJLebvi3siGiIKwEiaVIyH6PrCffGoKiLk5mSuhzcJrUDEdgSh4klzodlvuyeHLXWc7k_wA8UZ4wA56DzpYL61V0mQHZujFNArWR6gTzHK73Ltwhv2gcrqoIgaXsYkrUrONJtjbMktwz09E?testcase_id=6358811051032576

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Oct 10 2016

Labels: M-55

Comment 2 by sheriffbot@chromium.org (Project Member), Oct 10 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Oct 10 2016

Labels: Pri-1

Comment 4 by tsepez@chromium.org, Oct 10 2016

Components: Internals>Plugins>PDF
Labels: M-54
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)

Comment 5 by sheriffbot@chromium.org (Project Member), Oct 11 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 6 by sheriffbot@chromium.org (Project Member), Oct 11 2016

Labels: -ReleaseBlock-Beta ReleaseBlock-Stable

Comment 7 Deleted

Labels: -M-54 M-55
Moving back to M55 as we're cutting the stable rc today for M54.

Comment 10 by bugdroid1@chromium.org (Project Member), Oct 11 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/709f5a9301e91365ab87610993c497e386504ead

commit 709f5a9301e91365ab87610993c497e386504ead
Author: dsinclair <dsinclair@chromium.org>
Date: Tue Oct 11 21:21:16 2016

Fixup formfiller cleanup

The CFFL_InteractiveFormFiller must be cleaned up before the environment because
the destruction of the formfiller will trigger the destruction of the formfiller
widgets. Some of those widgets may require stopping timers, which requires
accessing the environment.

BUG=chromium:654272, chromium:653459

Review-Url: https://codereview.chromium.org/2408163003

[modify] https://crrev.com/709f5a9301e91365ab87610993c497e386504ead/fpdfsdk/cpdfsdk_formfillenvironment.cpp
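Added example, not PDFium code and not the fix in the commit above: a minimal C++ model of the destruction-ordering problem the commit message describes. `SystemHandler`, `Widget`, `InteractiveFormFiller` and `FormFillEnvironment` are assumed stand-ins for CFX_SystemHandler, CPWL_Caret, CFFL_InteractiveFormFiller and CPDFSDK_FormFillEnvironment; the member layout, the `fixed` switch and the event trace are assumptions for illustration. Widgets hold a `weak_ptr` so that the wrong teardown order shows up as a logged "DANGLING" entry instead of the dangling read that ASan reported as a heap-use-after-free in the real code, which used raw pointers. The fixed path does what the commit message says: reset the formfiller explicitly before the rest of the environment is torn down.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Ordered trace of construction/teardown events, filled in by the classes below.
using Trace = std::vector<std::string>;

// Stand-in for CFX_SystemHandler: owns the timer table widgets register with.
class SystemHandler {
 public:
  explicit SystemHandler(Trace* trace) : trace_(trace) {}
  ~SystemHandler() { trace_->push_back("SystemHandler destroyed"); }
  int SetTimer(int interval_ms) {
    int id = next_id_++;
    timers_[id] = interval_ms;
    trace_->push_back("SetTimer " + std::to_string(id));
    return id;
  }
  void KillTimer(int id) {
    timers_.erase(id);
    trace_->push_back("KillTimer " + std::to_string(id));
  }

 private:
  Trace* trace_;
  std::map<int, int> timers_;
  int next_id_ = 1;
};

// Stand-in for a formfiller widget such as CPWL_Caret: it starts a timer on
// creation and must stop it again on destruction, which needs the handler.
class Widget {
 public:
  Widget(std::weak_ptr<SystemHandler> sys, Trace* trace)
      : sys_(std::move(sys)), trace_(trace) {
    if (auto s = sys_.lock()) timer_id_ = s->SetTimer(500);
  }
  ~Widget() {
    // weak_ptr makes the bad ordering observable instead of a dangling read.
    if (auto s = sys_.lock())
      s->KillTimer(timer_id_);
    else
      trace_->push_back("DANGLING: handler gone before widget could KillTimer");
  }

 private:
  std::weak_ptr<SystemHandler> sys_;
  Trace* trace_;
  int timer_id_ = 0;
};

// Stand-in for CFFL_InteractiveFormFiller: owns the widgets.
class InteractiveFormFiller {
 public:
  InteractiveFormFiller(const std::shared_ptr<SystemHandler>& sys, Trace* trace,
                        int widget_count)
      : trace_(trace) {
    for (int i = 0; i < widget_count; ++i)
      widgets_.push_back(std::make_unique<Widget>(sys, trace));
  }
  // widgets_ (and their KillTimer calls) are destroyed after this body runs.
  ~InteractiveFormFiller() { trace_->push_back("FormFiller dtor begins"); }

 private:
  Trace* trace_;
  std::vector<std::unique_ptr<Widget>> widgets_;
};

// Stand-in for CPDFSDK_FormFillEnvironment. Members die in reverse declaration
// order, so sys_handler_ goes away BEFORE form_filler_ unless the destructor
// tears the formfiller down explicitly first (the "fixed" path).
class FormFillEnvironment {
 public:
  FormFillEnvironment(Trace* trace, bool fixed) : fixed_(fixed) {
    sys_handler_ = std::make_shared<SystemHandler>(trace);
    form_filler_ = std::make_unique<InteractiveFormFiller>(sys_handler_, trace, 2);
  }
  ~FormFillEnvironment() {
    if (fixed_) form_filler_.reset();  // widgets stop timers while handler lives
  }

 private:
  bool fixed_;
  std::unique_ptr<InteractiveFormFiller> form_filler_;  // declared first...
  std::shared_ptr<SystemHandler> sys_handler_;          // ...destroyed first
};

// Builds an environment, destroys it, and returns the recorded event order.
Trace TeardownOrder(bool fixed) {
  Trace trace;
  { FormFillEnvironment env(&trace, fixed); }
  return trace;
}

// Number of widgets that found their handler already destroyed.
int CountDangling(const Trace& trace) {
  int n = 0;
  for (const auto& e : trace) if (e.rfind("DANGLING", 0) == 0) ++n;
  return n;
}

int main() {
  for (bool fixed : {false, true}) {
    std::cout << (fixed ? "fixed" : "buggy") << " teardown:\n";
    for (const auto& e : TeardownOrder(fixed)) std::cout << "  " << e << "\n";
  }
  return 0;
}
```

Running the buggy path prints "SystemHandler destroyed" before the formfiller's widgets run, and both widgets log a DANGLING entry; the fixed path shows both KillTimer calls landing before the handler is destroyed. Under ASan with raw pointers the same ordering mistake is exactly the `CFX_SystemHandler::KillTimer` read in the crash state above.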

Status: Fixed (was: Started)

Comment 12 by bugdroid1@chromium.org (Project Member), Oct 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cedb9638610256a293d802876f04d05f11249776

commit cedb9638610256a293d802876f04d05f11249776
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 11 23:42:29 2016

Roll src/third_party/pdfium/ 19c198b7b..2bfa222a3 (7 commits).

https://pdfium.googlesource.com/pdfium.git/+log/19c198b7b806..2bfa222a38e1

$ git log 19c198b7b..2bfa222a3 --date=short --no-merges --format='%ad %ae %s'
2016-10-11 npm Delete unused flags from CFX_SubstFont
2016-10-11 dsinclair Fixup formfiller cleanup
2016-10-11 dsinclair Remove remaining CPDFSDK_Document references
2016-10-11 dsinclair Convert CPDFXFA_Document to use CPDFSDK_FormFillEnvironment
2016-10-11 tsepez Add CPDF_Object::IsInline()
2016-10-11 npm Deleted unused members in CTTFontDesc
2016-10-11 dsinclair Convert fpdfformfill to use CPDFSDK_FormFillEnvironment

BUG=654272, 653459

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2411143002
Cr-Commit-Position: refs/heads/master@{#424598}

[modify] https://crrev.com/cedb9638610256a293d802876f04d05f11249776/DEPS

Comment 13 by sheriffbot@chromium.org (Project Member), Oct 12 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 14 by ClusterFuzz (Project Member), Oct 13 2016

ClusterFuzz has detected this issue as fixed in range 424153:424757.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358811051032576

Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x603000003fe0
Crash State:
  CFX_SystemHandler::KillTimer
  CPWL_TimerHandler::EndTimer
  CPWL_Caret::SetCaret
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=423265:423391
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=424153:424757

Minimized Testcase (3541.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95UdowekGuiRJDLxy2Qlhv8qDiiLbYTqvMtTJLebvi3siGiIKwEiaVIyH6PrCffGoKiLk5mSuhzcJrUDEdgSh4klzodlvuyeHLXWc7k_wA8UZ4wA56DzpYL61V0mQHZujFNArWR6gTzHK73Ltwhv2gcrqoIgaXsYkrUrONJtjbMktwz09E?testcase_id=6358811051032576

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 15 by sheriffbot@chromium.org (Project Member), Oct 21 2016

Labels: Merge-Request-55

Comment 16 by dimu@chromium.org, Oct 21 2016

Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Cc: awhalley@chromium.org
+awhalley@ for M55 merge review
Yep, good to take this. Note that we only need:

2016-10-11 dsinclair Fixup formfiller cleanup

which can be cherry picked into chromium/2883
Labels: -Merge-Review-55 Merge-Approved-55
Approving merge to M55 branch 2883. As per comment #18 on what to merge. Thank you.
Will merge.

Comment 21 by bugdroid1@chromium.org (Project Member), Oct 24 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/e84013dc2611fe399d435debdd36c6da9aab3664

commit e84013dc2611fe399d435debdd36c6da9aab3664
Author: Lei Zhang <thestig@google.com>
Date: Mon Oct 24 20:54:36 2016

Seems like M55 merge is done per comment #21.

Is anything pending for M55? If not, please remove "Merge-Approved-55" label and apply "merge-merged-2883" label. Thank you.
Labels: -Hotlist-Merge-review -Merge-Approved-55 merge-merged-2883
Labels: -ReleaseBlock-Stable
Cc: thestig@chromium.org mmoroz@chromium.org dsinclair@chromium.org
Issue 655543 has been merged into this issue.

Comment 26 by sheriffbot@chromium.org (Project Member), Jan 18 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
