New issue
Advanced search Search tips

Issue 655991 link

Starred by 1 user
Status: Fixed
Owner:
thestig@chromium.org
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in chrome_pdf::PDFiumEngine::Form_GetCurrentPage

Project Member Reported by ClusterFuzz, Oct 14 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6193006187380736

Fuzzer: ifratric_pdf_generic
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x27e52e1b
Crash State:
  chrome_pdf::PDFiumEngine::Form_GetCurrentPage
  CPDFSDK_FormFillEnvironment::GetCurrentPage
  CPDFSDK_FormFillEnvironment::GetCurrentView
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=425143:425240

Minimized Testcase (907.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv957wr9ljn2A97hCF5cwIkBddg5cC4lkSuEq8OBBMSdzCWQmpvk5PMryy6xuiVlQGypLodk8eyJAVhLJDMay2Z7k9lDZff378p8b6mDABIk3TZMx7SGe5lbcTYdOAVtC8JXOyo4yBX3Fn27BDnayoy0Us6Pf_ch9XB6D8OHXciSLJ5x2lEE?testcase_id=6193006187380736

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Oct 14 2016

Labels: M-55
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 14 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 14 2016

Labels: Pri-1

Comment 4 by mmoroz@chromium.org, Oct 14 2016

Components: Internals>Plugins>PDF
Owner: thestig@chromium.org
Status: Available (was: Untriaged)
thestig@, looks like you've worked on something similar ( bug 574440 ). Would you mind taking a look or suggesting an owner for this?

Comment 5 by thestig@chromium.org, Oct 14 2016

Labels: Stability-Memory-AddressSanitizer OS-Linux
Not sure if this actually regressed. Repros on Linux with ASAN as well.

Comment 6 by thestig@chromium.org, Oct 14 2016

Status: Started (was: Available)
https://codereview.chromium.org/2414323003
Project Member

Comment 7 by bugdroid1@chromium.org, Oct 14 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b83a3aed0a28d2f33d8bf54504f4a5a250e96d25

commit b83a3aed0a28d2f33d8bf54504f4a5a250e96d25
Author: thestig <thestig@chromium.org>
Date: Fri Oct 14 23:22:28 2016

Validate page index in PDFiumEngine::ScrollToPage().

BUG= 655991 

Review-Url: https://codereview.chromium.org/2414323003
Cr-Commit-Position: refs/heads/master@{#425507}

[modify] https://crrev.com/b83a3aed0a28d2f33d8bf54504f4a5a250e96d25/pdf/pdfium/pdfium_engine.cc
[modify] https://crrev.com/b83a3aed0a28d2f33d8bf54504f4a5a250e96d25/pdf/pdfium/pdfium_engine.h

Comment 8 by thestig@chromium.org, Oct 14 2016

Status: Fixed (was: Started)
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 15 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 10 by sheriffbot@chromium.org, Jan 21 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment