New issue
Advanced search Search tips

Issue 656162 link

Starred by 1 user
Status: Fixed
Owner:
tsepez@chromium.org
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in CPDF_Dictionary::GetDirectObjectFor

Project Member Reported by ClusterFuzz, Oct 14 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6468231986675712

Fuzzer: ifratric_acrojs
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2ed66b43
Crash State:
  CPDF_Dictionary::GetDirectObjectFor
  CPDF_Dictionary::GetArrayFor
  CPDF_Dictionary::GetRectFor
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=425286:425310

Minimized Testcase (918.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96BHchtbvCkETsVbe2E3QnUvcE2QTOPpbJabN7aUJFKO5XjwNIy7qs0thmdL5IOyCwCHXBdWBbmtqPaLv69KP-fX_4fuYwusaYwgHwWQ01ClVMCLZYSIvWem0Uk1Mq_q1TPrGtmiya6LbdVDuopq12vE9WUNCvelNYR-r2fzSlHZ20MTpg?testcase_id=6468231986675712

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmoroz@chromium.org, Oct 15 2016

Components: Internals>Plugins>PDF
Owner: tsepez@chromium.org
Status: Available (was: Untriaged)
The result is a list of CLs that change the crashed files. 

Author: tsepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/1d023881cd53485303c0fcc0b5878e700dc470fd
Time: Thu Oct 13 16:36:20 2016 -0700
Lines 181 of file cpdf_dictionary.cpp which potentially caused crash are changed in this cl (frame #5, "chrome_child!CPDF_Dictionary::SetFor+0x34 ").
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 15 2016

Labels: M-55
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 15 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 15 2016

Labels: Pri-1
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 15 2016

Status: Assigned (was: Available)
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 16 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 7 by tsepez@chromium.org, Oct 17 2016

Labels: -M-55 M-56
Status: Fixed (was: Assigned)
Reverted in d5bd8a1.
Project Member

Comment 8 by bugdroid1@chromium.org, Oct 18 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96550fadd54a51db311b9df224787c2307b0a312

commit 96550fadd54a51db311b9df224787c2307b0a312
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 18 03:20:24 2016

Roll src/third_party/pdfium/ c11287728..878dd5b12 (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/c11287728d15..878dd5b121b3

$ git log c11287728..878dd5b12 --date=short --no-merges --format='%ad %ae %s'
2016-10-17 dsinclair Cleanup unneeded FWL theme code.
2016-10-17 tsepez FPDFPage_TransformAnnots(): don't re-insert unowned object on top of itself

BUG= 656162 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2429513003
Cr-Commit-Position: refs/heads/master@{#425882}

[modify] https://crrev.com/96550fadd54a51db311b9df224787c2307b0a312/DEPS
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 18 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 10 by sheriffbot@chromium.org, Dec 9 2016

Labels: Merge-Request-56

Comment 11 by dimu@chromium.org, Dec 9 2016

Labels: -Merge-Request-56 Merge-Review-56 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Comment 12 by bustamante@google.com, Dec 13 2016

Labels: -Merge-Review-56 Merge-Approved-56
This change meets the bar and is approved for merging into M56

Comment 13 by awhalley@google.com, Dec 16 2016

Labels: -ReleaseBlock-Beta
Already merged to M56 in #8
Project Member

Comment 14 by sheriffbot@chromium.org, Dec 19 2016 

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 15 by sheriffbot@chromium.org, Dec 23 2016 

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by awhalley@chromium.org, Jan 2 2017

Labels: -Hotlist-Merge-Review -Merge-Approved-56 merge-merged-2924
Project Member

Comment 17 by sheriffbot@chromium.org, Jan 24 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment