Issue 656876 link

Starred by 3 users

Issue metadata

Status: Fixed
Closed: Mar 2017
OS: Linux
Pri: 2
Type: Bug




Undefined-shift in CJBig2_HuffmanTable::InitCodes

Reported by ClusterFuzz, Oct 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6591373145014272

Fuzzer: libfuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CJBig2_HuffmanTable::InitCodes
  CJBig2_HuffmanTable::ParseFromCodedBuffer
  CJBig2_HuffmanTable::CJBig2_HuffmanTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94c1Z4R2Wi_FPAmpY1sh0kENdNUQEdGFt5W6lAk4Ku7cI8w2wvcHMaLxr1uw3Umlk6g1nfgYU8ADGXlt6OuYLnYQt90kONxXYnUADbI5AdcTGY6iVh0KKIYJZpYG0CpUCLEmOaAyDakVW90NmMi_PakarM_GQ?testcase_id=6591373145014272

Additional requirements: Requires Gestures

Issue manually filed by: ajha

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by ajha@chromium.org, Oct 18 2016

Cc: ajha@chromium.org
Components: Internals>Plugins>PDF
Labels: M-56 Te-Logged
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400

This CL last changed each of the following lines in the crash stack:
  line 115 of file JBig2_HuffmanTable.cpp (stack frame 0)
  line 97 of file JBig2_HuffmanTable.cpp (stack frame 1)
  line 26 of file JBig2_HuffmanTable.cpp (stack frame 2)
  line 1234 of file JBig2_Context.cpp (stack frame 3)
  line 330 of file JBig2_Context.cpp (stack frame 4)
  line 86 of file JBig2_Context.cpp (stack frame 5)
  line 189 of file JBig2_Context.cpp (stack frame 6)

Suspected Project: chromium-pdfium

Assigning to Dan@ as the owner of chromium//src/third_party/pdfium/OWNERS for help in further investigation of this.

Thanks in advance!
Cc: kcwu@chromium.org

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by ClusterFuzz, Mar 27 2017

ClusterFuzz has detected this issue as fixed in range 459701:459705.

Detailed report: https://clusterfuzz.com/testcase?key=6591373145014272

Fuzzer: libfuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  CJBig2_HuffmanTable::InitCodes
  CJBig2_HuffmanTable::ParseFromCodedBuffer
  CJBig2_HuffmanTable::CJBig2_HuffmanTable
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=459701:459705

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96dcQRcqX6axIUCb9gfg86Y3WVayElQv6aFRsdidRKr2LdacddcTh8KRJrqpWkhgfEjhlWGSjVm5mKQnwYGWxtF_5RxjaWxYf1644XQtquVDx7kTHZbir7uTlsULiFncB5hTDxM3u7qxqlEjnSKHVEENAFpjCejH_BzTB_OXa68QKRQ7c-uVRrETtySEciX0zUnFDK4CmTb5-8yigiX6gLvRHH8YQRFcRnvpfQS-QPsHsaYqaa2ryHCZDc2WQhVUIxuRos1m5-MFQWyJo2PD_vKt5eWZyLx9GRdAHr8Ok3M2x6KkrvFdM-LS36BTGLx48uTpkya3KJw0KmayjAXfPKhdgBM_lU5iQN4qgsLDRv0tHvnlSs?testcase_id=6591373145014272


Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz, Mar 27 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6591373145014272 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by npm@chromium.org, Mar 27 2017

Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Labels: -ClusterFuzz-Wrong
Status: Fixed (was: Assigned)
Doesn't repro for me locally. Marking as fixed.
