
Issue 659936


Issue metadata

Status: Fixed
Owner: thestig@chromium.org
Closed: Mar 2017
Cc: behdad@chromium.org
Components: Internals>Skia>PDF
OS: Linux
Pri: 2
Type: Bug

Integer-overflow in SetupGlyfBuilders

Project Member Reported by ClusterFuzz, Oct 27 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5548214796419072

Fuzzer: libfuzzer_sfntly_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SetupGlyfBuilders
  sfntly::SubsetterImpl::Subset
  sfntly::SubsetterImpl::SubsetFont
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=417039:417261

Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97eOLiZXWWFtg1OFsY5yNHTgFon1F1lhSxBdQldNwr4GfrLpR_I13IsqZsVMkn9anECEKp2ElTuk1z9OEmhuZeDuvcMtRG7qJ2hS7-3n1v4yvwfkmfaXG8m5Gk7fJialgDG3Y3l0EW7ZrZJ3slZ6gaK9k2l_w?testcase_id=5548214796419072

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Internals>Skia>PDF
Labels: Test-Predator-Correct
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)
Suspect List by find it:
=======================
Author: arthurhsu
Project: chromium-sfntly
Changelist: https://chromium.googlesource.com/external/github.com/googlei18n/sfntly.git/+/25ea06aa8ecfd4b34be2b1d0371c87a0a631bb87
Time: Tue Aug 16 02:26:47 2011
The CL last changed line 270 of file subsetter_impl.cc, which is stack frame 0. 

Author: arthurhsu
Project: chromium-sfntly
Changelist: https://chromium.googlesource.com/external/github.com/googlei18n/sfntly.git/+/2937ee060cb9743321c3fbe15f050a8cd28d3c4d
Time: Fri Dec 09 01:57:19 2011
The CL last changed line 760 of file subsetter_impl.cc, which is stack frame 1. 

Author: arthurhsu
Project: chromium-sfntly
Changelist: https://chromium.googlesource.com/external/github.com/googlei18n/sfntly.git/+/2937ee060cb9743321c3fbe15f050a8cd28d3c4d
Time: Fri Dec 09 01:57:19 2011
The CL last changed line 680 of file subsetter_impl.cc, which is stack frame 2. 

Author: arthurhsu
Project: chromium-sfntly
Changelist: https://chromium.googlesource.com/external/github.com/googlei18n/sfntly.git/+/25ea06aa8ecfd4b34be2b1d0371c87a0a631bb87
Time: Tue Aug 16 02:26:47 2011
The CL last changed line 38 of file font_subsetter.cc, which is stack frame 3. 

Author: thestig
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/05192643e8bfe9ece91d32bd6084f5ccfe33f5a4
Time: Thu Aug 25 02:29:48 2016
The CL last changed line 31 of file subset_font_fuzzer.cc, which is stack frame 4.

Possible suspect: https://codereview.chromium.org/2268863003
thestig@: Could you please take a look into this if it's related to your change.
Cc: behdad@chromium.org
sfntly_fuzzer keeps on giving.
Project Member Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Started (was: Assigned)
https://github.com/googlei18n/sfntly/pull/75
Project Member Comment 5 by bugdroid1@chromium.org, Mar 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/83d38421f79045fef26de00d4c76198c06067852

commit 83d38421f79045fef26de00d4c76198c06067852
Author: thestig <thestig@chromium.org>
Date: Tue Mar 28 19:27:17 2017

Roll DEPS for sfntly de3cce5..04740d2

04740d2 Merge pull request #75 from leizleiz/morefixes
0c9b2fd Fix nits in OTFBasicEditing test.
3723ffd Fix ReadableFontData::ReadDateTimeAsLong().
126f3b3 Fix assert failures in HorizontalMetricsTable.
8fcbf51 Check offsets in FontFactory::LoadCollectionForBuilding().
b95a8f4 Avoid integer overflow in LocaTable::GlyphLength().
cccd3aa Check for integer overflow in SetupGlyfBuilders.
f1384b2 Fix more NULL pointer derefs in sfntly::Font::Builder.
7525f24 Revert commit 3e3a91a.

BUG=659936,663737,666619,669806,699510,705357
TBR=behdad@chromium.org,jshin@chromium.org

Review-Url: https://codereview.chromium.org/2784563002
Cr-Commit-Position: refs/heads/master@{#460186}

[modify] https://crrev.com/83d38421f79045fef26de00d4c76198c06067852/DEPS
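
The roll above lists "Avoid integer overflow in LocaTable::GlyphLength()" and "Check for integer overflow in SetupGlyfBuilders". The following is an added example, not sfntly's code and not the exact arithmetic those commits touched: it shows how loca-table offsets drive glyph-length computation in a TrueType subsetter, how a crafted table makes the literal spec formula wrap to a negative length, and the bounds checks that reject such a table before a length reaches an allocation or copy. The struct, the function names and the loca bytes are this example's own constructions; sfntly's real types (LocaTable, ReadableFontData, the Subsetter classes) are not used.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified 'long'-format loca table (indexToLocFormat == 1): numGlyphs + 1
// big-endian uint32 byte offsets into glyf; glyph i spans
// [offsets[i], offsets[i + 1]). Every value here is attacker-controlled.
struct LocaTable {
  std::vector<uint32_t> offsets;
  uint32_t glyf_length = 0;  // size of the glyf table the offsets index into
  size_t num_glyphs() const { return offsets.empty() ? 0 : offsets.size() - 1; }
};

// Parse the loca bytes. `num_glyphs` comes from maxp (a uint16, so the entry
// count below cannot overflow). A truncated table is rejected here so no
// later lookup reads past `data`.
bool ParseLongLoca(const uint8_t* data, size_t size, uint16_t num_glyphs,
                   uint32_t glyf_length, LocaTable* out) {
  const size_t entries = static_cast<size_t>(num_glyphs) + 1;
  if (size / 4 < entries) return false;
  out->offsets.clear();
  for (size_t i = 0; i < entries; ++i) {
    const uint8_t* p = data + 4 * i;
    out->offsets.push_back((uint32_t{p[0]} << 24) | (uint32_t{p[1]} << 16) |
                           (uint32_t{p[2]} << 8) | uint32_t{p[3]});
  }
  out->glyf_length = glyf_length;
  return true;
}

// The spec formula taken literally. The wrap is reproduced in unsigned
// arithmetic so this example itself has no undefined behaviour, but the
// result is what an int32_t `end - begin` would yield, which is the kind of
// arithmetic UBSan reports as a signed integer overflow.
int32_t GlyphLengthNaive(const LocaTable& loca, size_t glyph_id) {
  uint32_t begin = loca.offsets[glyph_id];
  uint32_t end = loca.offsets[glyph_id + 1];
  return static_cast<int32_t>(end - begin);
}

// Hardened form: bounds-check the id, require monotonic offsets, and require
// the glyph to lie inside the glyf table, so the length is never negative
// and never larger than the data backing it.
bool GlyphLengthChecked(const LocaTable& loca, size_t glyph_id, uint32_t* out) {
  if (glyph_id >= loca.num_glyphs()) return false;
  uint32_t begin = loca.offsets[glyph_id];
  uint32_t end = loca.offsets[glyph_id + 1];
  if (end < begin) return false;             // offsets run backwards
  if (end > loca.glyf_length) return false;  // glyph extends past glyf
  *out = end - begin;
  return true;
}

// Constructed input (not the ClusterFuzz testcase): four glyphs over a
// 64-byte glyf table. Glyphs 0 and 3 are sane 16-byte glyphs; glyph 1 ends
// at 0x80000010, far past the table; glyph 2 therefore starts there and
// ends at 0x20, i.e. its offsets run backwards.
const uint8_t kCraftedLoca[] = {
    0x00, 0x00, 0x00, 0x00,  // offsets[0] = 0x00000000
    0x00, 0x00, 0x00, 0x10,  // offsets[1] = 0x00000010
    0x80, 0x00, 0x00, 0x10,  // offsets[2] = 0x80000010
    0x00, 0x00, 0x00, 0x20,  // offsets[3] = 0x00000020
    0x00, 0x00, 0x00, 0x30,  // offsets[4] = 0x00000030
};
const uint16_t kCraftedNumGlyphs = 4;
const uint32_t kCraftedGlyfLength = 64;

// Helpers over the constructed table so results can be checked by value.
bool CraftedLocaParses(size_t bytes_available) {
  LocaTable t;
  return ParseLongLoca(kCraftedLoca, bytes_available, kCraftedNumGlyphs,
                       kCraftedGlyfLength, &t);
}

// Checked length of glyph `id`, or -1 if the hardened check rejects it.
int64_t CraftedCheckedLength(size_t id) {
  LocaTable t;
  if (!ParseLongLoca(kCraftedLoca, sizeof(kCraftedLoca), kCraftedNumGlyphs,
                     kCraftedGlyfLength, &t)) return -1;
  uint32_t len = 0;
  return GlyphLengthChecked(t, id, &len) ? static_cast<int64_t>(len) : -1;
}

int32_t CraftedNaiveLength(size_t id) {
  LocaTable t;
  ParseLongLoca(kCraftedLoca, sizeof(kCraftedLoca), kCraftedNumGlyphs,
                kCraftedGlyfLength, &t);
  return GlyphLengthNaive(t, id);
}

int main() {
  for (size_t id = 0; id < kCraftedNumGlyphs; ++id) {
    std::printf("glyph %zu: naive=%d checked=%lld\n", id,
                CraftedNaiveLength(id),
                static_cast<long long>(CraftedCheckedLength(id)));
  }
  return 0;
}
```

Glyph 1 wraps to INT32_MIN and glyph 2 to another negative value under the naive formula; the checked version rejects both, along with any id at or beyond numGlyphs. The point of checking `end > glyf_length` separately from `end < begin` is that a monotonic loca can still describe a glyph that lies entirely outside the glyf table, and a subsetter that sums such lengths to size its output table would be working from attacker-chosen numbers.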

Status: Fixed (was: Started)
Project Member Comment 7 by ClusterFuzz, Mar 29 2017

ClusterFuzz has detected this issue as fixed in range 460148:460187.

Detailed report: https://clusterfuzz.com/testcase?key=5548214796419072

Fuzzer: libfuzzer_sfntly_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SetupGlyfBuilders
  sfntly::SubsetterImpl::Subset
  sfntly::SubsetterImpl::SubsetFont
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=417039:417261
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=460148:460187

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96fYLlTxo6qHiwtzbkjiGwdTu7RcpGtpZd6xTrayKhfPWP2jFo3qLtHCIjMO4E9TMD7txF7jCeANOe-5zEBSZ31H9tbuFllw0BjkPYsakFgC3jWqzfbt5ZPep_6ZUOBmLMAL7YNYzAkQoJDRAONZCO8Pts0PK-Hk7tsbjVTNxRws3DunZ8_w1xVlff5B4WaUCz91asW9_tDSbWKEiniBenXc6pp8pSU3oDCHe0JqQNRpEu8OuKjGrmAMBSrlva_nBZ1T1v5gpRrT7HVafubc1o3WC3OeBHOqiMpTTIzipQrNZgO2cmOdEPIDPBft6rLNsFQ8lFHneNIssyCoL0RsTzbcQfrg0mr7bPQshsXw7fds6Pov8w?testcase_id=5548214796419072


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
