Crash in CPDF_PageContentGenerator::ProcessImage
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5825910571008000

Fuzzer: ifratric_pdf_generic
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000007
Crash State:
  CPDF_PageContentGenerator::ProcessImage
  CPDF_PageContentGenerator::GenerateContent
  FPDFPage_GenerateContent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=428625:428627

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv965MNJC4APxI7cOXt9EX0TSFiX-5wQp1s7WU0Wu-Y51cfMB-MY81HRDJeXV0KYG4kMzPIwcZLNxsp9r5Ku68Vi8Ef2orDWUUSVWFLykk-N5BpGjtE7pCveBrG9tD8qlkvXT-gZeZG8t4tu91XgV0OZyHm4g4cdiADP0DekQgtJFOwi_hsQ?testcase_id=5825910571008000

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 31 2016
Clicked redo on regression range; nothing in that range makes any sense.
Oct 31 2016
Hmm. CF is adamant about the range. mstensho is it possible that your CL somehow changed the flow such that a call is eventually made to the plugin with an invalid object?
Oct 31 2016
e.g. https://chromium.googlesource.com/chromium/src/+log/fdc6ab7c454d400dfc3d68ace3e4bcd192e3e5d5..e2ba7553b202819e150c10eac65ded657f4df6cf?pretty=fuller It seems implausible, so if you could rule it out ...
Oct 31 2016
@thestig - would you have a windows box to poke at the minidump? Thanks.
Oct 31 2016
I do have a Windows box. My windbg skills are pretty rusty though. I don't trust the regression range.
Nov 1 2016
yeah, another possibility is that without the fix in the range, trying to print the document just timed out ... given that the change claims to make things much faster.
Nov 1 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5103569884938240
Nov 1 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6355713644560384
Nov 11 2016
Ok. The possibility of a null-ptr segv was introduced in (M56) at https://codereview.chromium.org/2420743002/ and should have hit every time PDFiumEngine::PrintPagesAsRasterPDF() was called. The path may not have been taken given the logic in https://cs.chromium.org/chromium/src/pdf/pdfium/pdfium_engine.cc?rcl=1478866657&l=1394 I expect that some logic changed subsequently to unmask the underlying problem.
Nov 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2ec3b4f35d623d53e26923d3d19d0cb29f20cd26

commit 2ec3b4f35d623d53e26923d3d19d0cb29f20cd26
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Fri Nov 11 21:12:01 2016

Roll src/third_party/pdfium/ a0d323103..dc40c40f4 (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/a0d323103781..dc40c40f40ed

$ git log a0d323103..dc40c40f4 --date=short --no-merges --format='%ad %ae %s'
2016-11-11 thestig Relax colorspace checks in CPDF_DIBSource::CreateDecoder().
2016-11-11 tsepez Fix sevg above CPDF_PageContentGenerator::ProcessImage()

BUG=650230,660756

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2495043002
Cr-Commit-Position: refs/heads/master@{#431644}

[modify] https://crrev.com/2ec3b4f35d623d53e26923d3d19d0cb29f20cd26/DEPS
Nov 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/536cf7b135468bc3848faadae2b35089d22d46aa

commit 536cf7b135468bc3848faadae2b35089d22d46aa
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Nov 15 03:49:39 2016

Roll src/third_party/pdfium/ e3c731526..343980241 (6 commits).

https://pdfium.googlesource.com/pdfium.git/+log/e3c731526c04..3439802410dc

$ git log e3c731526..343980241 --date=short --no-merges --format='%ad %ae %s'
2016-11-14 dsinclair Cleanup fwl_* classes and cfx_* classes in fwl.
2016-11-14 tsepez Make CPDF_PageContentGenerator methods take object numbers
2016-11-14 thestig Fix nits in CPDF_PageOrganizer.
2016-11-14 npm Fix some nits in pdfium_test
2016-11-14 thestig Invalidate a slightly larger rect when updating popup annotations.
2016-11-14 npm Properly release caches in CPDF_DocRenderData

BUG=660756,662804

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2499223002
Cr-Commit-Position: refs/heads/master@{#432083}

[modify] https://crrev.com/536cf7b135468bc3848faadae2b35089d22d46aa/DEPS
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Oct 31 2016

Components: Internals>Skia>PDF
Labels: findit-wrong M-56
Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)