Stack-buffer-overflow in IccLib_Translate

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5539399946469376
Fuzzer: afl_pdf_codec_icc_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f28a2a82850
Crash State: IccLib_Translate
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=430333:430381
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv979AeNzbsf1skh1N1wO9m0iVr_yRAVkXqJ-xwBq5AyDprVKuLo5_EBlg6r7PojD8zTtvDktr2tvULY2nG_r43Bha-u2HQFK9rPsJ5E3UrZW34-bejBpTpJdhjjrTCLOBUa5XEakturNjDOpzyZSpPzloJnGWQ?testcase_id=5539399946469376

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Nov 8 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 8 2016
Nov 8 2016
This appears to be a bug in the fuzzer. The fuzzer allocates 4-element arrays for a color, but the maximum size for the array appears to be 15: https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/lcms2-2.6/src/cmspcs.c?l=868&cl=GROK&gsn=cmsChannelsOf&pv=1. The code should do something like: FX_FLOAT src[nComponent]; FX_FLOAT dst[nComponent]; instead. I glanced through a couple of callsites in pdfium and saw some iffy things - for example, kMaxComponents here is 8, but it's not obvious why this is guaranteed to be enough: https://cs.chromium.org/chromium/src/third_party/pdfium/core/fpdfapi/page/cpdf_meshstream.cpp?pv=1&rcl=1478607598&l=173 Hopefully, normal ASAN fuzzing can find those if they're reachable though.
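The comment above describes the root cause: a fixed 4-element stack array is filled by a translate routine whose element count comes from the ICC profile's colour space, which lcms2's cmsChannelsOf() can report as up to 15. The following is an added illustration of the defensive pattern, not code from this thread, PDFium or lcms: the channel count is treated as untrusted and checked against both a hard maximum and the caller's actual buffer capacity before any element is touched. MAX_CHANNELS (16, lcms2's cmsMAXCHANNELS), the toy_transform() stand-in and all sample values are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hard upper bound on channels per pixel. Assumption for this example: lcms2's
 * cmsMAXCHANNELS is 16 and, as noted in the thread, cmsChannelsOf() can return
 * up to 15. The real PDFium/lcms code is not reproduced here. */
#define MAX_CHANNELS 16

enum translate_result {
    TRANSLATE_OK = 0,
    TRANSLATE_BAD_CHANNELS = -1,     /* profile declares 0 or > MAX_CHANNELS channels */
    TRANSLATE_BUFFER_TOO_SMALL = -2  /* caller's arrays cannot hold n_channels values */
};

/* Constructed stand-in for the ICC transform: one output value per channel. */
static void toy_transform(const float *src, float *dst, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        dst[i] = 1.0f - src[i];
}

/* Hardened translate: the channel count originates in the (untrusted) ICC
 * profile, so it is validated against the absolute maximum and against the
 * capacity of both caller-supplied buffers before any element is accessed. */
enum translate_result translate_checked(const float *src, size_t src_cap,
                                        float *dst, size_t dst_cap,
                                        unsigned n_channels)
{
    if (n_channels == 0 || n_channels > MAX_CHANNELS)
        return TRANSLATE_BAD_CHANNELS;
    if (n_channels > src_cap || n_channels > dst_cap)
        return TRANSLATE_BUFFER_TOO_SMALL;
    toy_transform(src, dst, n_channels);
    return TRANSLATE_OK;
}

/* The shape the fuzzer had: 4-element stack arrays, but a colour space that
 * carries 15 channels. With the capacity check in place the call is refused
 * instead of reading and writing past the arrays. */
int demo_fuzzer_shape(void)
{
    float src[4] = {0.1f, 0.2f, 0.3f, 0.4f};
    float dst[4] = {0};
    return translate_checked(src, 4, dst, 4, 15);
}

/* Buffers sized to MAX_CHANNELS accept any count the profile can legally
 * declare. Returns the first output value of a 15-channel transform (0.75). */
float demo_sized_buffers(void)
{
    float src[MAX_CHANNELS] = {0.25f};
    float dst[MAX_CHANNELS] = {0};
    if (translate_checked(src, MAX_CHANNELS, dst, MAX_CHANNELS, 15) != TRANSLATE_OK)
        return -1.0f;
    return dst[0];
}

/* A count above the hard limit is rejected regardless of buffer size. */
int demo_over_limit(void)
{
    float src[MAX_CHANNELS] = {0};
    float dst[MAX_CHANNELS] = {0};
    return translate_checked(src, MAX_CHANNELS, dst, MAX_CHANNELS, MAX_CHANNELS + 1);
}

int main(void)
{
    printf("fuzzer shape  -> %d\n", demo_fuzzer_shape());
    printf("sized buffers -> %.2f\n", demo_sized_buffers());
    printf("over limit    -> %d\n", demo_over_limit());
    return 0;
}
```

Passing the buffer capacity alongside the pointer is what turns the profile-controlled count into a checkable precondition; sizing the arrays by the count (as the comment suggests) or to the library's maximum then makes the check hold for every legal profile, and an out-of-range count becomes a clean error rather than a stack overread.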
Nov 9 2016
Because the color code is too deep in PDF fuzzing, it is hard to find these via fuzzing yet. For example, there is no data for cpdf_meshstream.cpp and lcms in the coverage report https://cluster-fuzz.appspot.com/coverage_report/libfuzzer_pdfium_fuzzer/2016-11-08. I'm not sure it is a fuzzer-only bug, so I'd like to revert my CL first.
Nov 9 2016
The revert CL https://codereview.chromium.org/2485363002/
Nov 9 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/1e21c0d076cc6cc61f36a1835dc886f721fdc4d6

commit 1e21c0d076cc6cc61f36a1835dc886f721fdc4d6
Author: kcwu <kcwu@chromium.org>
Date: Wed Nov 09 14:15:11 2016

Revert of Clean up fx_codec_icc.cpp (patchset #1 id:1 of https://codereview.chromium.org/2482663002/ )

Reason for revert:
Max cmsChannelsOf() is 15, which is larger than the expectation of the existing code and causes crashes (at least the fuzzer).

BUG= chromium:663240

Original issue's description:
> Clean up fx_codec_icc.cpp
>
> Committed: https://pdfium.googlesource.com/pdfium/+/a94fc11866adb1b9ca4a4e1afb4fb574ed472e07

TBR=dsinclair@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.

Review-Url: https://codereview.chromium.org/2485363002

[modify] https://crrev.com/1e21c0d076cc6cc61f36a1835dc886f721fdc4d6/core/fxcodec/codec/fx_codec_icc.cpp
Nov 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/afdb5c81f3b22934fe417ba425b4b419da8c3b5f

commit afdb5c81f3b22934fe417ba425b4b419da8c3b5f
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Nov 09 15:41:25 2016

Roll src/third_party/pdfium/ 4f610efcf..1e21c0d07 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/4f610efcf4e3..1e21c0d076cc

$ git log 4f610efcf..1e21c0d07 --date=short --no-merges --format='%ad %ae %s'
2016-11-09 kcwu Revert of Clean up fx_codec_icc.cpp (patchset #1 id:1 of https://codereview.chromium.org/2482663002/ )

BUG= 663240

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2487963002
Cr-Commit-Position: refs/heads/master@{#430937}

[modify] https://crrev.com/afdb5c81f3b22934fe417ba425b4b419da8c3b5f/DEPS
Nov 10 2016
Nov 10 2016
ClusterFuzz has detected this issue as fixed in range 430933:430961.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5539399946469376
Fuzzer: afl_pdf_codec_icc_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f28a2a82850
Crash State: IccLib_Translate
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=430333:430381
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=430933:430961
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv979AeNzbsf1skh1N1wO9m0iVr_yRAVkXqJ-xwBq5AyDprVKuLo5_EBlg6r7PojD8zTtvDktr2tvULY2nG_r43Bha-u2HQFK9rPsJ5E3UrZW34-bejBpTpJdhjjrTCLOBUa5XEakturNjDOpzyZSpPzloJnGWQ?testcase_id=5539399946469376

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by sheriffbot@chromium.org, Nov 8 2016