Integer-overflow in MatShaperEval16
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6269939137904640

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  MatShaperEval16
  PrecalculatedXFORM
  IccLib_Translate

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584

Minimized Testcase (0.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97uGJVa3aVmt2kuM6DDqbB--JqmOcXb0zuRNjbr75_zLo8EenL_1JnYOmKbXLw8I4DRZ3PwOAzjenP-NomGwaRAL9D4lvolf5CH1LcSEwWb4qthUexHIlH7tdAjI2_mneJPfHmBYviEueDzi_aR75peSXjK0w?testcase_id=6269939137904640

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Nov 21 2016
The stack trace from libfuzzer shows that the problem is likely at:

IccLib_Translate(void*, unsigned int, float*, float*) third_party/pdfium/core/fxcodec/codec/fx_codec_icc.cpp:205:5

Kuang-che, could you take a look? If not, feel free to assign back.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Nov 30 2016
I have sent a PR upstream: https://github.com/mm2/Little-CMS/pull/108. Let's see whether the original author thinks this is a good fix or not.

Corresponding Chrome CL: https://codereview.chromium.org/2538703002/
Dec 5 2016
Dec 8 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/31559c91c4983b42361415d30b0b2a518c7ef383

commit 31559c91c4983b42361415d30b0b2a518c7ef383
Author: kcwu <kcwu@chromium.org>
Date: Thu Dec 08 01:34:58 2016

lcms: avoid fixed number LUT optimization on inf values

BUG= chromium:666705

Review-Url: https://codereview.chromium.org/2538703002

[add] https://crrev.com/31559c91c4983b42361415d30b0b2a518c7ef383/third_party/lcms2-2.6/0014-avoid-fixed-inf.patch
[modify] https://crrev.com/31559c91c4983b42361415d30b0b2a518c7ef383/third_party/lcms2-2.6/README.pdfium
[modify] https://crrev.com/31559c91c4983b42361415d30b0b2a518c7ef383/third_party/lcms2-2.6/src/cmsopt.c
Dec 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e02b3c1f94a09f87460192fea64108bf95f386e1

commit e02b3c1f94a09f87460192fea64108bf95f386e1
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Dec 08 11:39:20 2016

Roll src/third_party/pdfium/ cd5e12a9e..64f4e2530 (12 commits).

https://pdfium.googlesource.com/pdfium.git/+log/cd5e12a9ea39..64f4e25304df

$ git log cd5e12a9e..64f4e2530 --date=short --no-merges --format='%ad %ae %s'
2016-12-07 tsepez Use unique_ptr for CXFA_XMLParser.
2016-12-07 tsepez Replace CFX_ByteStringArray with std::vector.
2016-12-07 dsinclair Convert GetWidgetRect to return rect.
2016-12-07 dsinclair Split CFWL_Widget::GetWidgetRect into two parts
2016-12-07 dsinclair Cleanup return values in CFWL_ComboBox
2016-12-07 dsinclair Cleanup FWL default values part II.
2016-12-07 kcwu lcms: avoid fixed number LUT optimization on inf values
2016-12-07 dsinclair Cleanup default FWL params part I
2016-12-07 dsinclair Cleanup caret show/hide code
2016-12-07 dsinclair Cleanup FWL Event and Message code.
2016-12-07 tsepez Remove CFX_FormatString::Release()
2016-12-07 tsepez Properly ref count IFX_FileAccess.

BUG= 666705

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2559143002
Cr-Commit-Position: refs/heads/master@{#437229}

[modify] https://crrev.com/e02b3c1f94a09f87460192fea64108bf95f386e1/DEPS
Dec 9 2016
ClusterFuzz has detected this issue as fixed in range 437210:437229.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6269939137904640

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  MatShaperEval16
  PrecalculatedXFORM
  IccLib_Translate

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420535:420584
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=437210:437229

Minimized Testcase (0.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97uGJVa3aVmt2kuM6DDqbB--JqmOcXb0zuRNjbr75_zLo8EenL_1JnYOmKbXLw8I4DRZ3PwOAzjenP-NomGwaRAL9D4lvolf5CH1LcSEwWb4qthUexHIlH7tdAjI2_mneJPfHmBYviEueDzi_aR75peSXjK0w?testcase_id=6269939137904640

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 9 2016
ClusterFuzz testcase 6269939137904640 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ajha@chromium.org, Nov 18 2016

Labels: M-55