Crash: opj_pi_next_pcrl divide by zero opening PDF
Reported by seuk...@gmail.com, Dec 6 2016
Issue description

VULNERABILITY DETAILS
Open PDF and crash.

VERSION
Chrome Version: 55.0.2883.75
Operating System: Windows

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Dec 6 2016
Divide by zero
Thread 0 CRASHED [EXCEPTION_INT_DIVIDE_BY_ZERO @ 0x00007ffb702d79a0 ]
0x00007ffb702d79a0 (chrome_child.dll -pi.c:443 ) opj_pi_next_pcrl
0x00007ffb702da1e7 (chrome_child.dll -t2.c:412 ) opj_t2_decode_packets
0x00007ffb702d5611 (chrome_child.dll -tcd.c:1591 ) opj_tcd_t2_decode
0x00007ffb702d4c8b (chrome_child.dll -tcd.c:1330 ) opj_tcd_decode_tile
0x00007ffb702cddf3 (chrome_child.dll -j2k.c:8073 ) opj_j2k_decode_tile
0x00007ffb702ce007 (chrome_child.dll -j2k.c:9614 ) opj_j2k_decode_tiles
0x00007ffb702ce9de (chrome_child.dll -j2k.c:7290 ) opj_j2k_exec
0x00007ffb702cd91b (chrome_child.dll -j2k.c:9814 ) opj_j2k_decode
0x00007ffb702c9b28 (chrome_child.dll -jp2.c:1502 ) opj_jp2_decode
0x00007ffb7029b5a5 (chrome_child.dll -fx_codec_jpx_opj.cpp:774 ) CJPX_Decoder::Init(unsigned char const *,unsigned int)
static INLINE OPJ_INT32 opj_int_ceildiv(OPJ_INT32 a, OPJ_INT32 b) {
assert(b);
return (a + b - 1) / b;
}
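As an added illustration (not code from the report or from OpenJPEG): the assert in opj_int_ceildiv is compiled out when NDEBUG is defined, the usual release configuration, so a zero divisor derived from a malformed codestream reaches the division and raises the EXCEPTION_INT_DIVIDE_BY_ZERO shown in the trace above. The checked variant below (function names are assumptions) reports invalid input instead of trapping and also avoids the signed overflow in a + b - 1.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the helper quoted in the report (assumed: OPJ_INT32 == int32_t).
 * With NDEBUG defined, assert(b) disappears and b == 0 traps in the division. */
static inline int32_t ceildiv_unchecked(int32_t a, int32_t b)
{
    assert(b);
    return (a + b - 1) / b;
}

/* Hardened variant (hypothetical name): rejects b == 0 and the one quotient
 * that overflows, and rounds after dividing so a + b - 1 is never computed.
 * Returns 0 on success and stores the result; returns -1 on invalid input. */
static int ceildiv_checked(int32_t a, int32_t b, int32_t *out)
{
    if (b == 0)
        return -1;
    if (a == INT32_MIN && b == -1)
        return -1;                     /* -INT32_MIN is not representable */
    int32_t q = a / b;
    int32_t r = a % b;
    /* C truncates toward zero; bump toward +inf only when the exact quotient
     * is positive and inexact (remainder and divisor share a sign). */
    if (r != 0 && ((r < 0) == (b < 0)))
        q += 1;
    *out = q;
    return 0;
}

/* Convenience wrapper: ceil(a / b), or `fallback` when the input is invalid.
 * A decoder would instead reject the codestream at this point. */
static int32_t ceildiv_or(int32_t a, int32_t b, int32_t fallback)
{
    int32_t q;
    return ceildiv_checked(a, b, &q) == 0 ? q : fallback;
}

int main(void)
{
    /* Constructed inputs: a divisor taken from a malformed header can be 0. */
    printf("ceildiv(7, 2)         = %d\n", ceildiv_or(7, 2, -1));
    printf("ceildiv(INT32_MAX, 2) = %d\n", ceildiv_or(INT32_MAX, 2, -1));
    printf("ceildiv(5, 0)         = %d (rejected)\n", ceildiv_or(5, 0, -1));
    return 0;
}
```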
Dec 17 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6131729464295424
Job Type: linux_asan_pdfium
Crash Type: Floating-point-exception
Crash Address:
Crash State:
  opj_pi_next
  opj_t2_decode_packets
  opj_tcd_decode_tile
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=344607:344814
Minimized Testcase (2.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv967m0JFNaEPRpZd89emH4UsuNvfmHB1kDgR20YtV3LpGsfo7Jj6xl5q6xnlMQL_K1KOSGKMl0HM7lhTBDxEweoX7TfshORU5fzO0CdDG30gYXB7898ScxSSgVATdht4IwtNv8KZRyZDgt9ZP-C7zXnLZRwmeg?testcase_id=6131729464295424
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 27 2017
We are building a command-line tool that can reproduce this crash on Goobuntu from source code with a single command. If anyone is interested in using it, please let me know. It'll really help speed up the fixing process :)
Feb 27 2017
There are many FPEs in openjpeg. https://github.com/uclouvain/openjpeg/issues/855 is another bug and https://github.com/uclouvain/openjpeg/pull/845 is a pull request to fix a bunch more. Since the issue is known publicly upstream, I'd rather we just wait until they iron it out.
Mar 14 2017
ClusterFuzz has detected this issue as fixed in range 456450:456499.

Detailed report: https://clusterfuzz.com/testcase?key=6131729464295424
Job Type: linux_asan_pdfium
Crash Type: Floating-point-exception
Crash Address:
Crash State:
  opj_pi_next
  opj_t2_decode_packets
  opj_tcd_decode_tile
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=344607:344814
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=456450:456499
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv967m0JFNaEPRpZd89emH4UsuNvfmHB1kDgR20YtV3LpGsfo7Jj6xl5q6xnlMQL_K1KOSGKMl0HM7lhTBDxEweoX7TfshORU5fzO0CdDG30gYXB7898ScxSSgVATdht4IwtNv8KZRyZDgt9ZP-C7zXnLZRwmeg?testcase_id=6131729464295424
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 14 2017
ClusterFuzz testcase 6131729464295424 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.