Out-of-memory in pdfium_fuzzer |
|||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6159139833380864 Fuzzer: libfuzzer_pdfium_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Out-of-memory Crash Address: Crash State: pdfium_fuzzer Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95G0XgAtDI3vgAyngMPDHviBEBPNSEQSu6Z59dYjTOD5qqjcZdz5nisJOqXYUiDyTKgcEwMj0PSsbpgNbotU3VaHCZfGNKNHCcaS_5i7Lh032eUB3LKAu0-6UqNai-9zawjRLvM-URhpYVie66XjkwpfaCcMw?testcase_id=6159139833380864 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Feb 15 2017
,
Feb 17 2017
,
Mar 15 2017
why WontFix?
,
Mar 15 2017
Because the memory is being allocated when the PDF declares that it has a stream of length 1411357199.
,
Mar 15 2017
So, shouldn't the code be resistant to such malformed inputs? Remember, OOMs make fuzzing much less efficient and thus effectively hide other bugs from us. Often, OOMs are security bugs themselves too.
,
Mar 15 2017
,
Mar 15 2017
Yes, we should be resistant to malformed inputs. But not at the expense of being much slower on good inputs. Un-assigning myself.
,
Mar 15 2017
PDFs can be GBs in size. So a large stream is possible, though rare in real life. In an unsandboxed environment outside of CF or the Chrome PDF Viewer, PDFium may be able to allocate enough memory to handle input like this without hitting OOM. I'd suggest checking the number of bytes remaining from current seek position, and if it is smaller than the stream length, then we know the stream length is wrong. For valid files with large streams, try to read the stream in chunks rather than at once.
,
Mar 24 2017
what do we do with bugs like this that don't have an owner?
,
Mar 27 2017
Assign them to me and I'll figure out what to do with it.
,
Mar 27 2017
,
Mar 27 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/43c195016f9c2e38654a484f9472c138b92d3ec3 commit 43c195016f9c2e38654a484f9472c138b92d3ec3 Author: Dan Sinclair <dsinclair@chromium.org> Date: Mon Mar 27 16:08:22 2017 Guard against lengths greater then input size If we get a requested length that is longer then the available buffer size we bail as we won't be able to read the needed data anyway. Bug: chromium:672177 Change-Id: Idb41671c07fe758ec0c1d4d6f84ead0a58fa8339 Reviewed-on: https://pdfium-review.googlesource.com/3221 Reviewed-by: Nicolás Peña <npm@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org> [modify] https://crrev.com/43c195016f9c2e38654a484f9472c138b92d3ec3/core/fpdfapi/parser/cpdf_syntax_parser.cpp
,
Mar 27 2017
,
Mar 28 2017
ClusterFuzz has detected this issue as fixed in range 459823:459865. Detailed report: https://clusterfuzz.com/testcase?key=6159139833380864 Fuzzer: libfuzzer_pdfium_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Out-of-memory (exceeds 2048 MB) Crash Address: Crash State: pdfium_fuzzer Sanitizer: memory (MSAN) Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=459823:459865 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv9609bx186WOHHYRSrbN_lxJakqWK5k014-uGt080JLW94RBMVV66WeABwRaQKBu_qFqEW4qR3z2A94YLY10hNQnur7ZFANgdf-vDWp_BZn560mVnwdoXe9PkJYjRAV-CSCslcPhSDLdySzqPgH-ROMPjqQIxO3Y3pdC7ELGS2wBYAGiASmtg3Oyz7nrmYbUgsRlAKTuje0A18FIz3ugE-PQqDIPbsQMldydiT_iU1MOnAab6HVfa1ksZpCuKQeYMMNRlThxQZMKe64-Idc_XKQMKhDtPf9QUbZyKyY19mNgNw5xgk14_pnMoPvmooXPy2vTugPt58kkwn6ULyoTxYwX_4FkmK9Q_qofIa7XtO6Eh9qxKb4?testcase_id=6159139833380864 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by mummare...@chromium.org
, Feb 14 2017Components: Internals>Plugins>PDF
Labels: Test-Predator-Wrong M-56