
Issue 672177

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Out-of-memory in pdfium_fuzzer

Reported by ClusterFuzz (Project Member), Dec 7 2016

Issue description

Cc: npm@chromium.org dsinclair@chromium.org
Components: Internals>Plugins>PDF
Labels: Test-Predator-Wrong M-56
Could someone please take a look?
Thank you.

Comment 2 by npm@chromium.org, Feb 15 2017

Cc: -npm@chromium.org
Owner: npm@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by npm@chromium.org, Feb 17 2017

Status: WontFix (was: Assigned)

Comment 4 by kcc@chromium.org, Mar 15 2017

Cc: kcc@chromium.org
why WontFix? 

Comment 5 by npm@chromium.org, Mar 15 2017

Because the memory is being allocated when the PDF declares that it has a stream of length 1411357199.

Comment 6 by kcc@chromium.org, Mar 15 2017

Cc: infe...@chromium.org
So, shouldn't the code be resistant to such malformed inputs? 
Remember, OOMs make fuzzing much less efficient and thus effectively hide other bugs from us. 
Often, OOMs are security bugs themselves too.

Comment 7 by kcc@chromium.org, Mar 15 2017

Status: Assigned (was: WontFix)

Comment 8 by npm@chromium.org, Mar 15 2017

Owner: ----
Status: Available (was: Assigned)
Yes, we should be resistant to malformed inputs. But not at the expense of being much slower on good inputs. Un-assigning myself.
Labels: -M-56
PDFs can be GBs in size. So a large stream is possible, though rare in real life. 

In an unsandboxed environment outside of CF or the Chrome PDF Viewer, PDFium may be able to allocate enough memory to handle input like this without hitting OOM.

I'd suggest checking the number of bytes remaining from current seek position, and if it is smaller than the stream length, then we know the stream length is wrong.

For valid files with large streams, try to read the stream in chunks rather than at once.
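
The length guard and chunked read suggested in the comment above, written out as an added example. This is not PDFium's code and not the change that landed for this bug; the function names, the `StreamReadStatus` enum, the chunk size and the 1000-byte sample buffer are assumptions constructed for illustration. The only value taken from the thread is the declared stream length 1411357199, which the guard rejects without allocating anything.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <iostream>
#include <vector>

// Outcome of validating a declared stream /Length against the input (assumed names).
enum class StreamReadStatus { kOk, kLengthExceedsInput, kBadPosition, kBadChunkSize };

// Hypothetical guard (assumption, not PDFium's API): decide whether `declared_len`
// bytes can actually be read starting at `pos` in an input of `input_size` bytes.
// Nothing is allocated here, so a /Length larger than the remaining input, such as
// 1411357199 in a small file, is rejected before it can drive an out-of-memory.
StreamReadStatus CheckStreamLength(size_t input_size, size_t pos, uint64_t declared_len) {
  if (pos > input_size) return StreamReadStatus::kBadPosition;
  const uint64_t remaining = static_cast<uint64_t>(input_size - pos);
  if (declared_len > remaining) return StreamReadStatus::kLengthExceedsInput;
  return StreamReadStatus::kOk;
}

struct ChunkedReadResult {
  StreamReadStatus status;
  size_t bytes_read;  // bytes handed to the sink
  size_t chunks;      // number of sink calls made
};

// Reads a stream body of `declared_len` bytes at `pos` in fixed-size chunks and
// hands each chunk to `sink`, so a large but valid stream never has to be
// materialised in a single allocation. The guard above runs first.
ChunkedReadResult ReadStreamChunked(const std::vector<uint8_t>& input, size_t pos,
                                    uint64_t declared_len, size_t chunk_size,
                                    const std::function<void(const uint8_t*, size_t)>& sink) {
  ChunkedReadResult result{CheckStreamLength(input.size(), pos, declared_len), 0, 0};
  if (result.status != StreamReadStatus::kOk) return result;
  if (chunk_size == 0) {
    result.status = StreamReadStatus::kBadChunkSize;
    return result;
  }
  // Safe narrowing: the guard proved declared_len <= input.size() - pos.
  const size_t total = static_cast<size_t>(declared_len);
  while (result.bytes_read < total) {
    const size_t n = std::min(chunk_size, total - result.bytes_read);
    sink(input.data() + pos + result.bytes_read, n);
    result.bytes_read += n;
    ++result.chunks;
  }
  return result;
}

// Constructed sample input: 1000 bytes whose value is their offset mod 256.
std::vector<uint8_t> MakeSampleInput() {
  std::vector<uint8_t> input(1000);
  for (size_t i = 0; i < input.size(); ++i) input[i] = static_cast<uint8_t>(i % 256);
  return input;
}

// Applies the guard to the sample input at offset 100 for a given declared length.
StreamReadStatus StatusForDeclaredLength(uint64_t declared_len) {
  return CheckStreamLength(MakeSampleInput().size(), 100, declared_len);
}

// Sums the stream body through the chunked reader; the checksum stands in for any
// per-chunk processing (decoding, hashing) that does not need the whole stream at once.
ChunkedReadResult ChecksumViaChunks(size_t pos, uint64_t declared_len, size_t chunk_size,
                                    uint64_t* checksum_out) {
  const std::vector<uint8_t> input = MakeSampleInput();
  *checksum_out = 0;
  return ReadStreamChunked(input, pos, declared_len, chunk_size,
                           [checksum_out](const uint8_t* p, size_t n) {
                             for (size_t i = 0; i < n; ++i) *checksum_out += p[i];
                           });
}

int main() {
  uint64_t checksum = 0;
  ChunkedReadResult ok = ChecksumViaChunks(100, 900, 256, &checksum);
  std::cout << "valid stream: " << ok.bytes_read << " bytes in " << ok.chunks
            << " chunks, checksum " << checksum << "\n";
  ChunkedReadResult bad = ChecksumViaChunks(100, 1411357199ULL, 256, &checksum);
  std::cout << "bogus /Length 1411357199 rejected: "
            << (bad.status == StreamReadStatus::kLengthExceedsInput) << "\n";
  return 0;
}
```

The guard compares the declared length only against bytes that exist after the current position, so it never trusts the dictionary value on its own; the chunked reader then bounds peak memory by the chunk size rather than by the stream size, which is the behaviour the comment asks for on legitimately large files.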

Comment 10 by kcc@chromium.org, Mar 24 2017

Cc: npm@chromium.org
what do we do with bugs like this that don't have an owner? 
Owner: dsinclair@chromium.org
Assign them to me and I'll figure out what to do with it.
Status: Started (was: Available)
https://pdfium-review.googlesource.com/c/3221/

Comment 13 by bugdroid1@chromium.org (Project Member), Mar 27 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/43c195016f9c2e38654a484f9472c138b92d3ec3

commit 43c195016f9c2e38654a484f9472c138b92d3ec3
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Mon Mar 27 16:08:22 2017

Guard against lengths greater than input size

If we get a requested length that is longer than the available buffer
size we bail as we won't be able to read the needed data anyway.

Bug: chromium:672177
Change-Id: Idb41671c07fe758ec0c1d4d6f84ead0a58fa8339
Reviewed-on: https://pdfium-review.googlesource.com/3221
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/43c195016f9c2e38654a484f9472c138b92d3ec3/core/fpdfapi/parser/cpdf_syntax_parser.cpp

Status: Fixed (was: Started)

Comment 15 by ClusterFuzz (Project Member), Mar 28 2017

ClusterFuzz has detected this issue as fixed in range 459823:459865.

Detailed report: https://clusterfuzz.com/testcase?key=6159139833380864

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  pdfium_fuzzer
  
Sanitizer: memory (MSAN)

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=459823:459865

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv9609bx186WOHHYRSrbN_lxJakqWK5k014-uGt080JLW94RBMVV66WeABwRaQKBu_qFqEW4qR3z2A94YLY10hNQnur7ZFANgdf-vDWp_BZn560mVnwdoXe9PkJYjRAV-CSCslcPhSDLdySzqPgH-ROMPjqQIxO3Y3pdC7ELGS2wBYAGiASmtg3Oyz7nrmYbUgsRlAKTuje0A18FIz3ugE-PQqDIPbsQMldydiT_iU1MOnAab6HVfa1ksZpCuKQeYMMNRlThxQZMKe64-Idc_XKQMKhDtPf9QUbZyKyY19mNgNw5xgk14_pnMoPvmooXPy2vTugPt58kkwn6ULyoTxYwX_4FkmK9Q_qofIa7XtO6Eh9qxKb4?testcase_id=6159139833380864


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.