This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Can you PTAL or assign this to someone who can? Thanks.

Dan, should this one be yours? It looks like range checking is not being done on p->nOutputs when p is const cmsInterpParams*.

The failing function has a void return type so presumably the data should be sanitized at a higher level?

kcwu@ want to take another ICC bug?

kcwu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

kcwu: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

[Bulk edit]

A friendly reminder that M57 Beta launch is coming soon on February 2nd (in a week)! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

A friendly reminder that M57 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Hi kcwu@ - are you best placed to look at this one also? If not, please re-assign.

A friendly reminder that M57 Stable is launch is coming VERY soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

The issue is in pdfium? I don't think Kuang-che touched that code before. Kuang-che?

I think this is Kuang-che's upstream backport of lcms?

What's lcms? Is it related to video?

I don't have free time to help. Reassigned.

URGENT - PTAL ASAP.

We're getting VERY close to M57 Stable promotion. And 
this issue is marked as M57 stable release blocker. Pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion).

Know that this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label or move to M58.

Thank you.

npm@ can you please take a look?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6915797053b8b76d03816e2cbb08a87082946b38

commit 6915797053b8b76d03816e2cbb08a87082946b38
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Feb 22 19:58:43 2017

Roll src/third_party/pdfium/ 60fd9fc63..e3f237740 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/60fd9fc63744..e3f237740fd8

$ git log 60fd9fc63..e3f237740 --date=short --no-merges --format='%ad %ae %s'
2017-02-22 npm lcms upstream patches to fix security bug

Created with:
  roll-dep src/third_party/pdfium
BUG= 675617 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2711783002
Cr-Commit-Position: refs/heads/master@{#452172}

[modify] https://crrev.com/6915797053b8b76d03816e2cbb08a87082946b38/DEPS

Requesting merge while waiting for clusterfuzz to confirm fix. I'm not in the security team and was assigned this bug today, so unsure about how necessary the merge is. But it should be safe as it is using an upstream patch.

ClusterFuzz has detected this issue as fixed in range 452151:452185.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4883428844765184

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x606000000ba0
Crash State:
  TetrahedralInterpFloat
  Eval4InputsFloat
  EvaluateCLUTfloat
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=420535:420584
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=452151:452185

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94ASJFfKxihCv1MmyBjG90Tcu1Jy8AE5e3R-AFdZusHTL3g-KfcTKRuv5yzLRMkhutzmgQvywwsYIeYG_PZzNceJeEKb4Dl_rR7FGJfkq7307KJj2lfdji4CUB8wZgma0k2qcKr6uE7GFELabqT3FITYnsmRK_9ZoZUNQYC1dB1RNdCCeJBAT-473NjnotZtFeH6X7dg2jq9dmEiDvEdo-cW3Dbw2L-RYua0_S_sbyL5L8pnje2w36yBePSwgEZtr7B8L0T9GVn48uTuKSheVxDO9_JdLyHTdo10xW3FD_x9i2XItgpLvJrZx1-ECxGnKvYO7_52bFFwbIHivwpQELkOx2c6O2F3_i-lG1F1bWTIvNK2l8?testcase_id=4883428844765184


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+awhalley@ for merge review.

govind@ - good for M57.

Note that we're only after npm lcms upstream patches to fix security bug, needn't be a full DEPS roll if there's an M57 branch this can be cherrypicked to.  Thanks!

Approving merge to M57 branch 2987 based on comment #31. Please see #31 for before merging. Thank you.

Yes, there is a pdfium branch called chromium/2987, I cherry-picked there:

https://codereview.chromium.org/2711783009/

npm@ - many thanks!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot