Security: PDFium OpenJPEG Use-After-Free Vulnerability
Reported by
stackexp...@gmail.com,
Jan 5 2017
Issue description
VULNERABILITY DETAILS
=================================================================
==15048==ERROR: AddressSanitizer: heap-use-after-free on address 0x0ee03740 at pc 0x025d7625 bp 0x03eac1fc sp 0x03eac1f0
READ of size 4 at 0x0ee03740 thread T0
#0 0x25d7624 in opj_j2k_read_mco C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:5671:68
#1 0x25cc88f in opj_j2k_read_header_procedure C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:7217:23
#2 0x25dcef8 in opj_jp2_exec C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\jp2.c:2261:26
#3 0x25c1779 in opj_j2k_read_header C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:6768:15
#4 0x25bf156 in opj_read_header C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\openjpeg.c:391:10
#5 0x2529799 in CJPX_Decoder::Init(unsigned char const *,unsigned int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp:761:8
#6 0x252b624 in CCodec_JpxModule::CreateDecoder(unsigned char const *,unsigned int,class CPDF_ColorSpace *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp:900:19
#7 0x24749d3 in CPDF_DIBSource::LoadJpxBitmap(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:638:36
#8 0x246e1d9 in CPDF_DIBSource::CreateDecoder(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:527:5
#9 0x2471fe0 in CPDF_DIBSource::StartLoadDIBSource(class CPDF_Document *,class CPDF_Stream const *,bool,class CPDF_Dictionary *,class CPDF_Dictionary *,bool,unsigned int,bool) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:302:13
#10 0x243d2f7 in CPDF_ImageCacheEntry::StartGetCachedBitmap(class CPDF_Dictionary *,class CPDF_Dictionary *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagecacheentry.cpp:121:13
#11 0x23e410e in CPDF_PageRenderCache::StartGetCachedBitmap(class CPDF_Stream *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_pagerendercache.cpp:98:36
#12 0x2495c18 in CPDF_ImageLoader::Start(class CPDF_ImageObject const *,class CPDF_PageRenderCache *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imageloader.cpp:48:19
#13 0x2452e08 in CPDF_ImageRenderer::StartLoadDIBSource(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagerenderer.cpp:66:16
#14 0x2458126 in CPDF_ImageRenderer::Start(class CPDF_RenderStatus *,class CPDF_PageObject *,class CFX_Matrix const *,bool,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagerenderer.cpp:205:7
#15 0x23eebee in CPDF_RenderStatus::ContinueSingleObject(class CPDF_PageObject *,class CFX_Matrix const *,class IFX_Pause *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp:1084:28
#16 0x238498c in CPDF_ProgressiveRenderer::Continue(class IFX_Pause *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_progressiverenderer.cpp:78:30
#17 0x228b84d in `anonymous namespace'::RenderPageImpl C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:115:26
#18 0x228b047 in FPDF_RenderPage_Retail(class CPDF_PageRenderContext *,void *,int,int,int,int,int,int,bool,class IFSDK_PAUSE_Adapter *) C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:982:3
#19 0x228b273 in FPDF_RenderPageBitmap C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:716:3
#20 0x4975d in RenderPage(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,void *,void * &,struct FPDF_FORMFILLINFO_PDFiumTest &,int,struct Options const &,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:657:5
#21 0x4c615 in RenderPdf(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,char const *,unsigned int,struct Options const &,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:862:9
#22 0x4d583 in main C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:998:5
#23 0x2c5b9b8 in _scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
#24 0x749e3389 (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
#25 0x76f99a01 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9a01)
#26 0x76f999d4 (C:\Windows\SysWOW64\ntdll.dll+0x7dea99d4)
0x0ee03740 is located 0 bytes inside of 200-byte region [0x0ee03740,0x0ee03808)
freed by thread T0 here:
#0 0x2c41398 in realloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:102
#1 0x25d500d in opj_j2k_read_mct C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:5179:62
#2 0x25cc88f in opj_j2k_read_header_procedure C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:7217:23
#3 0x25dcef8 in opj_jp2_exec C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\jp2.c:2261:26
#4 0x25c1779 in opj_j2k_read_header C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:6768:15
#5 0x25bf156 in opj_read_header C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\openjpeg.c:391:10
#6 0x2529799 in CJPX_Decoder::Init(unsigned char const *,unsigned int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp:761:8
#7 0x252b624 in CCodec_JpxModule::CreateDecoder(unsigned char const *,unsigned int,class CPDF_ColorSpace *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp:900:19
#8 0x24749d3 in CPDF_DIBSource::LoadJpxBitmap(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:638:36
#9 0x246e1d9 in CPDF_DIBSource::CreateDecoder(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:527:5
#10 0x2471fe0 in CPDF_DIBSource::StartLoadDIBSource(class CPDF_Document *,class CPDF_Stream const *,bool,class CPDF_Dictionary *,class CPDF_Dictionary *,bool,unsigned int,bool) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:302:13
#11 0x243d2f7 in CPDF_ImageCacheEntry::StartGetCachedBitmap(class CPDF_Dictionary *,class CPDF_Dictionary *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagecacheentry.cpp:121:13
#12 0x23e410e in CPDF_PageRenderCache::StartGetCachedBitmap(class CPDF_Stream *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_pagerendercache.cpp:98:36
#13 0x2495c18 in CPDF_ImageLoader::Start(class CPDF_ImageObject const *,class CPDF_PageRenderCache *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imageloader.cpp:48:19
#14 0x2452e08 in CPDF_ImageRenderer::StartLoadDIBSource(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagerenderer.cpp:66:16
#15 0x2458126 in CPDF_ImageRenderer::Start(class CPDF_RenderStatus *,class CPDF_PageObject *,class CFX_Matrix const *,bool,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagerenderer.cpp:205:7
#16 0x23eebee in CPDF_RenderStatus::ContinueSingleObject(class CPDF_PageObject *,class CFX_Matrix const *,class IFX_Pause *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp:1084:28
#17 0x238498c in CPDF_ProgressiveRenderer::Continue(class IFX_Pause *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_progressiverenderer.cpp:78:30
#18 0x228b84d in `anonymous namespace'::RenderPageImpl C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:115:26
#19 0x228b047 in FPDF_RenderPage_Retail(class CPDF_PageRenderContext *,void *,int,int,int,int,int,int,bool,class IFSDK_PAUSE_Adapter *) C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:982:3
#20 0x228b273 in FPDF_RenderPageBitmap C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:716:3
#21 0x4975d in RenderPage(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,void *,void * &,struct FPDF_FORMFILLINFO_PDFiumTest &,int,struct Options const &,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:657:5
#22 0x4c615 in RenderPdf(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,char const *,unsigned int,struct Options const &,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:862:9
#23 0x4d583 in main C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:998:5
#24 0x2c5b9b8 in _scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
#25 0x749e3389 (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
#26 0x76f99a01 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9a01)
#27 0x76f999d4 (C:\Windows\SysWOW64\ntdll.dll+0x7dea99d4)
previously allocated by thread T0 here:
#0 0x2c410f8 in calloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:81
#1 0x25d3262 in opj_j2k_read_siz C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:2252:42
#2 0x25cc88f in opj_j2k_read_header_procedure C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:7217:23
#3 0x25dcef8 in opj_jp2_exec C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\jp2.c:2261:26
#4 0x25c1779 in opj_j2k_read_header C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:6768:15
#5 0x25bf156 in opj_read_header C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\openjpeg.c:391:10
#6 0x2529799 in CJPX_Decoder::Init(unsigned char const *,unsigned int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp:761:8
#7 0x252b624 in CCodec_JpxModule::CreateDecoder(unsigned char const *,unsigned int,class CPDF_ColorSpace *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp:900:19
#8 0x24749d3 in CPDF_DIBSource::LoadJpxBitmap(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:638:36
#9 0x246e1d9 in CPDF_DIBSource::CreateDecoder(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:527:5
#10 0x2471fe0 in CPDF_DIBSource::StartLoadDIBSource(class CPDF_Document *,class CPDF_Stream const *,bool,class CPDF_Dictionary *,class CPDF_Dictionary *,bool,unsigned int,bool) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\fpdf_render_loadimage.cpp:302:13
#11 0x243d2f7 in CPDF_ImageCacheEntry::StartGetCachedBitmap(class CPDF_Dictionary *,class CPDF_Dictionary *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagecacheentry.cpp:121:13
#12 0x23e410e in CPDF_PageRenderCache::StartGetCachedBitmap(class CPDF_Stream *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_pagerendercache.cpp:98:36
#13 0x2495c18 in CPDF_ImageLoader::Start(class CPDF_ImageObject const *,class CPDF_PageRenderCache *,bool,unsigned int,bool,class CPDF_RenderStatus *,int,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imageloader.cpp:48:19
#14 0x2452e08 in CPDF_ImageRenderer::StartLoadDIBSource(void) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagerenderer.cpp:66:16
#15 0x2458126 in CPDF_ImageRenderer::Start(class CPDF_RenderStatus *,class CPDF_PageObject *,class CFX_Matrix const *,bool,int) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_imagerenderer.cpp:205:7
#16 0x23eebee in CPDF_RenderStatus::ContinueSingleObject(class CPDF_PageObject *,class CFX_Matrix const *,class IFX_Pause *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp:1084:28
#17 0x238498c in CPDF_ProgressiveRenderer::Continue(class IFX_Pause *) C:\b\c\b\win_asan_release\src\third_party\pdfium\core\fpdfapi\render\cpdf_progressiverenderer.cpp:78:30
#18 0x228b84d in `anonymous namespace'::RenderPageImpl C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:115:26
#19 0x228b047 in FPDF_RenderPage_Retail(class CPDF_PageRenderContext *,void *,int,int,int,int,int,int,bool,class IFSDK_PAUSE_Adapter *) C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:982:3
#20 0x228b273 in FPDF_RenderPageBitmap C:\b\c\b\win_asan_release\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:716:3
#21 0x4975d in RenderPage(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,void *,void * &,struct FPDF_FORMFILLINFO_PDFiumTest &,int,struct Options const &,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:657:5
#22 0x4c615 in RenderPdf(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,char const *,unsigned int,struct Options const &,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:862:9
#23 0x4d583 in main C:\b\c\b\win_asan_release\src\third_party\pdfium\samples\pdfium_test.cc:998:5
#24 0x2c5b9b8 in _scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
#25 0x749e3389 (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
#26 0x76f99a01 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9a01)
#27 0x76f999d4 (C:\Windows\SysWOW64\ntdll.dll+0x7dea99d4)
SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c:5671:68 in opj_j2k_read_mco
Shadow bytes around the buggy address:
0x31dc0690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31dc06a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31dc06b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31dc06c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x31dc06d0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x31dc06e0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x31dc06f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x31dc0700: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x31dc0710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x31dc0720: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x31dc0730: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15048==ABORTING
VERSION
Chrome Version: Stable
Operating System: All
REPRODUCTION CASE
See attachment.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Tab
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
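The trace above pins down the three moments of the bug: the record table is calloc'd in opj_j2k_read_siz, the old block is freed by realloc in opj_j2k_read_mct, and opj_j2k_read_mco then reads through a pointer into that freed block (the fix rolls later in this thread adjust the m_nb_mct_records calculation in opj_j2k_read_mct). The C model below is added here and is not OpenJPEG's or PDFium's code; it shows the realloc-invalidation shape the trace describes next to an index-based consumer that survives table growth, with all struct and function names being constructed stand-ins.

```c
/* Added model of the hazard in the ASan trace above (not OpenJPEG's code):
 * a record table calloc'd at SIZ time, grown with realloc at MCT time, then
 * read through a pointer taken before the growth. Names are loose stand-ins. */
#include <stdlib.h>
#include <string.h>

#define DEFAULT_NB_RECORDS 10

typedef struct { unsigned index; unsigned element_type; } mct_record;

typedef struct {
    mct_record *mct_records;   /* the block that gets realloc'd */
    size_t nb_mct_records;     /* records actually filled */
    size_t nb_max_mct_records; /* capacity of the block */
} tile_params;

/* Consumer that caches a raw pointer into the table: the shape that dangles
 * once the table is realloc'd, which is what the read in read_mco hits. */
typedef struct { mct_record *decorrelation; } mcc_unsafe;

/* Hardened consumer: keeps the record's position and resolves it at use time
 * against whatever block the table currently owns. */
typedef struct { size_t decorrelation_idx; } mcc_safe;

static int params_init(tile_params *tcp) {
    memset(tcp, 0, sizeof *tcp);
    tcp->mct_records = calloc(DEFAULT_NB_RECORDS, sizeof *tcp->mct_records);
    if (!tcp->mct_records) return 0;
    tcp->nb_max_mct_records = DEFAULT_NB_RECORDS;
    return 1;
}

/* Append a record, growing the table when full. After a successful realloc
 * every pointer into the old block is invalid, even if the address returned
 * happens to be the same. Returns the record's position, or -1. */
static long add_mct_record(tile_params *tcp, unsigned index) {
    if (tcp->nb_mct_records == tcp->nb_max_mct_records) {
        size_t cap = tcp->nb_max_mct_records + DEFAULT_NB_RECORDS;
        mct_record *grown = realloc(tcp->mct_records, cap * sizeof *grown);
        if (!grown) return -1;  /* old block is still valid on failure */
        memset(grown + tcp->nb_max_mct_records, 0,
               DEFAULT_NB_RECORDS * sizeof *grown);
        tcp->mct_records = grown;
        tcp->nb_max_mct_records = cap;
    }
    tcp->mct_records[tcp->nb_mct_records].index = index;
    return (long)tcp->nb_mct_records++;
}

/* Bounds-checked lookup: the filled count, not a cached pointer, is the
 * source of truth, so a miscounted nb_mct_records is caught here as well. */
static mct_record *resolve(const tile_params *tcp, size_t idx) {
    return idx < tcp->nb_mct_records ? &tcp->mct_records[idx] : NULL;
}

/* Scenario: fill the default block, bind both consumers to record 3, then
 * add an 11th record, which forces the realloc. The safe consumer still
 * finds index 103; the unsafe one now holds a pointer into freed memory and
 * is never dereferenced here (that read is the heap-use-after-free). */
static unsigned safe_consumer_after_growth(void) {
    tile_params tcp;
    if (!params_init(&tcp)) return 0;
    for (unsigned i = 0; i < DEFAULT_NB_RECORDS; ++i)
        add_mct_record(&tcp, 100u + i);
    mcc_safe safe = { 3 };
    mcc_unsafe unsafe = { &tcp.mct_records[3] };
    add_mct_record(&tcp, 200u);
    (void)unsafe;
    mct_record *rec = resolve(&tcp, safe.decorrelation_idx);
    unsigned out = rec ? rec->index : 0;
    if (resolve(&tcp, tcp.nb_mct_records) != NULL) out = 0; /* past the count */
    free(tcp.mct_records);
    return out;
}
```

Built with -fsanitize=address, dereferencing the unsafe consumer after the 11th insert reproduces the same "freed by realloc" report shape as the trace above.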
Jan 5 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6025704501411840
Jan 5 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6025704501411840
Job Type: linux_asan_pdfium
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x613000000b00
Crash State:
opj_j2k_read_mco
opj_j2k_read_header_procedure
opj_j2k_read_header
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=321780:322012
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TI-j38amhThvsc3CMKah8kNCCVL_RBQW7QN9ogDYAuYZ26Zl9VP6jpbgL3czp_jHWGjpRVy2Wc-2TkfASjFcZ0_TFiXtJIFJfer2JvffLLqsche897cK7xpUk9JhkLKN1aTtW5amknEFFQ8wG3NqcStHMdm-3lZumvjEqzavs2ZmOi2pPJrgcBVKdyihXqeebFqxVfsq-2NFiKi4LErKZCG-YmgvpnQ8zPd-cmds8Np1bAcKLEixlKy794BVpO_SFzlNW5yU4vunaWu1T4whUIbn39rXDfVyhJuwaZJttMlXv73ACs6sW2SXuZfM-DE8gRjswfTVixvr5VOsT_DncX58bBCB0m4kU8ZPGyLFwkwqi4FM?testcase_id=6025704501411840
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Jan 5 2017
This issue affects all Chrome versions, including Chrome stable; we should fix it ASAP.
Jan 6 2017
jun_fang: This looks like it may have been caused by updating openjpeg: https://pdfium.googlesource.com/pdfium/+/ec61a859344dc6d2a60e4cbcd1555e6d317f2add.
Jan 10 2017
npm@ can you take a look? This one isn't XFA so needs to get fixed soon.
Jan 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a427ba0638c4294faf264550d12077b709f5c0de

commit a427ba0638c4294faf264550d12077b709f5c0de
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Jan 11 06:42:58 2017

Roll src/third_party/pdfium/ 29a9f87a8..44bc1f818 (5 commits).

https://pdfium.googlesource.com/pdfium.git/+log/29a9f87a8bcd..44bc1f818dd7

$ git log 29a9f87a8..44bc1f818 --date=short --no-merges --format='%ad %ae %s'
2017-01-10 npm Fix m_nb_mct_records calculation in opj_j2k_read_mct
2017-01-10 dsinclair Strip out custom allocator code
2017-01-10 dsinclair Split xfa_textlayout apart.
2017-01-10 dsinclair Remove custom allocator from CFDE_TxtEdtBuf.
2017-01-10 tsepez Remove CFX_ArrayTemplate in cfx_psrender.

BUG=678461

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2628783002
Cr-Commit-Position: refs/heads/master@{#442827}

[modify] https://crrev.com/a427ba0638c4294faf264550d12077b709f5c0de/DEPS
Jan 11 2017
ClusterFuzz has detected this issue as fixed in range 441524:442831.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6025704501411840
Job Type: linux_asan_pdfium
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x613000000b00
Crash State:
opj_j2k_read_mco
opj_j2k_read_header_procedure
opj_j2k_read_header
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=321780:322012
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=441524:442831
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TI-j38amhThvsc3CMKah8kNCCVL_RBQW7QN9ogDYAuYZ26Zl9VP6jpbgL3czp_jHWGjpRVy2Wc-2TkfASjFcZ0_TFiXtJIFJfer2JvffLLqsche897cK7xpUk9JhkLKN1aTtW5amknEFFQ8wG3NqcStHMdm-3lZumvjEqzavs2ZmOi2pPJrgcBVKdyihXqeebFqxVfsq-2NFiKi4LErKZCG-YmgvpnQ8zPd-cmds8Np1bAcKLEixlKy794BVpO_SFzlNW5yU4vunaWu1T4whUIbn39rXDfVyhJuwaZJttMlXv73ACs6sW2SXuZfM-DE8gRjswfTVixvr5VOsT_DncX58bBCB0m4kU8ZPGyLFwkwqi4FM?testcase_id=6025704501411840
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/68e998adb1ea9fd998afd4dafd372d3d4729a54b

commit 68e998adb1ea9fd998afd4dafd372d3d4729a54b
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Jan 11 23:46:19 2017

Roll src/third_party/pdfium/ 8fa82794f..96f482c9c (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/8fa82794ffc2..96f482c9cd3c

$ git log 8fa82794f..96f482c9c --date=short --no-merges --format='%ad %ae %s'
2017-01-11 dsinclair Convert FDE CSS enums to enum classes.
2017-01-11 npm Really fix m_nb_mct_records calculation in opj_j2k_read_mct

BUG=678461,680102

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2623103004
Cr-Commit-Position: refs/heads/master@{#443057}

[modify] https://crrev.com/68e998adb1ea9fd998afd4dafd372d3d4729a54b/DEPS
Jan 23 2017
Nice one! The panel awarded $3,000 for this report!
Jan 24 2017
When you're going to release a new version of Chrome, please use the following text as the credit information. Thanks. Ke Liu (@klotxl) of Tencent's Xuanwu LAB (http://xlab.tencent.com/)
Mar 17 2017
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 21 2017
mbarbella@, any idea why sheriffbot@ is requesting 58 merge? Can't see how it's needed.
Mar 21 2017
I see what's happening, but I'm not totally sure what the best way to fix this is. Will follow up with you off-bug.
Apr 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 27 2017
How can I download the minimized testcase? Any suggestions? Great thanks~~~~