New issue
Advanced search Search tips

Issue 680914 link

Starred by 1 user
Status: Fixed
Owner:
hnakashima@chromium.org
Closed: Sep 2017
Cc:
tsepez@chromium.org
dsinclair@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in Buffer_itoa

Project Member Reported by ClusterFuzz, Jan 13 2017

Comment 1 by mummare...@chromium.org, Jan 18 2017

Cc: tsepez@chromium.org
Components: Internals>Plugins>PDF
Labels: Test-Predator-Wrong M-56

Comment 2 by dsinclair@chromium.org, Feb 7 2017

Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 3 by ClusterFuzz, Jul 30 2017 

Detailed report: https://clusterfuzz.com/testcase?key=5575141651382272

Fuzzer: pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Crash Type: Integer-overflow
Crash Address: 
Crash State:
  Buffer_itoa
  CFX_ByteString::FormatInteger
  CPDF_Number::GetString
  
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5575141651382272


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 4 by ClusterFuzz, Jul 31 2017 

Detailed report: https://clusterfuzz.com/testcase?key=5575141651382272

Fuzzer: pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Crash Type: Integer-overflow
Crash Address: 
Crash State:
  Buffer_itoa
  CFX_ByteString::FormatInteger
  CPDF_Number::GetString
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5575141651382272


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 5 by ClusterFuzz, Aug 29 2017 

ClusterFuzz has detected this issue as fixed in range 497785:497822.

Detailed report: https://clusterfuzz.com/testcase?key=5575141651382272

Fuzzer: pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Crash Type: Integer-overflow
Crash Address: 
Crash State:
  Buffer_itoa
  CFX_ByteString::FormatInteger
  CPDF_Number::GetString
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497785:497822

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5575141651382272

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Aug 29 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5575141651382272 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by thestig@chromium.org, Aug 29 2017

Labels: -M-56 ClusterFuzz-Wrong
Status: Assigned (was: Verified)
I suspect CF might be wrong, at least about the fixed CL range. We should double check.

Comment 8 by dsinclair@chromium.org, Aug 31 2017

Cc: dsinclair@chromium.org
Owner: hnakashima@chromium.org

Comment 9 by hnakashima@chromium.org, Sep 1 2017

Status: Started (was: Assigned)

Comment 10 by hnakashima@chromium.org, Sep 1 2017

Labels: -ClusterFuzz-Wrong
Clusterfuzz was right, this CL fixed the issue on this test case:
https://pdfium-review.googlesource.com/c/pdfium/+/10511

Comment 11 by hnakashima@chromium.org, Sep 1 2017

Status: Fixed (was: Started)

Sign in to add a comment