Out-of-memory in pdf_codec_tiff_fuzzer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6307227796504576

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
    pdf_codec_tiff_fuzzer

Sanitizer: memory (MSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=422909:423055

Minimized Testcase (0.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95-YHW7pzfhi0KVTvmaLPxWZ9t2h4WUy6R911U0NHkOtSGL64vXaG0gNqtbUC6e4NeQEPe7IKb_L1iZPhoAAg-3kCnlA-1ujkL-ds0twnZW8OntRc3ndjocy9YcEgoftXEj6TBfZ0xLhbkI360rNx07dcPGkmidSUDCvWWsVssZq_ImC2s-PNs0mEAZ2J_khKP6hJUgptmkjy6YsyNv9MxGZgdWdrtYMHnvq7iRdymCNJGk6KyE-n1RBji9WxViVGf4R0K7vqw6VtbVHf83EosRgXKvRYwHVx4DiUxAJt-b3I3DK_Cd2uh89Ko7h0NVvcTvGnv_kTqixeLhXi-ixyrSplTphhBQoTzbNH6YiuHjCoZxvQmeMFOL4AH1KCWZOEMl4vOY8QA4dLjBBa0H-j2zLJbG0w?testcase_id=6307227796504576

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jan 18 2017

Jan 19 2017
I looked at this a bit. It looks like libtiff is just allocating a lot of memory from TIFFReadDirEntryArray because |direntry| lies about its |tdir_count| and then we have:

    *count=(uint32)direntry->tdir_count;
    datasize=(*count)*typesize;
    data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");

There is also a basic sanity check regarding the dimensions, and we don't want to be more strict with that. So not much we can do as far as I can tell.
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453290:453333.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6307227796504576

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
    pdf_codec_tiff_fuzzer

Sanitizer: memory (MSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=422909:423055
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=453290:453333

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv956BeJv6CcVBrk9Lw2ulsXLCrlMMsdHKMIgilKIBIeyl6cxQGjJEnCINbtP-sqapq2yUrKKaHLNLxejleWPBjo4Re5c5GwPSaD6Jp0DZ9Iz8a8MC70DuqGNP4zGGb0q9_NXfWf-EfmoDVgR75_d3XWRQnmPWyPcw8vDX04hXXBasP655QKkk_sYcxPU8x8geHMuxnOk9o4BOH38g64wgk_5f327MJ38aBATLQEdyEJZ5k5epho9FnEmoc7MVvOn6HboptZURbaHcLg1q1F9HSSyp_qQ-U6lWIraUqdlT83awUqaqEibxPaEys99RWqSK5aR7htK57CMa_l3DyQXNe0IPFvRlH046v8geI_WDVgyUpNtajA?testcase_id=6307227796504576

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
ClusterFuzz testcase 6307227796504576 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 1 2017
Mar 28 2017
This doesn't repro for me. npm@, can you give it a try?
Mar 28 2017
It reproduces for me. But the cause is a big malloc in libtiff [1]. WontFix or WDYT?

[1] https://cs.chromium.org/chromium/src/third_party/pdfium/third_party/libtiff/tif_dirread.c?type=cs&q=tif_dirread.c:793&l=793
Mar 28 2017
Mar 29 2017
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/47b8f070dc11308e0bef3a157f6c70fbcad4093a

commit 47b8f070dc11308e0bef3a157f6c70fbcad4093a
Author: Nicolas Pena <npm@chromium.org>
Date: Wed Mar 29 19:20:57 2017

Do more checks before big allocs in TIFFReadDirEntryArray

This CL fixes the only caller to TIFFReadDirEntryData with potentially large size so that we avoid big mallocs when we know we will fail. It does this as follows:
- Avoid the unnecessary computations if datasize is very small. We don't want to be slower in this case.
- If !isMapped(tif), we will Seek and Read. Check that ending position is reachable. In the other case, do a simple check for out of bounds.

Bug: chromium:681311
Change-Id: Ia172d8b4d401753b7c8d5455dc1ada5335f6fa6b
Reviewed-on: https://pdfium-review.googlesource.com/3253
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/47b8f070dc11308e0bef3a157f6c70fbcad4093a/third_party/libtiff/tif_dirread.c
[modify] https://crrev.com/47b8f070dc11308e0bef3a157f6c70fbcad4093a/third_party/libtiff/README.pdfium
[add] https://crrev.com/47b8f070dc11308e0bef3a157f6c70fbcad4093a/third_party/libtiff/0019-oom-TIFFReadDirEntryArray.patch
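The Jan 19 comment describes the failure mode (a directory entry's tdir_count is multiplied by the type size and handed straight to malloc) and the commit message above describes the mitigation (check that the claimed array would actually be reachable in the file before allocating). The C program below is an added, self-contained illustration of that pattern written for this page; it is not libtiff's code and not the pdfium patch. The DirEntry struct, the in-memory "file", the 4-byte inline-value rule of classic TIFF, and the function names entry_array_reachable and read_entry_array are all assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a TIFF directory entry (constructed for this
 * example; field names follow libtiff's, but the struct is not libtiff's). */
typedef struct {
    uint16_t tdir_tag;
    uint16_t tdir_type;
    uint64_t tdir_count;   /* number of values the header claims */
    uint64_t tdir_offset;  /* file offset of the array, or the inline value */
} DirEntry;

/* Classic TIFF keeps values of up to 4 bytes inside the entry itself. */
#define INLINE_VALUE_BYTES 4u

/* Decide, before any malloc, whether count*typesize bytes can exist in a
 * file of file_size bytes. Returns 1 if so and stores the size in *datasize. */
int entry_array_reachable(const DirEntry *entry, uint64_t typesize,
                          uint64_t file_size, uint64_t *datasize)
{
    if (typesize == 0 || entry->tdir_count > UINT64_MAX / typesize)
        return 0;                               /* multiplication would wrap */
    *datasize = entry->tdir_count * typesize;

    if (*datasize <= INLINE_VALUE_BYTES)
        return 1;                               /* inline: no file access */

    if (entry->tdir_offset > file_size ||
        *datasize > file_size - entry->tdir_offset)
        return 0;                               /* array would run past EOF */
    return 1;
}

/* Copies the entry's array out of an in-memory "file", allocating only after
 * the reachability check passed. Returns NULL when the header's claim cannot
 * be satisfied, so no oversized malloc is ever attempted. */
uint8_t *read_entry_array(const DirEntry *entry, uint64_t typesize,
                          const uint8_t *file, uint64_t file_size,
                          uint64_t *out_size)
{
    uint64_t datasize;
    if (!entry_array_reachable(entry, typesize, file_size, &datasize))
        return NULL;

    uint8_t *data = malloc((size_t)datasize);   /* bounded by file_size now */
    if (data == NULL)
        return NULL;

    if (datasize <= INLINE_VALUE_BYTES)
        memcpy(data, &entry->tdir_offset, (size_t)datasize); /* host order */
    else
        memcpy(data, file + entry->tdir_offset, (size_t)datasize);

    *out_size = datasize;
    return data;
}

int main(void)
{
    /* Constructed 64-byte "file": byte i holds the value i. */
    uint8_t file[64];
    for (unsigned i = 0; i < sizeof file; i++)
        file[i] = (uint8_t)i;

    DirEntry honest = { 0x0111, 3, 8, 16 };           /* 8 SHORTs at offset 16 */
    DirEntry liar   = { 0x0111, 3, 0x40000000u, 16 }; /* claims 2 GiB of SHORTs */
    uint64_t n = 0;

    uint8_t *a = read_entry_array(&honest, 2, file, sizeof file, &n);
    printf("honest entry: %s, %llu bytes\n",
           a ? "read" : "refused", (unsigned long long)n);
    free(a);

    uint8_t *b = read_entry_array(&liar, 2, file, sizeof file, &n);
    printf("lying entry: %s\n", b ? "read" : "refused before malloc");
    free(b);
    return 0;
}
```

The order of the checks matters: the overflow guard comes first so that a wrapped product cannot slip under the size comparison, and the inline case is handled before the offset comparison because an inline value has no file position to validate. A real reader additionally has to honour the file's byte order and BigTIFF's 8-byte inline values, which the example leaves out.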
Mar 29 2017
Mar 30 2017
ClusterFuzz has detected this issue as fixed in range 460637:460668.

Detailed report: https://clusterfuzz.com/testcase?key=6307227796504576

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
    pdf_codec_tiff_fuzzer

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=422909:423055
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=460637:460668

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv956BeJv6CcVBrk9Lw2ulsXLCrlMMsdHKMIgilKIBIeyl6cxQGjJEnCINbtP-sqapq2yUrKKaHLNLxejleWPBjo4Re5c5GwPSaD6Jp0DZ9Iz8a8MC70DuqGNP4zGGb0q9_NXfWf-EfmoDVgR75_d3XWRQnmPWyPcw8vDX04hXXBasP655QKkk_sYcxPU8x8geHMuxnOk9o4BOH38g64wgk_5f327MJ38aBATLQEdyEJZ5k5epho9FnEmoc7MVvOn6HboptZURbaHcLg1q1F9HSSyp_qQ-U6lWIraUqdlT83awUqaqEibxPaEys99RWqSK5aR7htK57CMa_l3DyQXNe0IPFvRlH046v8geI_WDVgyUpNtajA?testcase_id=6307227796504576

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 26 2017
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/cbe6d1662e2b76a343702fc77334f6e68b854427

commit cbe6d1662e2b76a343702fc77334f6e68b854427
Author: Nicolas Pena <npm@chromium.org>
Date: Mon Jun 26 19:22:32 2017

Add comment in libtiff patch

This CL adds a comment to point to the upstream bug of a patch fixing an OOM. The fix is fine for us but not accepted upstream so it should be ignored once upstream fixes the bug.

Bug: chromium:681311
Change-Id: I6986fb7c851e260e84f764449ff1ee46441e71b4
Reviewed-on: https://pdfium-review.googlesource.com/6953
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/cbe6d1662e2b76a343702fc77334f6e68b854427/third_party/libtiff/README.pdfium
Comment 1 by mummare...@chromium.org, Jan 18 2017
Labels: Test-Predator-Wrong M-56
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)