Use-of-uninitialized-value in CRYPT_ArcFourSetup
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6581818276184064
Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CRYPT_ArcFourSetup
  CRYPT_ArcFourCryptBlock
  CPDF_SecurityHandler::CheckUserPassword
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Minimized Testcase (0.93 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ufun1hDf_GZaT39LVc5T74MI_w5CKN_JRNfSZK7NgKtyQ0Sniezg-PInXQ-LEAYSJE8y2EnBYLPMHG22UoaRHoqH1_S9hgpq_Wk-gcQ7BcoGONxKpZ7OrL5ISrLPEpU9iC46rFFNfLDQPT_NnEgI5UqRSRsq-Wwx153nmx2wdhaM_ZYgvd3b7MYukR4JhSbB953W2zWUgYKAmUvkbnbVd9aDFk6IQ1wUx_LgRbGZmQQ5zLC3tc15SLQwpb-F2sWFisk2yZelwDsmz0Wm92tKFSFGzQwx3EKaBs_FYQGvaNKidMRPJ1t5JUXKO5HxzqfC257rjwD1qTMzEuVpgjfLktYgyu5qW1O0F_N0YrJMyVhAhGiM?testcase_id=6581818276184064
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jan 28 2017
Jan 28 2017
Jan 30 2017
tsepez@, you were looking into some of this crypt code earlier; could this be related?
Feb 11 2017
tsepez: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 25 2017
tsepez: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 27 2017
See also bug 635046.
Mar 10 2017
Apr 20 2017
May 1 2017
tsepez@: Is this still on your radar?
May 1 2017
Let's see if it still repros.
May 1 2017
Still repro'd, but the information still doesn't make sense, in that the line it's pointing to seems to use data that has been set earlier.
May 1 2017
Argh, use of key[0] when key length is 0.

    j = (j + a + key[k]) & 0xFF;

We only wrap around below:

    if (++k >= (int)length) {
      k = 0;

No harm, since we're trying to open a password-protected document with an empty password, it's going to fail either way -> sev low.
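To make the ordering problem in the comment above concrete, here is an added example (my code, not pdfium's CRYPT_ArcFourSetup and not the fix that landed): an RC4 key schedule with the same loop shape, where the zero-length case is decided before the first `key[k]` read rather than after the `++k` wrap. The function names `rc4_setup`, `rc4_crypt` and the check helpers are assumptions for this example; rejecting an empty key is one defensive choice, and the known-answer vector is the widely published RC4 test pair "Key"/"Plaintext".

```c
/* Added example, not pdfium code: RC4 key schedule with the empty-key case
 * handled before key[k] is ever indexed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t s[256];
    uint8_t i, j;
} rc4_ctx;

/* Key-scheduling algorithm. Returns false for an empty key: with length == 0
 * the loop below would read key[0] on its first iteration, before the
 * "if (++k >= length) k = 0" wrap ever runs, which is exactly the MSan finding. */
bool rc4_setup(rc4_ctx *ctx, const uint8_t *key, size_t length) {
    if (key == NULL || length == 0)
        return false;
    for (int n = 0; n < 256; n++)
        ctx->s[n] = (uint8_t)n;
    size_t k = 0;
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) {
        uint8_t a = ctx->s[n];
        j = (uint8_t)(j + a + key[k]);  /* safe: length > 0 was checked above */
        ctx->s[n] = ctx->s[j];
        ctx->s[j] = a;
        if (++k >= length)
            k = 0;                      /* wrap back to the start of the key */
    }
    ctx->i = 0;
    ctx->j = 0;
    return true;
}

/* Pseudo-random generation: XOR the keystream over data in place.
 * Encryption and decryption are the same operation. */
void rc4_crypt(rc4_ctx *ctx, uint8_t *data, size_t len) {
    for (size_t n = 0; n < len; n++) {
        ctx->i = (uint8_t)(ctx->i + 1);
        uint8_t a = ctx->s[ctx->i];
        ctx->j = (uint8_t)(ctx->j + a);
        uint8_t b = ctx->s[ctx->j];
        ctx->s[ctx->i] = b;
        ctx->s[ctx->j] = a;
        data[n] ^= ctx->s[(uint8_t)(a + b)];
    }
}

/* Known-answer check: key "Key", plaintext "Plaintext" must give
 * BB F3 16 E8 D9 40 AF 0A D3 (published RC4 test vector). */
bool rc4_known_answer_ok(void) {
    static const uint8_t expected[9] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9,
                                        0x40, 0xAF, 0x0A, 0xD3};
    uint8_t buf[9];
    memcpy(buf, "Plaintext", 9);
    rc4_ctx ctx;
    if (!rc4_setup(&ctx, (const uint8_t *)"Key", 3))
        return false;
    rc4_crypt(&ctx, buf, 9);
    return memcmp(buf, expected, 9) == 0;
}

/* The failure mode from the bug: an empty user password yields a zero-length
 * key. rc4_setup must refuse it instead of indexing key[0]. */
bool rc4_rejects_empty_key(void) {
    rc4_ctx ctx;
    const uint8_t empty[1] = {0};  /* constructed: non-NULL pointer, zero length */
    return rc4_setup(&ctx, empty, 0) == false;
}

int main(void) {
    printf("known answer: %s\n", rc4_known_answer_ok() ? "ok" : "FAIL");
    printf("empty key rejected: %s\n", rc4_rejects_empty_key() ? "ok" : "FAIL");
    return 0;
}
```

Under MSan, the unguarded version of this loop reports the same `key[k]` read on the first iteration whenever the caller passes a zero-length key, which is why the guard belongs on entry to the key schedule rather than on the wrap-around branch.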
May 1 2017
May 2 2017
May 2 2017
See https://pdfium.googlesource.com/pdfium/+/a290470880669630dba46ebe0c94b44f36f34f00
May 3 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/cadb4711bdc9cb99113aad2acdbc47711f065626

commit cadb4711bdc9cb99113aad2acdbc47711f065626
Author: Lei Zhang <thestig@chromium.org>
Date: Wed May 03 01:47:28 2017

Add a unit test for CRYPT_ArcFourSetup().

BUG= chromium:686128
Change-Id: Iad3ebbfd304dc145af2e694818864c4d25ccf99a
Reviewed-on: https://pdfium-review.googlesource.com/4793
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/cadb4711bdc9cb99113aad2acdbc47711f065626/core/fdrm/crypto/fx_crypt.cpp
[modify] https://crrev.com/cadb4711bdc9cb99113aad2acdbc47711f065626/core/fdrm/crypto/fx_crypt.h
[modify] https://crrev.com/cadb4711bdc9cb99113aad2acdbc47711f065626/core/fdrm/crypto/fx_crypt_unittest.cpp
May 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2085b16e601642b8c9da76e95c280efd7df35d45

commit 2085b16e601642b8c9da76e95c280efd7df35d45
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Wed May 03 03:45:22 2017

Roll src/third_party/pdfium/ d7188f7f9..cadb4711b (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/d7188f7f91a9..cadb4711bdc9

$ git log d7188f7f9..cadb4711b --date=short --no-merges --format='%ad %ae %s'
2017-05-02 thestig Add a unit test for CRYPT_ArcFourSetup().

Created with:
  roll-dep src/third_party/pdfium

BUG= 686128

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I36a220def9c931f30aac6fd561eb6698fe294981
Reviewed-on: https://chromium-review.googlesource.com/493838
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#468885}

[modify] https://crrev.com/2085b16e601642b8c9da76e95c280efd7df35d45/DEPS
May 3 2017
ClusterFuzz has detected this issue as fixed in range 468811:468856.

Detailed report: https://clusterfuzz.com/testcase?key=6581818276184064
Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CRYPT_ArcFourSetup
  CRYPT_ArcFourCryptBlock
  CPDF_SecurityHandler::CheckUserPassword
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=468811:468856
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6581818276184064
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 3 2017
Aug 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 5 2017
Comment 1 by est...@chromium.org, Jan 27 2017
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)