PDF fails to render in Chromium/times out in pdfium_fuzzer
Reported by joseph.b...@gmail.com, Feb 9 2017
Issue description

Example URL: See attached PDF

Steps to reproduce the problem:
1. Open attached PDF in chromium (e.g.: "chromium timeout") or run it with pdfium_fuzzer (e.g.: "pdfium_fuzzer timeout").
2. Wait and wait and wait.
3. Eventually give up on waiting for chromium or have pdfium_fuzzer timeout.

What is the expected behavior?
Something is displayed in a timely fashion like firefox or xpdf do.

What went wrong?
The pdfium_fuzzer timed out after the default timeout of 20 minutes. Then running the resulting pdf in chromium never renders the PDF for me (though I didn't wait much longer than 20 minutes).

Does it occur on multiple sites: No
Is it a problem with a plugin? N/A
Did this work before? N/A
Does this work in other browsers? Yes

Chrome version: 6a917fd8663e32b65066fee2afdb2d463ee357eb-refs/heads/master@{#449289}
Channel: n/a
OS Version: kernel 4.9.8 on Arch Linux
Flash Version: (Disabled)

Attached is the reproducer PDF. Here is the libfuzzer output from when pdfium_fuzzer times out:

ALARM: working on the last Unit for 1201 seconds and the timeout value is 1200 (use -timeout=N to change)
==7780== ERROR: libFuzzer: timeout after 1201 seconds
#0 0x4d2d60 in __sanitizer_print_stack_trace (/home/joseph/chromium-fuzz/chromium/src/out/libfuzzer/pdfium_fuzzer+0x4d2d60)
#1 0x5138f2 in fuzzer::Fuzzer::AlarmCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:319:7
#2 0x7f4ed383e07f (/usr/lib/libpthread.so.0+0x1107f)
#3 0x769adf in CPDF_MeshStream::GetVertexRow(CPDF_MeshVertex*, int, CFX_Matrix*) third_party/pdfium/core/fpdfapi/page/cpdf_meshstream.cpp:214:17
#4 0x701462 in DrawLatticeGouraudShading third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:533:17
#5 0x701462 in CPDF_RenderStatus::DrawShading(CPDF_ShadingPattern*, CFX_Matrix*, FX_RECT&, int, bool) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2079
#6 0x702f5e in CPDF_RenderStatus::DrawShadingPattern(CPDF_ShadingPattern*, CPDF_PageObject const*, CFX_Matrix const*, bool) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2130:3
#7 0x6ed62f in DrawPathWithPattern third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2357:5
#8 0x6ed62f in CPDF_RenderStatus::ProcessPathPattern(CPDF_PathObject*, CFX_Matrix const*, int&, bool&) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2367
#9 0x6eb633 in CPDF_RenderStatus::ProcessPath(CPDF_PathObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1245:3
#10 0x6e84d5 in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1133:14
#11 0x6e4e0b in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1054:3
#12 0x6e453d in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjectHolder const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1026:5
#13 0x6ecc37 in CPDF_RenderStatus::ProcessForm(CPDF_FormObject const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1232:10
#14 0x6e82f1 in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1142:14
#15 0x6e8c79 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1095:3
#16 0x6df48b in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:78:30
#17 0x565db6 in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:115:26
#18 0x565141 in FPDF_RenderPage_Retail third_party/pdfium/fpdfsdk/fpdfview.cpp:994:3
#19 0x565141 in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/fpdfview.cpp:728
#20 0x4f8c09 in RenderPage pdf/pdfium/fuzzers/pdfium_fuzzer.cc:72:5
#21 0x4f8c09 in RenderPdf pdf/pdfium/fuzzers/pdfium_fuzzer.cc:164
#22 0x4f8c09 in LLVMFuzzerTestOneInput pdf/pdfium/fuzzers/pdfium_fuzzer.cc:220
#23 0x516764 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:550:13
#24 0x516f17 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:501:3
#25 0x4fa02a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:268:6
#26 0x4fefc0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:517:9
#27 0x521bf8 in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
#28 0x7f4ed3298290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
SUMMARY: libFuzzer: timeout
Feb 22 2017
Tested the issue on chrome Stable #56.0.2924.87, Canary 58.0.3019.0 in Ubuntu 14.04 and was able to reproduce the issue. This is a Non-Regression issue since seeing this from M35 #35.0.1898.0; making the status Untriaged so that the issue would get addressed. Note: Able to reproduce the issue in MAC 10.12.3 and Win 10.0. Thank you.
Mar 1 2017
Yes, this input ends up hitting an infinite loop inside CPDF_MeshStream.
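As an added illustration (not pdfium's code and not the fix linked in this thread; the simplified bit reader, the MeshHeader struct and the function names are assumptions), this shows the two defensive layers that keep an EOF-driven mesh row loop from spinning forever: reject bit widths the PDF spec does not allow for lattice-form (type 5) shadings, and bail out when a row consumes no bits from the stream:

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <vector>
// Minimal MSB-first bit reader standing in for a CFX_BitStream-like reader:
// GetBits() quietly stops at end of data instead of reporting an error.
struct BitStream {
  const std::vector<uint8_t>& data;
  size_t bitpos = 0;
  explicit BitStream(const std::vector<uint8_t>& d) : data(d) {}
  bool IsEOF() const { return bitpos >= data.size() * 8; }
  uint32_t GetBits(unsigned n) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n && !IsEOF(); ++i, ++bitpos)
      v = (v << 1) | ((data[bitpos / 8] >> (7 - bitpos % 8)) & 1);
    return v;
  }
};
// Shading-dictionary entries that size one lattice-form (type 5) vertex (assumed layout).
struct MeshHeader { unsigned bitsPerCoord, bitsPerComp, nComps, verticesPerRow; };

static bool OneOf(unsigned v, std::initializer_list<unsigned> ok) {
  for (unsigned o : ok) if (v == o) return true;
  return false;
}
// Only the widths the PDF spec allows. Anything else (0 is the obvious case)
// lets a vertex consume no bits, so a loop that runs "until EOF" never ends.
bool HeaderIsValid(const MeshHeader& h) {
  return OneOf(h.bitsPerCoord, {1, 2, 4, 8, 12, 16, 24, 32}) &&
         OneOf(h.bitsPerComp, {1, 2, 4, 8, 12, 16}) &&
         h.nComps >= 1 && h.nComps <= 8 && h.verticesPerRow >= 2;
}
// Consume vertex rows the way an EOF-driven render loop would. Returns the row
// count, or -1 when the header is rejected or a row made no progress (the
// condition under which an unguarded loop would spin forever).
int CountVertexRows(const MeshHeader& h, const std::vector<uint8_t>& bytes,
                    bool validateHeader) {
  if (validateHeader && !HeaderIsValid(h)) return -1;
  BitStream bs(bytes);
  int rows = 0;
  while (!bs.IsEOF()) {
    size_t before = bs.bitpos;
    for (unsigned v = 0; v < h.verticesPerRow; ++v) {
      bs.GetBits(h.bitsPerCoord); bs.GetBits(h.bitsPerCoord);  // x, y
      for (unsigned c = 0; c < h.nComps; ++c) bs.GetBits(h.bitsPerComp);
    }
    if (bs.bitpos == before) return -1;  // progress guard
    ++rows;
  }
  return rows;
}
```

With 8-bit coordinates, three 8-bit colour components and two vertices per row, each row is 80 bits, so a constructed 20-byte stream yields two rows; a header with zero-width fields is rejected up front, and even with validation switched off the progress guard returns instead of looping.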
Mar 1 2017
https://pdfium-review.googlesource.com/2889
Mar 1 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/ef81390393ef5fed1ba168cff081d459eed9f260

commit ef81390393ef5fed1ba168cff081d459eed9f260
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Mar 01 16:45:36 2017

Fix infinite loops in CPDF_MeshStream.

BUG=chromium:690501
Change-Id: I74b09d90a8082554a67f737eb6adc3bff82ed93e
Reviewed-on: https://pdfium-review.googlesource.com/2889
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/ef81390393ef5fed1ba168cff081d459eed9f260/core/fpdfapi/page/cpdf_streamcontentparser.cpp
[modify] https://crrev.com/ef81390393ef5fed1ba168cff081d459eed9f260/core/fpdfapi/page/cpdf_meshstream.h
[modify] https://crrev.com/ef81390393ef5fed1ba168cff081d459eed9f260/core/fpdfapi/render/cpdf_renderstatus.cpp
[modify] https://crrev.com/ef81390393ef5fed1ba168cff081d459eed9f260/core/fpdfapi/page/cpdf_meshstream.cpp
Mar 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/64816da615023d3bb69a30562d7a27fa10da31c2

commit 64816da615023d3bb69a30562d7a27fa10da31c2
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Mar 01 18:25:16 2017

Roll src/third_party/pdfium/ d1aee7ce4..ef8139039 (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/d1aee7ce4738..ef81390393ef

$ git log d1aee7ce4..ef8139039 --date=short --no-merges --format='%ad %ae %s'
2017-03-01 thestig Fix infinite loops in CPDF_MeshStream.
2017-02-28 npm LibOpenJPEG upstream: check size in opj_j2k_read_siz

Created with:
roll-dep src/third_party/pdfium

BUG=690501,694042

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2723093003
Cr-Commit-Position: refs/heads/master@{#453976}

[modify] https://crrev.com/64816da615023d3bb69a30562d7a27fa10da31c2/DEPS