Issue 700764
Issue metadata

Status: Duplicate
Merged: issue 700576
Closed: Mar 2017
OS: Linux
Pri: 1
Type: Bug-Security

Blocking:
issue 62400

Bad-cast to CFX_DIBitmap from invalid vptr;_start

Reported by ClusterFuzz, Mar 12 2017

Issue description

Cc: tsepez@chromium.org
Components: Internals>Plugins>PDF
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Possibly similar to https://crbug.com/700576, except this one looks like the fuzzer itself is hitting the bad cast (not within the code being fuzzed)?

Comment 2 by sheriffbot@chromium.org, Mar 13 2017

Labels: M-57

Comment 3 by sheriffbot@chromium.org, Mar 13 2017

Labels: Pri-1
Blocking: 62400
Labels: -Security_Impact-Stable -M-57 Security_Impact-None
XFA is not enabled on any branch of chromium.

Comment 5 by ClusterFuzz, Mar 15 2017

ClusterFuzz has detected this issue as fixed in range 456940:456984.

Detailed report: https://clusterfuzz.com/testcase?key=4798231956684800

Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000002cd4a00
Crash State:
  Bad-cast to CFX_DIBitmap from invalid vptr
  _start
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=434175:434379
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=456940:456984

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96pvrnThgatcvTzJ9_NdkjWbWsYsE1GLzN7yV-8b63_8ycWC5FRNcTciXFHBYqorpnmFVS-DVLgCgUE4EPtg496PsOuhhvComMWMYLhH5iubX_jrLrTlCDwxfP2pxXzPnRWTAUBsiJhA47U6oZnv99L7GSejWLMjYSH62wdwoTgg0UUfcyGcW7APh3EWlz32hxrb_XACvI5g_fIoocKWyRGk4RRzfRYyzZFrSn7gz1QkPgutI26TJze_fJYQxGhM2hp8gpjmvyvUux4s0f2O6zu_3k81VKor7rbDO9uyNGnHkSqRO4SeW3mSAc4jTXIA0T4E5ESYzV8r1CHjmfpRdU6iVh2ApKivnQb4RPKvrP8QKh88lI?testcase_id=4798231956684800


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
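The crash state above ("Bad-cast to CFX_DIBitmap from invalid vptr", Sanitizer: undefined) is what UBSan's vptr check emits when code downcasts a polymorphic pointer to a type the object is not: the vtable pointer at the object's start does not match the target class. The following is an added illustration, not PDFium or ClusterFuzz code; the class names DIBSource, DIBitmap and DIBExtractor are hypothetical stand-ins for a bitmap hierarchy, chosen only to show the unchecked pattern UBSan flags beside the checked alternative that fails closed.

```cpp
// Added example (not PDFium code): the downcast pattern UBSan reports as
// "Bad-cast to <T> from invalid vptr", and a checked alternative.
// Build with:  clang++ -std=c++17 -g -fsanitize=undefined -fno-sanitize-recover=all bad_cast.cpp
// (-fsanitize=vptr is part of the "undefined" group and needs RTTI, which is on by default.)
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

struct DIBSource {                      // polymorphic base: first word is the vptr
  virtual ~DIBSource() = default;
  virtual int Width() const = 0;
};

struct DIBitmap : DIBSource {           // hypothetical concrete bitmap owning pixels
  int width = 0;
  std::vector<uint8_t> pixels;
  explicit DIBitmap(int w) : width(w), pixels(static_cast<size_t>(w) * 4) {}
  int Width() const override { return width; }
};

struct DIBExtractor : DIBSource {       // hypothetical sibling with a different layout
  int scale = 1;
  int Width() const override { return 0; }
};

// Unchecked downcast. If src really points at a DIBExtractor, its vptr is not
// DIBitmap's; -fsanitize=vptr reports a bad-cast here, and without the sanitizer
// the read of bmp->width silently lands on DIBExtractor::scale (type confusion).
int WidthUnchecked(DIBSource* src) {
  auto* bmp = static_cast<DIBitmap*>(src);   // the pattern UBSan flags
  return bmp->width;
}

// Checked downcast: dynamic_cast consults RTTI and yields nullptr on mismatch,
// so the caller can fail closed instead of dereferencing a confused pointer.
int WidthChecked(DIBSource* src) {
  auto* bmp = dynamic_cast<DIBitmap*>(src);
  return bmp ? bmp->width : -1;
}

// Runs the checked path against both object kinds behind a base pointer and
// returns {width of the real bitmap, result for the wrong type}.
std::pair<int, int> RunChecked() {
  DIBitmap bmp(640);
  DIBExtractor other;
  return {WidthChecked(&bmp), WidthChecked(&other)};
}

// The unchecked cast is fine when the dynamic type really is DIBitmap; this
// returns that width so the well-typed case can be exercised without UB.
int UncheckedOnRealBitmap() {
  DIBitmap bmp(320);
  return WidthUnchecked(&bmp);
}

int main() {
  std::pair<int, int> r = RunChecked();
  std::printf("checked: real=%d wrong-type=%d\n", r.first, r.second);
  std::printf("unchecked on real bitmap: %d\n", UncheckedOnRealBitmap());
  // Uncomment to watch UBSan fire; this call is undefined behaviour on purpose.
  // DIBExtractor other; std::printf("%d\n", WidthUnchecked(&other));
  return 0;
}
```

A vptr report only says the cast was wrong, not which side is to blame; as the triage comment above notes, the cast may sit in the fuzzer harness rather than the codec, so the first step is to read the stack for the frame that performed the static_cast and check what that pointer was constructed as.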

Comment 6 by ClusterFuzz, Mar 15 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4798231956684800 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by sheriffbot@chromium.org, Mar 15 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Mergedinto: 700576
Status: Duplicate (was: Verified)

Comment 9 by sheriffbot@chromium.org, Jun 22 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot