Detailed report: https://clusterfuzz.com/testcase?key=6299170848899072
Fuzzer: ifratric_pdf_generic
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  PDF_CreatorAppendObject
  PDF_CreatorAppendObject
  PDF_CreatorAppendObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=413791:414128
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96tX-RscQuNVIieH1EVRrEqnoK-Ocy6HhAjRJU9YAF-VyRJu34VcA5g2d74YkMHc0vBnOcR5ZGUtoeinFuw_DqgDVVus-bf2fM-DECHgr1ZwUzMGBOjBF7XW1ndvzCkqZTGKL76KdZhwJIsFG10L6Hsl97pM4Ho1fs9R0Ra0zbuYhmwcxrlCG50X6pGxScsGw8CbQ4D12tKLT--NZqQWsPIIFlvDnBG5EH-RpghxEefVkJlXkf5ptnfvF7NuP9JZku5oo1a2DJcrWiRON2ajdqpeOYoZ_Zz1FzJcLwNB4xDGpEs3kKXZuUSwkVoUOmFodZKjHt8EIqvV_lpv7dLanKkJZJOOAdSHIh0NXhsDT5I1VlBaf8_qMY8tlCd94c7jMwBzf1LiZIHvrNorQ8LfjTsfVVKyw?testcase_id=6299170848899072

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
PDFium roll has some CLs touching fpdf_edit_create.cpp.
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/6bdd824188bc9a2e6b24b5752a3170ce10185c1d

commit 6bdd824188bc9a2e6b24b5752a3170ce10185c1d
Author: Wei Li <weili@chromium.org>
Date: Thu Mar 23 17:05:05 2017

Fix two CloneNonCycle issues

CloneNonCycle() tries to detect cyclic object references without copying them. There are two issues:
-- for elements in an array or a dictionary, they should be able to refer to the same object, which is not cyclic;
-- for cyclically referenced elements in an array or a dictionary, do not clone the element at all. Having nullptr or <key, nullptr> as an element, like we did before, might cause a crash when the element is accessed.

BUG=chromium:701860
Change-Id: Id0304accde76ed06fa5ce640994c7628359600fb
Reviewed-on: https://pdfium-review.googlesource.com/3156
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[add] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/testing/resources/repeat_viewer_ref.in
[modify] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/fpdfsdk/fpdfppo_embeddertest.cpp
[modify] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/core/fpdfapi/parser/cpdf_array.cpp
[add] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/testing/resources/circular_viewer_ref.pdf
[add] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/testing/resources/repeat_viewer_ref.pdf
[add] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/testing/resources/circular_viewer_ref.in
[modify] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/core/fpdfapi/parser/cpdf_dictionary.cpp
[modify] https://crrev.com/6bdd824188bc9a2e6b24b5752a3170ce10185c1d/core/fpdfapi/parser/cpdf_object_unittest.cpp
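The two CloneNonCycle rules the commit above describes (shared references are not cycles; cyclic elements are omitted rather than left as nullptr), as an added example that is not PDFium's code. `Obj`, `NewObj`, `CloneNonCycle` and the two size helpers are hypothetical stand-ins for the real parser types.

```cpp
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>
// Minimal stand-in for PDFium's object model (hypothetical, not PDFium's types).
struct Obj {
  enum Kind { kLeaf, kArray, kDict } kind;
  std::vector<Obj*> array;                         // elements when kind == kArray
  std::vector<std::pair<std::string, Obj*>> dict;  // entries when kind == kDict
  explicit Obj(Kind k) : kind(k) {}
};

// One arena owns every object, so shared references are plain raw pointers.
Obj* NewObj(Obj::Kind kind) {
  static std::vector<std::unique_ptr<Obj>> arena;
  arena.push_back(std::make_unique<Obj>(kind));
  return arena.back().get();
}

// Deep-copy |src|. |path| holds the ancestors being cloned: a child already on it
// closes a cycle and is dropped (no nullptr stand-in); a merely shared child is cloned.
Obj* CloneNonCycle(const Obj* src, std::set<const Obj*>* path) {
  Obj* out = NewObj(src->kind);
  path->insert(src);
  for (const Obj* child : src->array)
    if (!path->count(child)) out->array.push_back(CloneNonCycle(child, path));
  for (const auto& kv : src->dict)
    if (!path->count(kv.second))
      out->dict.emplace_back(kv.first, CloneNonCycle(kv.second, path));
  path->erase(src);
  return out;
}

// Array [x, x]: the same object in two slots is not a cycle, so both survive.
size_t SharedRefCloneSize() {
  Obj* x = NewObj(Obj::kLeaf);
  Obj* arr = NewObj(Obj::kArray);
  arr->array = {x, x};
  std::set<const Obj*> path;
  return CloneNonCycle(arr, &path)->array.size();  // 2
}

// Dict {/Self -> itself}: the cyclic entry is omitted, leaving no entries at all.
size_t CyclicDictCloneSize() {
  Obj* d = NewObj(Obj::kDict);
  d->dict.emplace_back("Self", d);
  std::set<const Obj*> path;
  return CloneNonCycle(d, &path)->dict.size();  // 0
}
```

The pre-fix behaviour would have left a nullptr in the cyclic slot, which is what a later consumer such as the crash-state frame PDF_CreatorAppendObject would then dereference.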
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/98e2804af2b390fb59ca7c8cb3a79fd496d3fd1d

commit 98e2804af2b390fb59ca7c8cb3a79fd496d3fd1d
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Mar 23 19:52:22 2017

Roll src/third_party/pdfium/ 4650ded3d..704aad8ef (4 commits)

https://pdfium.googlesource.com/pdfium.git/+log/4650ded3dcce..704aad8efb32

$ git log 4650ded3d..704aad8ef --date=short --no-merges --format='%ad %ae %s'
2017-03-23 caryclark fix skia path debug
2017-03-23 dsinclair Cleanup some xfa/fxfa code.
2017-03-23 weili Fix two CloneNonCycle issues
2017-03-23 dsinclair Handle the Clip command list being empty

Created with: roll-dep src/third_party/pdfium

BUG=701860, 704442

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2770083002
Cr-Commit-Position: refs/heads/master@{#459187}

[modify] https://crrev.com/98e2804af2b390fb59ca7c8cb3a79fd496d3fd1d/DEPS
ClusterFuzz has detected this issue as fixed in range 458746:463137.

Detailed report: https://clusterfuzz.com/testcase?key=6299170848899072
Fuzzer: ifratric_pdf_generic
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  PDF_CreatorAppendObject
  PDF_CreatorAppendObject
  PDF_CreatorAppendObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=413791:414128
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96tX-RscQuNVIieH1EVRrEqnoK-Ocy6HhAjRJU9YAF-VyRJu34VcA5g2d74YkMHc0vBnOcR5ZGUtoeinFuw_DqgDVVus-bf2fM-DECHgr1ZwUzMGBOjBF7XW1ndvzCkqZTGKL76KdZhwJIsFG10L6Hsl97pM4Ho1fs9R0Ra0zbuYhmwcxrlCG50X6pGxScsGw8CbQ4D12tKLT--NZqQWsPIIFlvDnBG5EH-RpghxEefVkJlXkf5ptnfvF7NuP9JZku5oo1a2DJcrWiRON2ajdqpeOYoZ_Zz1FzJcLwNB4xDGpEs3kKXZuUSwkVoUOmFodZKjHt8EIqvV_lpv7dLanKkJZJOOAdSHIh0NXhsDT5I1VlBaf8_qMY8tlCd94c7jMwBzf1LiZIHvrNorQ8LfjTsfVVKyw?testcase_id=6299170848899072

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by rsesek@chromium.org, Mar 15 2017
Status: Assigned (was: Untriaged)