Detailed report: https://clusterfuzz.com/testcase?key=4792267882889216

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  IsSRGB()
  CPDF_ICCBasedCS::FindAlternateProfile
  CPDF_ICCBasedCS::v_Load

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=457280:457308

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv9461sB2TYsKNqcd6Q1-OnrOMkhx1SRDa8JafQVMFcg_Kbit9WLGbsnHLQE3Wzvo5RZV5swQM6M_p08Jx1mEy6cF5jFQzTtHSXcgQyqlQ7-HOSpYmjqFUK7nivdbiMG_7oSd-7X-dqsaVJ0h6KikmGF_mW2zICf2L-AkWsxsgHXa12h51fYw6kw31XCZELsl222yddbox907w_dtM6w25RcnM73e2b51PXidIWQigx1mXm0XS5aCyQwPooyjtn70FNoTu0hQf7G4MxSCzDXbAWFO0ftwdpBraWrOoeUN4zl9vv1UaRWnIN4xdnHgzifEQRz8ws-C7-oM9Dmhagx3EYPlgnYt2pvgIQ3dbzwcpymF9cnbBf-INaS5trpbrAE-PlkG0Bk5SgWSg89T3USffwxEMwGjIw?testcase_id=4792267882889216

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Author: Lei Zhang
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/a12159b17085796e2b72d2b49e850092e0b4e8b7
Time: Wed Mar 15 13:26:37 2017 -0700

Lines 361, 794-805, 813-815, 821-823, 828-831, 916-921 of file cpdf_colorspace.cpp which potentially caused crash are changed in this cl (frame #9, ""; frame #10, ""; frame #11, "CPDF_ColorSpace::Load").
Minimum distance from crash line to modified line: 0. (file: cpdf_colorspace.cpp, crashed on: 919, modified: 919).
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/ac6e2a059dbd74f6f9f1c216600496cfa5676387

commit ac6e2a059dbd74f6f9f1c216600496cfa5676387
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Mar 17 22:11:51 2017

Bring CPDF_ICCBasedCS closer to PDF spec.

The spec says the N dictionary field is required and must be set to a
valid value. Adjust the code based on this assertion.

BUG=pdfium:675, chromium:691967, chromium:702238

Change-Id: Iaa76fa0e16ce4aaa9822ad471668cbf8af5fb7cb
Reviewed-on: https://pdfium-review.googlesource.com/3112
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/ac6e2a059dbd74f6f9f1c216600496cfa5676387/core/fpdfapi/page/cpdf_colorspace.cpp
[modify] https://crrev.com/ac6e2a059dbd74f6f9f1c216600496cfa5676387/core/fpdfapi/page/pageint.h
[modify] https://crrev.com/ac6e2a059dbd74f6f9f1c216600496cfa5676387/core/fpdfapi/page/fpdf_page_colors.cpp
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3a77757bbeed5a9f744f68982fe6911c79227925

commit 3a77757bbeed5a9f744f68982fe6911c79227925
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Sat Mar 18 02:36:56 2017

Roll src/third_party/pdfium/ 7630907c7..85f019a8e (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/7630907c7ecb..85f019a8e7d3

$ git log 7630907c7..85f019a8e --date=short --no-merges --format='%ad %ae %s'
2017-03-17 thestig Add pdfium::clamp() as a placeholder for std::clamp().
2017-03-17 thestig Use std::vector in CPDF_StreamContentParser.
2017-03-17 thestig Bring CPDF_ICCBasedCS closer to PDF spec.
2017-03-17 tsepez Replace CLines class with std::vector<Cline>.
2017-03-17 npm HardClip points a bit better in fx_agg_driver

Created with:
  roll-dep src/third_party/pdfium

BUG=691967, 702238, 699982

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2756303003
Cr-Commit-Position: refs/heads/master@{#457932}

[modify] https://crrev.com/3a77757bbeed5a9f744f68982fe6911c79227925/DEPS
ClusterFuzz has detected this issue as fixed in range 457921:457941.

Detailed report: https://clusterfuzz.com/testcase?key=4792267882889216

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  IsSRGB()
  CPDF_ICCBasedCS::FindAlternateProfile
  CPDF_ICCBasedCS::v_Load

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=457280:457308
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=457921:457941

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv9461sB2TYsKNqcd6Q1-OnrOMkhx1SRDa8JafQVMFcg_Kbit9WLGbsnHLQE3Wzvo5RZV5swQM6M_p08Jx1mEy6cF5jFQzTtHSXcgQyqlQ7-HOSpYmjqFUK7nivdbiMG_7oSd-7X-dqsaVJ0h6KikmGF_mW2zICf2L-AkWsxsgHXa12h51fYw6kw31XCZELsl222yddbox907w_dtM6w25RcnM73e2b51PXidIWQigx1mXm0XS5aCyQwPooyjtn70FNoTu0hQf7G4MxSCzDXbAWFO0ftwdpBraWrOoeUN4zl9vv1UaRWnIN4xdnHgzifEQRz8ws-C7-oM9Dmhagx3EYPlgnYt2pvgIQ3dbzwcpymF9cnbBf-INaS5trpbrAE-PlkG0Bk5SgWSg89T3USffwxEMwGjIw?testcase_id=4792267882889216

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Mar 17 2017
Labels: Test-Predator-Correct-CLs M-59
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)