Issue 708383

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security

Blocking:
issue 62400


Bad-cast to CFDE_XMLElement from CFDE_XMLNode;XFA_FDEExtension_ResolveNamespaceQualifier;GetElementTagNamespaceURI

Project Member Reported by ClusterFuzz, Apr 5 2017

Issue description

Cc: tsepez@chromium.org npm@chromium.org
Components: Internals>Plugins>PDF
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
+PDFium folks with changes in the ClusterFuzz blame area. None of the CLs there actually touched anything in the crash stack though, so hopefully you can shed more light on this.
Comment 2 by ClusterFuzz (Project Member), Apr 5 2017

ClusterFuzz has detected this issue as fixed in range 461873:461928.

Detailed report: https://clusterfuzz.com/testcase?key=5944525030948864

Fuzzer: libfuzzer_pdfium_xfa_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000005ef9950
Crash State:
  Bad-cast to CFDE_XMLElement from CFDE_XMLNode
  XFA_FDEExtension_ResolveNamespaceQualifier
  GetElementTagNamespaceURI
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=461821:461873
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=461873:461928

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95Hk4DsIVjDaIG-sySZYHslW8amgGQ7IWaX9MqHdKeey3oP_w6uYBdy-GTvM_eqOfrq3OpzQRgbbPmV-LE6bpVkOBnqc1R8ktK1U0wSO73ygWKXUCHIn3rKSlGie6Mu5TEYt6j3glW7-ang82d8kWEDinCFUcagFrJL1AfXAnZRC0Hmj_NE7IiaWIVYxT-t2Nxx4fdRaeudZpP7R1YMSqqbWzdE5Yl0_XlA2tOrTcVZ0ShR6rfLN0W2QMlof6MaxTPFCeRZuS2CiaFuqOjmxXw82tUnO_7X8xuoqD7dKReLdPLSPc9AElXiEB3mQ42TbIQxDMTbE7q1bOz163rGuq8CVTWVqVsEmU-39rNhRCMGbhNFDsID2JNIsPoL9N-HB37XWYiX0DmJh0QVBV9My0rlAaODJw?testcase_id=5944525030948864


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by ClusterFuzz (Project Member), Apr 5 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5944525030948864 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Blocking: 62400
Labels: -Security_Impact-Head ClusterFuzz-Wrong Security_Impact-None
Status: Assigned (was: Verified)
This is also XFA only, so removing the Security Impact. I have a feeling this one is flaky. I'll see if I can figure it out.
Labels: -Security_Severity-High Security_Severity-Low
https://cs.chromium.org/chromium/src/third_party/pdfium/xfa/fxfa/parser/cxfa_simple_parser.cpp?rcl=ed4705b4db1405a5abef99ad1b2725eee65fedf8&l=424 shows that we cast first, and check later.  These should be reversed, but non-exploitable.
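The cast-then-check ordering described in the comment above, shown next to the check-then-cast form it asks for, as an added C++ illustration that is not PDFium's code; XMLNode, XMLText, XMLElement and the two Resolve* functions are hypothetical stand-ins for CFDE_XMLNode / CFDE_XMLElement and the namespace resolver named in the crash state.

```cpp
#include <string>
#include <utility>

// Constructed stand-ins for PDFium's CFDE_XMLNode / CFDE_XMLElement
// (hypothetical; not the project's own classes).
enum class NodeType { kText, kElement };

class XMLNode {
 public:
  explicit XMLNode(NodeType type) : type_(type) {}
  virtual ~XMLNode() = default;
  NodeType GetType() const { return type_; }
 private:
  NodeType type_;
};

class XMLText : public XMLNode {
 public:
  XMLText() : XMLNode(NodeType::kText) {}
};

class XMLElement : public XMLNode {
 public:
  explicit XMLElement(std::string ns)
      : XMLNode(NodeType::kElement), ns_(std::move(ns)) {}
  const std::string& GetNamespaceURI() const { return ns_; }
 private:
  std::string ns_;
};

// Cast first, check later: the downcast executes for every node, so a text
// node reaching this path is exactly the bad-cast UBSan (-fsanitize=vptr)
// reports, even though the later check keeps the member from being read.
std::string ResolveNamespaceCastFirst(const XMLNode* node) {
  const XMLElement* elem = static_cast<const XMLElement*>(node);
  if (node->GetType() != NodeType::kElement)
    return "";
  return elem->GetNamespaceURI();
}

// Check first, cast later: the downcast only runs once the dynamic type is
// known to be an element, so no invalid cast happens for other node kinds.
std::string ResolveNamespaceCheckFirst(const XMLNode* node) {
  if (!node || node->GetType() != NodeType::kElement)
    return "";
  return static_cast<const XMLElement*>(node)->GetNamespaceURI();
}
```

Building with -fsanitize=undefined (vptr check enabled, as in the libfuzzer_chrome_ubsan job) flags the first function the moment a non-element node is passed; the second never performs the cast on such a node.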
Owner: tsepez@chromium.org
Status: Fixed (was: Assigned)
Comment 9 by sheriffbot@chromium.org (Project Member), Apr 6 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 10 by sheriffbot@chromium.org (Project Member), Jul 13 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.