Use-of-uninitialized-value in CPDF_PatchDrawer::Draw
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6258856994013184
Fuzzer: ifratric_pdf_generic
Job Type: linux_msan_pdfium
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CPDF_PatchDrawer::Draw
  CPDF_RenderStatus::DrawShading
  CPDF_RenderStatus::ProcessShading
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_pdfium&range=450401:450485
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95K22lnkImmIs2NSoZtOetltw0xXFQoesABdRAC3I-1R99pbrZ3A1cbFBdilUvjXJXSRotXoBlD2i5XIqn065Ad3BbHxR0D7syKrhOj2yrzbFXAzw1K-pXOch5U7w8bvQa2asdc04UoFw1mqlKt9n7pVTKCfC6uc5159RX44onwZCdt4exGtThPoLwButgh4z81_PzYrDxQrZE9c-4p3ledFA5hps5-2_Bn_Qj2yaTWLhp4eC85BlTCXzJCB3T-A0yJV_JU2IK2Dx3Y4Bl10U95huCmnq1kKEpOEKZntp6fK2zi4VyzFsgQVCPHLRBmwzlnzM8NYtM9gjfOovHLJ2m3otT-4ls4suSCx6s0QdZSOB4SN3Y?testcase_id=6258856994013184

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 21 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 21 2017
CPDF_MeshStream::ReadColor() doesn't check the result of the GetRGB function before returning and doesn't initialize the values passed into GetRGB. It appears that most implementations will set values unconditionally, but at least one doesn't:

bool CPDF_IndexedCS::GetRGB(float* pBuf, float* R, float* G, float* B) const {
  int index = static_cast<int32_t>(*pBuf);
  if (index < 0 || index > m_MaxIndex)
    return false;  // *R, *G, *B are left untouched on this path
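The interaction described in the comment above, modelled as an added example that is not pdfium's code: a stand-in IndexedCS::GetRGB that leaves its outputs untouched on a bad index, the pre-fix caller shape that hands uninitialized floats onward (the MSan finding), and a hardened caller that zero-initializes the outputs, as the fix does, and additionally surfaces the GetRGB result. All names and palette values are constructed.

```cpp
// Added example, not pdfium's code. Names and palette contents are constructed.
#include <array>
#include <vector>

// Models an Indexed colour space: a palette of RGB triples plus the
// highest valid index (the role m_MaxIndex plays in pdfium).
struct IndexedCS {
  std::vector<std::array<float, 3>> palette;
  int max_index = -1;

  // Same shape as CPDF_IndexedCS::GetRGB: on an out-of-range index it
  // returns false WITHOUT writing *R, *G, *B.
  bool GetRGB(const float* buf, float* R, float* G, float* B) const {
    int index = static_cast<int>(*buf);
    if (index < 0 || index > max_index)
      return false;
    *R = palette[index][0];
    *G = palette[index][1];
    *B = palette[index][2];
    return true;
  }
};

// Pre-fix caller shape (do not use): outputs start uninitialized and the
// bool result is dropped, so a bad index returns three garbage floats.
std::array<float, 3> ReadColorUnsafe(const IndexedCS& cs, float index) {
  float r, g, b;                   // never initialized
  cs.GetRGB(&index, &r, &g, &b);   // return value ignored
  return {r, g, b};                // uninitialized read on the false path
}

// Hardened caller: zero-initialize (what the fix does) and report failure
// so the renderer can reject the colour instead of painting with it.
bool ReadColorSafe(const IndexedCS& cs, float index, std::array<float, 3>* out) {
  float r = 0.0f, g = 0.0f, b = 0.0f;
  bool ok = cs.GetRGB(&index, &r, &g, &b);
  *out = {r, g, b};
  return ok;
}

// Constructed two-entry palette for demonstration.
IndexedCS MakeSamplePalette() {
  IndexedCS cs;
  cs.palette = {{0.1f, 0.2f, 0.3f}, {0.4f, 0.5f, 0.6f}};
  cs.max_index = 1;
  return cs;
}
```

Running ReadColorUnsafe under MemorySanitizer with an out-of-range index reproduces the class of report in this bug; ReadColorSafe yields (0, 0, 0) and false instead.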
Apr 21 2017
https://pdfium.googlesource.com/pdfium/+/940f559b985d4a742c21b21cb077a232e44dd289 is in the regression range and has changed CPDF_MeshStream::ReadColor(). dsinclair: Assigning to you as the author of that CL.
Apr 22 2017

Apr 24 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/302cd78d00c280cb212a5934a7a8293851e9650c

commit 302cd78d00c280cb212a5934a7a8293851e9650c
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Mon Apr 24 18:22:24 2017

Initialize colour values

The colour values returned from the ColorSpace GetRGB methods may not have set a value. This CL updates the CPDF_MeshStream to always initialize the values to 0 so they can't be used uninitialized.

Bug: chromium:714074
Change-Id: Id2db5eabe31d2ff19f9330b2bc5c681680cf461d
Reviewed-on: https://pdfium-review.googlesource.com/4450
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/302cd78d00c280cb212a5934a7a8293851e9650c/core/fpdfapi/page/cpdf_meshstream.cpp
Apr 24 2017
dsinclair: Thank you for the quick fix!
Apr 25 2017
ClusterFuzz has detected this issue as fixed in range 466717:466737.

Detailed report: https://clusterfuzz.com/testcase?key=6258856994013184
Fuzzer: ifratric_pdf_generic
Job Type: linux_msan_pdfium
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CPDF_PatchDrawer::Draw
  CPDF_RenderStatus::DrawShading
  CPDF_RenderStatus::ProcessShading
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_pdfium&range=450401:450485
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_pdfium&range=466717:466737
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6258856994013184

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 25 2017

Apr 26 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 26 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/640ce01e14c2e9b7b4ee3928988ff82eb230620e

commit 640ce01e14c2e9b7b4ee3928988ff82eb230620e
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Wed Apr 26 13:32:34 2017

[Merge M59] Initialize colour values

The colour values returned from the ColorSpace GetRGB methods may not have set a value. This CL updates the CPDF_MeshStream to always initialize the values to 0 so they can't be used uninitialized.

TBR=tsepez@chromium.org
Bug: chromium:714074
Change-Id: Id2db5eabe31d2ff19f9330b2bc5c681680cf461d
Reviewed-on: https://pdfium-review.googlesource.com/4450
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
(cherry picked from commit 302cd78d00c280cb212a5934a7a8293851e9650c)
Change-Id: Ieaa639ed65c0ff8e654d6559818c32ff770d49d7
Reviewed-on: https://pdfium-review.googlesource.com/4530
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/640ce01e14c2e9b7b4ee3928988ff82eb230620e/core/fpdfapi/page/cpdf_meshstream.cpp
Apr 26 2017

Aug 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot