New issue
Advanced search Search tips

Issue 716526 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Stack-overflow in CXML_Parser::ParseElement

Project Member Reported by ClusterFuzz, Apr 28 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5622057896509440

Fuzzer: ifratric_pdf_generic
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff59528ed0
Crash State:
  CXML_Parser::ParseElement
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=352857:352959

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5622057896509440


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by shrike@chromium.org, Apr 28 2017

Components: Internals>Plugins>PDF
Labels: OS-Chrome OS-Linux OS-Windows
Owner: thestig@chromium.org
Status: Started (was: Untriaged)
https://pdfium-review.googlesource.com/c/4615/
Status: Fixed (was: Started)
Project Member

Comment 5 by bugdroid1@chromium.org, Apr 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7988a5c627d0f19ab14ccddfa532db52076c6ce5

commit 7988a5c627d0f19ab14ccddfa532db52076c6ce5
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Sat Apr 29 02:21:35 2017

Roll src/third_party/pdfium/ 3b91290ba..ce8e51e6c (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/3b91290ba31e..ce8e51e6c444

$ git log 3b91290ba..ce8e51e6c --date=short --no-merges --format='%ad %ae %s'
2017-04-28 rbpotter Fix rotations
2017-04-28 thestig Clean up private methods in CBC_C40Encoder.
2017-04-28 tsepez Remove some more |new|s, part 4.
2017-04-28 thestig Limit recursion in CXML_Parser::ParseElement().
2017-04-28 thestig Disallow CPDF_FormField with deep node trees.

Created with:
  roll-dep src/third_party/pdfium
BUG= 713197 , 716526 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


TBR=dsinclair@chromium.org

Change-Id: I81ccbaaacbb34cc9923714ca87841f2c756d6b3c
Reviewed-on: https://chromium-review.googlesource.com/490699
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#468212}
[modify] https://crrev.com/7988a5c627d0f19ab14ccddfa532db52076c6ce5/DEPS

Project Member

Comment 6 by ClusterFuzz, Apr 29 2017

ClusterFuzz has detected this issue as fixed in range 468207:468214.

Detailed report: https://clusterfuzz.com/testcase?key=5622057896509440

Fuzzer: ifratric_pdf_generic
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff59528ed0
Crash State:
  CXML_Parser::ParseElement
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=352857:352959
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=468207:468214

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5622057896509440


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment