
Issue 718503


Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 62400




ASSERT: pBuffer && iLength > 0

Project Member Reported by ClusterFuzz, May 4 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5865013129773056

Fuzzer: libfuzzer_pdf_xml_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  pBuffer && iLength > 0
  UTF16ToWChar
  CFX_SeekableStreamProxy::ReadString
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=465929:466779

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5865013129773056


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: tsepez@chromium.org msrchandra@chromium.org
Labels: M-60 Test-Predator-Correct-CLs
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/283a0433b081f88275b2f7e8c04d3c41b9187ca6
Time: Thu Apr 20 14:11:21 2017 -0400
File cfx_seekablestreamproxy.cpp is changed in this cl (and is part of stack frame #9, ""; frame #10, "CFX_SeekableStreamProxy::ReadString")
Minimum distance from crash line to modified line: 59. (file: cfx_seekablestreamproxy.cpp, crashed on: 254, modified: 195). 

Author: Tom Sepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/aeee187c927c07f47a9e5886a417dcc58badefb6
Time: Thu Apr 20 14:31:18 2017 -0700
File cfx_xmlsyntaxparser.cpp is changed in this cl (and is part of stack frame #11, "CFX_XMLSyntaxParser::DoSyntaxParse")
Minimum distance from crash line to modified line: 68. (file: cfx_xmlsyntaxparser.cpp, crashed on: 144, modified: 76). 

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/cfb1944e245e20fe2ce0e94feebc06526db34fa1
Time: Thu Apr 20 13:13:04 2017 -0400
Files cfx_seekablestreamproxy.cpp, cfx_xmlsyntaxparser.cpp are changed in this cl (and are part of stack frame #9, ""; frame #10, "CFX_SeekableStreamProxy::ReadString")
Minimum distance from crash line to modified line: 72. (file: cfx_seekablestreamproxy.cpp, crashed on: 93, modified: 21).

@dsinclair -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Blocking: 62400
Labels: -M-60
XFA related code.
Components: Internals>Plugins>PDF
BTW, CF opened/closed this as bug 716953 previously.
Owner: thestig@chromium.org
Status: Started (was: Assigned)
https://pdfium-review.googlesource.com/11570, maybe
Project Member

Comment 6 by bugdroid1@chromium.org, Aug 22 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/39fa751f84bc226c22d65c2fc5e7d3615dfe5ddb

commit 39fa751f84bc226c22d65c2fc5e7d3615dfe5ddb
Author: Lei Zhang <thestig@chromium.org>
Date: Tue Aug 22 13:06:33 2017

Avoid an ASSERT failure in CFX_SeekableStreamProxy.

BUG= chromium:718503 

Change-Id: I6ff332c2ab5320d1b5f39a9aa1564e7e3e243cbe
Reviewed-on: https://pdfium-review.googlesource.com/11570
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/39fa751f84bc226c22d65c2fc5e7d3615dfe5ddb/core/fxcrt/cfx_seekablestreamproxy.cpp

Project Member

Comment 7 by bugdroid1@chromium.org, Aug 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d1b4461fda2d4c83e242cb721036112a10a8cd4f

commit d1b4461fda2d4c83e242cb721036112a10a8cd4f
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Tue Aug 22 16:20:32 2017

Roll src/third_party/pdfium/ bde6f35d2..39fa751f8 (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/bde6f35d285b..39fa751f84bc

$ git log bde6f35d2..39fa751f8 --date=short --no-merges --format='%ad %ae %s'
2017-08-21 thestig Avoid an ASSERT failure in CFX_SeekableStreamProxy.

Created with:
  roll-dep src/third_party/pdfium
BUG= 718503 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


TBR=dsinclair@chromium.org

Change-Id: I9c5c323bfeddcd9be2a8b037d3b7e5599dd1ea61
Reviewed-on: https://chromium-review.googlesource.com/626337
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#496323}
[modify] https://crrev.com/d1b4461fda2d4c83e242cb721036112a10a8cd4f/DEPS

Status: Fixed (was: Started)
Project Member

Comment 9 by ClusterFuzz, Aug 23 2017

ClusterFuzz has detected this issue as fixed in range 496288:496324.

Detailed report: https://clusterfuzz.com/testcase?key=5865013129773056

Fuzzer: libFuzzer_pdf_xml_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  pBuffer && iLength > 0
  UTF16ToWChar
  CFX_SeekableStreamProxy::ReadString
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=465929:466779
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=496288:496324

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5865013129773056

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Aug 23 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5865013129773056 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
