
Issue 718504 link


Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Out-of-memory in pdf_codec_icc_fuzzer

Project Member Reported by ClusterFuzz, May 4 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5969862804635648

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  pdf_codec_icc_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=468569:468582

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5969862804635648


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: msrchandra@chromium.org
Labels: M-60 Test-Predator-Wrong
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file "pdf_codec_icc_fuzzer", assigning to the concerned owner who might be related.

@dsinclair -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank you.
Components: Internals>Plugins>PDF
Comment 3 by bugdroid1@chromium.org (Project Member), May 8 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/852fb12d554abbbda65bbbf3720117a0aad5a9c9

commit 852fb12d554abbbda65bbbf3720117a0aad5a9c9
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Mon May 08 18:50:02 2017

[lcms] Verify enough data to service request before allocating

If the count of items is large enough, there may not be enough data in
the file to read. This CL verifies we'll have enough data before
attempting to allocate the memory to store the results.

Bug: chromium:718504
Change-Id: I82e7df3511e529c4bd72a772e9d6e607a0615927
Reviewed-on: https://pdfium-review.googlesource.com/5110
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[add] https://crrev.com/852fb12d554abbbda65bbbf3720117a0aad5a9c9/third_party/lcms2-2.6/0018-verify-size-before-reading.patch
[modify] https://crrev.com/852fb12d554abbbda65bbbf3720117a0aad5a9c9/third_party/lcms2-2.6/README.pdfium
[modify] https://crrev.com/852fb12d554abbbda65bbbf3720117a0aad5a9c9/third_party/lcms2-2.6/src/cmstypes.c
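The pattern the commit above describes (check that the remaining payload can hold count × element size before allocating) as an added C example; this is not pdfium's or lcms's code, and the TagReader type, the count-then-uint16 layout and the sample buffers are constructed for illustration:

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-in for the stream lcms reads an ICC tag from: a byte
   buffer plus a cursor, so the number of bytes remaining is always known. */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} TagReader;
static int read_u32_be(TagReader *r, uint32_t *out) {
    const uint8_t *p;
    if (r->size - r->pos < 4) return 0;
    p = r->data + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    r->pos += 4;
    return 1;
}
/* Reads a 32-bit element count followed by that many big-endian 16-bit
   values. Returns the count on success (*out owns the malloc'd array, or is
   NULL when count is 0) or -1 if the payload is malformed. */
static long read_u16_array(TagReader *r, uint16_t **out) {
    uint32_t count, i;
    size_t remaining;
    uint16_t *arr;
    *out = NULL;
    if (!read_u32_be(r, &count)) return -1;
    /* The check the commit adds: without it, malloc(count * 2) runs on a
       count taken straight from a tiny file, which is the multi-GB
       allocation ClusterFuzz reported. Dividing avoids size_t overflow. */
    remaining = r->size - r->pos;
    if ((size_t)count > remaining / sizeof(uint16_t)) return -1;
    if (count == 0) return 0;
    arr = malloc((size_t)count * sizeof(uint16_t));
    if (arr == NULL) return -1;
    for (i = 0; i < count; i++) {
        arr[i] = (uint16_t)((r->data[r->pos] << 8) | r->data[r->pos + 1]);
        r->pos += 2;
    }
    *out = arr;
    return (long)count;
}
/* Convenience wrapper: parse a whole payload buffer from offset 0. */
long parse_u16_array_payload(const uint8_t *buf, size_t len, uint16_t **out) {
    TagReader r = { buf, len, 0 };
    return read_u16_array(&r, out);
}
```

A rejected input costs only the bounds comparison; no allocation happens until the data to fill it is known to be present.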

Status: Fixed (was: Assigned)
Comment 5 by ClusterFuzz (Project Member), May 9 2017

ClusterFuzz has detected this issue as fixed in range 470039:470149.

Detailed report: https://clusterfuzz.com/testcase?key=5969862804635648

Fuzzer: libfuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  pdf_codec_icc_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=468569:468582
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=470039:470149

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5969862804635648


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Upstream bug filed as: https://github.com/mm2/Little-CMS/issues/122
