Undefined-shift in CFX_BitStream::GetBits
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6128384259391488

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadSharedObjHintTable
  HintTableForFuzzing::Fuzz

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6128384259391488

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/486f141ed1fa5b92f59d403c4b549ede2ea1a2c8

commit 486f141ed1fa5b92f59d403c4b549ede2ea1a2c8
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Mon May 08 18:38:02 2017

Check bits to decode will fit before decoding

When decoding the CPDF_HintTable we read the dwDeltaGroupLen value out of
the input stream which is a 16-bit number. That value is then passed in to
read a uint32_t of the object number. If we have a group length of > 32
bits we'll cause an undefined shift when we attempt to shift right more
than 32 bits.

This CL bails out early if the dwDeltaGroupLen value is > 32 in order to
stop the undefined shifts.

Bug: chromium:718505
Change-Id: I919d6f4cd19826094a5e44d3a65d758029f5c236
Reviewed-on: https://pdfium-review.googlesource.com/5090
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/486f141ed1fa5b92f59d403c4b549ede2ea1a2c8/core/fpdfapi/parser/cpdf_hint_tables.cpp
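The check the commit describes, as an added example that is not pdfium's code: a simplified MSB-first bit reader (BitReader, an assumption standing in for the role CFX_BitStream plays in the report) and a parser that reads a 16-bit group length and then an object number of that many bits, modelled on the dwDeltaGroupLen handling above. The entry layout, the Status/Entry types and the sample byte strings are constructed for illustration; the real shared-object hint table carries more fields than this. The point is the ordering: the 16-bit length is validated against the 32-bit reader's capacity before it is ever used as a shift width.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified MSB-first bit reader. An assumption standing in for the role
// CFX_BitStream plays in the report; it is not pdfium's code.
class BitReader {
 public:
  BitReader(const uint8_t* data, size_t len)
      : data_(data), total_bits_(len * 8), pos_(0) {}

  size_t BitsLeft() const { return total_bits_ - pos_; }

  // Precondition: 1 <= nbits <= 32 and nbits <= BitsLeft(). The accumulator
  // is 32 bits wide, so a wider request cannot be represented; a reader that
  // shifts a 32-bit value by nbits (or by 32 - nbits) with nbits > 32 makes an
  // undefined shift, which is the class of bug UBSan flagged in GetBits.
  // Callers must validate nbits before reaching this point.
  uint32_t GetBits(uint32_t nbits) {
    uint32_t result = 0;
    uint32_t got = 0;
    while (got < nbits) {
      size_t byte = pos_ / 8;
      uint32_t off = static_cast<uint32_t>(pos_ % 8);
      uint32_t take = 8 - off;
      if (take > nbits - got) take = nbits - got;
      // Shift amounts below are at most 8, so these shifts are always defined.
      uint32_t chunk = (data_[byte] >> (8 - off - take)) & ((1u << take) - 1);
      result = (result << take) | chunk;
      pos_ += take;
      got += take;
    }
    return result;
  }

 private:
  const uint8_t* data_;
  size_t total_bits_;
  size_t pos_;
};

enum Status { kOk, kTruncated, kBadWidth };
struct Entry {
  Status status;
  uint32_t obj_num;
};

// Constructed entry layout for the example (not the PDF hint-table spec):
// a 16-bit group length followed by one object number of that many bits.
// Mirrors the fix in the commit: reject a width the 32-bit reader cannot
// honour before handing it to GetBits, instead of discovering it as UB.
Entry ParseEntry(const std::vector<uint8_t>& in) {
  BitReader r(in.data(), in.size());
  if (r.BitsLeft() < 16) return {kTruncated, 0};
  uint32_t group_len = r.GetBits(16);  // attacker-controlled, range 0..65535
  if (group_len == 0 || group_len > 32) return {kBadWidth, 0};
  if (r.BitsLeft() < group_len) return {kTruncated, 0};
  return {kOk, r.GetBits(group_len)};
}

int main() {
  // Constructed inputs: a 16-bit object number, a 32-bit one at the limit,
  // a 40-bit width a 32-bit reader cannot honour, and a truncated stream.
  const std::vector<std::vector<uint8_t>> samples = {
      {0x00, 0x10, 0xAB, 0xCD},
      {0x00, 0x20, 0xDE, 0xAD, 0xBE, 0xEF},
      {0x00, 0x28, 0x01, 0x02, 0x03, 0x04, 0x05},
      {0x00, 0x08},
  };
  for (const auto& s : samples) {
    Entry e = ParseEntry(s);
    std::printf("status=%d obj_num=0x%08X\n", e.status, e.obj_num);
  }
  return 0;
}
```

The width check is against the reader's word size (32), not merely against zero or against the bytes remaining: a stream can have plenty of bytes left and still request a width no 32-bit accumulator can deliver, and that is the case the fuzzer found. The separate BitsLeft() check covers the other failure mode, a truncated stream.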
May 9 2017

ClusterFuzz has detected this issue as fixed in range 470053:470151.

Detailed report: https://clusterfuzz.com/testcase?key=6128384259391488

Fuzzer: libfuzzer_pdf_hint_table_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  CFX_BitStream::GetBits
  CPDF_HintTables::ReadSharedObjHintTable
  HintTableForFuzzing::Fuzz

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=470053:470151

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6128384259391488

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, May 5 2017
Components: Infra>Git
Labels: Test-Predator-Wrong-CLs M-58
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)