Heap-use-after-free in CPWL_Wnd::Destroy
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4515784671100928

Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x61300018b4c0
Crash State:
  CPWL_Wnd::Destroy
  CPWL_Wnd::Destroy
  CFFL_FormFiller::DestroyWindows

Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4515784671100928

Issue manually filed by: tsepez

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 2 2017
This one should be pretty easy to fix but I won't get a shot till late June. In the meantime, I think all that has to happen is the assignment to m_pVScrollBar at https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/pdfwindow/PWL_Wnd.cpp?rcl=1d95c68f912102dfda5d6e9ad7ca79411cda5900&l=272 needs to move up to line 256, since the scrollbar is likely one of the children about to be bashed in the subsequent lines.
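The ordering problem the comment above describes, as an added illustration that is not PDFium's code: a parent window owns its children but also keeps an unowned pointer to one of them, and nulling that pointer only after the children are freed leaves a window in which the pointer is dangling. The live-address registry is a constructed device so the buggy ordering can be reported without dereferencing freed memory; all names are hypothetical.

```cpp
#include <cstdint>
#include <memory>
#include <set>
#include <vector>

// Constructed illustration of the dangling-child-pointer pattern; not PDFium code.
// Registry of live window addresses, used only so the example can detect the
// buggy ordering without touching freed memory.
static std::set<std::uintptr_t> g_live_windows;

class Wnd {
 public:
  Wnd() { g_live_windows.insert(reinterpret_cast<std::uintptr_t>(this)); }
  virtual ~Wnd() { g_live_windows.erase(reinterpret_cast<std::uintptr_t>(this)); }
  // The parent owns every child through m_Children.
  Wnd* AddChild(std::unique_ptr<Wnd> child) {
    Wnd* raw = child.get();
    m_Children.push_back(std::move(child));
    return raw;
  }
  // Unowned convenience pointer to one particular child (the scroll bar).
  void SetVScrollBar(Wnd* bar) { m_pVScrollBar = bar; }
  // Buggy ordering: children are freed first, the unowned pointer is nulled last.
  // Between those two steps m_pVScrollBar refers to freed memory; returns true if so.
  bool DestroyBuggy() {
    const std::uintptr_t bar = reinterpret_cast<std::uintptr_t>(m_pVScrollBar);
    m_Children.clear();  // deletes the scroll bar object
    const bool dangling = bar != 0 && g_live_windows.count(bar) == 0;
    // Real code touching m_pVScrollBar at this point is the heap-use-after-free.
    m_pVScrollBar = nullptr;
    return dangling;
  }
  // Fixed ordering: drop the unowned reference before the owner frees the object.
  bool DestroyFixed() {
    m_pVScrollBar = nullptr;  // cleared while the child is still alive
    m_Children.clear();
    return false;  // no window exists in which the pointer can dangle
  }

 private:
  std::vector<std::unique_ptr<Wnd>> m_Children;
  Wnd* m_pVScrollBar = nullptr;  // unowned; the object lives in m_Children
};

// Builds a parent with one scroll-bar child and runs the chosen Destroy ordering.
bool ScrollBarDanglesDuringDestroy(bool use_fixed_ordering) {
  Wnd parent;
  parent.SetVScrollBar(parent.AddChild(std::make_unique<Wnd>()));
  return use_fixed_ordering ? parent.DestroyFixed() : parent.DestroyBuggy();
}
```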
Jun 9 2017
https://pdfium-review.googlesource.com/c/6418/
Jun 13 2017
Above CL landed.
Jun 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e635c3f42d2634a3335fea3671efeb95b3b898da

commit e635c3f42d2634a3335fea3671efeb95b3b898da
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Tue Jun 13 19:01:54 2017

Roll src/third_party/pdfium/ d3b90ac1e..6500c6faf (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/d3b90ac1ee24..6500c6faf82f

$ git log d3b90ac1e..6500c6faf --date=short --no-merges --format='%ad %ae %s'
2017-06-13 npm Check validity of color indices in bmp_decode_rgb
2017-06-09 thestig Implement CPWL_ComboBox::OnDestroy() to manage unowned pointers.
2017-06-13 dsinclair Add CFGAS_FormatString helper to extract digits.
2017-06-09 hnakashima Converting CFX_ByteTextBuf to ostringstream in cpdf_pagecontentgenerator.
2017-06-09 hnakashima Converting CFX_ByteTextBuf to ostringstream in cpdf_syntax_parser.cpp.

Created with:
roll-dep src/third_party/pdfium

BUG= 729041

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I5ec0ed1fb45141f2523c87034f4691e6207f0db6
Reviewed-on: https://chromium-review.googlesource.com/533894
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#479087}
[modify] https://crrev.com/e635c3f42d2634a3335fea3671efeb95b3b898da/DEPS
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479057:479094.

Detailed report: https://clusterfuzz.com/testcase?key=4515784671100928

Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x61300018b4c0
Crash State:
  CPWL_Wnd::Destroy
  CPWL_Wnd::Destroy
  CFFL_FormFiller::DestroyWindows

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=476154:476189
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=479057:479094

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4515784671100928

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
Issue 733170 has been merged into this issue.
Sep 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Jun 2 2017
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)