Issue metadata
Crash in InvalidParameter - util::printd calling wcsftime
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4780847940239360
Fuzzer: ifratric_acrojs
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0xdc6fa780
Crash State:
  InvalidParameter
  util::printd
  JSMethod<class util,&util::printd
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=443500:443512
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4780847940239360
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 14 2017
tsepez, PTAL?
Jun 15 2017
Jun 15 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 15 2017
Jun 15 2017
Not sure if this is really a regression.
Jun 16 2017
Also, I think this is just an invalid parameter crash inside of win32 wcsftime(). Probably should have a Security_Severity level downgrade. I think all we have to do is replace the wcsftime() call with FXSYS_wcsftime(), which filters out the invalid parameters.
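The fix described in the comment above is to route the call through a wrapper that rejects out-of-range struct tm fields before the CRT sees them, since the MSVC runtime treats such fields as an invalid parameter and invokes the invalid-parameter handler (an abort under ASan). The following is an added illustration of that pattern, not PDFium's FXSYS_wcsftime; the field ranges checked are assumptions taken from the C standard's definition of struct tm, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <wchar.h>

/* Hypothetical range check: every struct tm field is confined to the
 * range the C standard defines for it. MSVC's wcsftime validates these
 * fields itself and treats a violation as an invalid parameter, so a
 * caller that forwards untrusted values (e.g. a date built from script
 * arguments) must reject them first. */
bool tm_fields_valid(const struct tm *t) {
  if (!t) return false;
  if (t->tm_year < 0) return false;                  /* years before 1900 */
  if (t->tm_mon < 0 || t->tm_mon > 11) return false;
  if (t->tm_mday < 1 || t->tm_mday > 31) return false;
  if (t->tm_hour < 0 || t->tm_hour > 23) return false;
  if (t->tm_min < 0 || t->tm_min > 59) return false;
  if (t->tm_sec < 0 || t->tm_sec > 60) return false; /* 60 admits a leap second */
  if (t->tm_wday < 0 || t->tm_wday > 6) return false;
  if (t->tm_yday < 0 || t->tm_yday > 365) return false;
  return true;
}

/* Hypothetical filtering wrapper: on an invalid tm or a missing buffer it
 * writes an empty string and returns 0 instead of calling the CRT. */
size_t safe_wcsftime(wchar_t *out, size_t n, const wchar_t *fmt,
                     const struct tm *t) {
  if (!out || n == 0) return 0;
  if (!fmt || !tm_fields_valid(t)) {
    out[0] = L'\0';
    return 0;
  }
  return wcsftime(out, n, fmt, t);
}

/* Helper to build a struct tm from constructed year/month/day values
 * (tm_year is years since 1900, tm_mon is zero-based). */
struct tm make_tm(int tm_year, int tm_mon, int tm_mday) {
  struct tm t;
  memset(&t, 0, sizeof t);
  t.tm_year = tm_year;
  t.tm_mon = tm_mon;
  t.tm_mday = tm_mday;
  return t;
}

int main(void) {
  wchar_t buf[32];
  /* Constructed inputs: a well-formed date and one with month 13. */
  struct tm good = make_tm(117, 5, 16);
  struct tm bad = make_tm(117, 13, 1);
  safe_wcsftime(buf, 32, L"%Y-%m-%d", &good);
  printf("valid tm   -> \"%ls\"\n", buf);
  safe_wcsftime(buf, 32, L"%Y-%m-%d", &bad);
  printf("invalid tm -> \"%ls\" (rejected before reaching the CRT)\n", buf);
  return 0;
}
```

The important property is that the wrapper fails closed: an out-of-range field produces an empty result rather than reaching a CRT entry point whose behaviour on bad input is to abort the process.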
Jun 16 2017
ClusterFuzz has detected this issue as fixed in range 479886:479921.
Detailed report: https://clusterfuzz.com/testcase?key=4780847940239360
Fuzzer: ifratric_acrojs
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0xdc6fa780
Crash State:
  InvalidParameter
  util::printd
  JSMethod<class util,&util::printd
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=443500:443512
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=479886:479921
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4780847940239360
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 16 2017
But I haven't even fixed it yet?! https://pdfium-review.googlesource.com/6671
Jun 16 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/2bf942d8c21b653efdfdcae681769cffbfaa0663

commit 2bf942d8c21b653efdfdcae681769cffbfaa0663
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Jun 16 20:59:51 2017

Avoid a crash inside wcsftime() on Windows.

BUG= chromium:733245
Change-Id: Ic9347e2cc245831c0b71fac1d531c33c5646ab3f
Reviewed-on: https://pdfium-review.googlesource.com/6671
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/2bf942d8c21b653efdfdcae681769cffbfaa0663/core/fxcrt/fx_system.cpp
[modify] https://crrev.com/2bf942d8c21b653efdfdcae681769cffbfaa0663/fpdfsdk/javascript/util.cpp
[modify] https://crrev.com/2bf942d8c21b653efdfdcae681769cffbfaa0663/testing/resources/javascript/util_printd_expected.txt
[modify] https://crrev.com/2bf942d8c21b653efdfdcae681769cffbfaa0663/core/fxcrt/fx_system_unittest.cpp
[modify] https://crrev.com/2bf942d8c21b653efdfdcae681769cffbfaa0663/testing/resources/javascript/util_printd.in
Jun 16 2017
Jun 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/492b1b382fb87f6a423ed08aab67833f2421b8e4

commit 492b1b382fb87f6a423ed08aab67833f2421b8e4
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Sat Jun 17 00:39:38 2017

Roll src/third_party/pdfium/ 1e25e1228..2bf942d8c (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/1e25e122849b..2bf942d8c21b

$ git log 1e25e1228..2bf942d8c --date=short --no-merges --format='%ad %ae %s'
2017-06-16 thestig Avoid a crash inside wcsftime() on Windows.

Created with:
  roll-dep src/third_party/pdfium

BUG= 733245

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: Idef6a3a3f2bb27b134e1608a671b3b1173287231
Reviewed-on: https://chromium-review.googlesource.com/538999
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#480243}

[modify] https://crrev.com/492b1b382fb87f6a423ed08aab67833f2421b8e4/DEPS
Jun 17 2017
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Sep 23 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jun 14 2017
Summary: Crash in InvalidParameter - util::printd calling wcsftime (was: Crash in InvalidParameter)