New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 735248 link

Starred by 1 user
Status: Fixed
Owner:
npm@chromium.org
Closed: Jul 2017
Cc:
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Abrt in FX_AllocOrDie

Project Member Reported by ClusterFuzz, Jun 20 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5961652989329408

Fuzzer: libFuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e90000312d
Crash State:
  FX_AllocOrDie
  DrawLatticeGouraudShading
  CPDF_RenderStatus::DrawShading
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=480767:480794

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5961652989329408


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by sandeepkumars@chromium.org, Jul 14 2017

Cc: msrchandra@chromium.org
Components: Internals>Plugins>PDF
Labels: M-61 Test-Predator-Correct-CLs
Owner: npm@chromium.org
Status: Assigned (was: Untriaged)
Assigning to concern owner from Predator results --
Regression information is not available. The result is the blame information

Author: Nico Weber
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/9d8ec5a6e37e8d1d4d4edca9040de234e2d4728f
Time: Tue Aug 04 13:00:21 2015 -0700
The CL last changed line 50 of file fx_memory.h, which is stack frame 1. 

Author: npm
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/483f3c485ac727cbf74c89e3912e5a4475d5f8f9
Time: Thu Nov 17 13:50:44 2016 -0800
The CL last changed line 537 of file cpdf_renderstatus.cpp, which is stack frame 2. 

Author: npm
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/483f3c485ac727cbf74c89e3912e5a4475d5f8f9
Time: Thu Nov 17 13:50:44 2016 -0800
The CL last changed line 2132 of file cpdf_renderstatus.cpp, which is stack frame 3. 

Author: npm
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/483f3c485ac727cbf74c89e3912e5a4475d5f8f9
Time: Thu Nov 17 13:50:44 2016 -0800
The CL last changed line 2180 of file cpdf_renderstatus.cpp, which is stack frame 4. 

Author: npm
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/483f3c485ac727cbf74c89e3912e5a4475d5f8f9
Time: Thu Nov 17 13:50:44 2016 -0800
The CL last changed line 2408 of file cpdf_renderstatus.cpp, which is stack frame 5. 

Author: npm
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/483f3c485ac727cbf74c89e3912e5a4475d5f8f9
Time: Thu Nov 17 13:50:44 2016 -0800
The CL last changed line 1296 of file cpdf_renderstatus.cpp, which is stack frame 6.

@npm -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You
Project Member

Comment 2 by bugdroid1@chromium.org, Jul 17 2017 

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/f768baf129fcafc4342193477e0c41c082ef5ca5

commit f768baf129fcafc4342193477e0c41c082ef5ca5
Author: Nicolas Pena <npm@chromium.org>
Date: Mon Jul 17 13:59:25 2017

Let CPDF_MeshStream::ReadVertexRow return a vector

In this CL, CPDF_MeshStream::ReadVertexRow returns a vector. The vector
size is not allocated in advance to prevent OOM attacks, since the size
is given as an input to the PDF.

Bug:  chromium:735248 
Change-Id: I3e2b020896f24715af5dfd9aa18768e6d64d6f76
Reviewed-on: https://pdfium-review.googlesource.com/7950
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/f768baf129fcafc4342193477e0c41c082ef5ca5/core/fpdfapi/page/cpdf_meshstream.h
[modify] https://crrev.com/f768baf129fcafc4342193477e0c41c082ef5ca5/core/fpdfapi/render/cpdf_renderstatus.cpp
[modify] https://crrev.com/f768baf129fcafc4342193477e0c41c082ef5ca5/core/fpdfapi/page/cpdf_meshstream.cpp

Comment 3 by npm@chromium.org, Jul 20 2017

Status: Fixed (was: Assigned)

Sign in to add a comment