Issue metadata

Heap-use-after-free in CFX_FaceCache::~CFX_FaceCache
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5521449174695936
Fuzzer: anil_pdf_fuzzer
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x608000011fa0
Crash State:
  CFX_FaceCache::~CFX_FaceCache
  CFX_Font::DeleteFace
  CFX_Font::~CFX_Font
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=481531:481564
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5521449174695936
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 23 2017
,
Jun 23 2017
,
Jun 23 2017
,
Jun 23 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 23 2017
,
Jun 26 2017
,
Jun 27 2017
ClusterFuzz has detected this issue as fixed in range 482264:482277.

Detailed report: https://clusterfuzz.com/testcase?key=5521449174695936
Fuzzer: anil_pdf_fuzzer
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x608000011fa0
Crash State:
  CFX_FaceCache::~CFX_FaceCache
  CFX_Font::DeleteFace
  CFX_Font::~CFX_Font
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=481531:481564
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=482264:482277
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5521449174695936
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 27 2017
ClusterFuzz testcase 5521449174695936 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 27 2017
Candidate for Reward?
,
Jun 27 2017
,
Jun 27 2017
Reopening. "Fixed" because we turned off Skia paths. No idea about rewards.
,
Jun 30 2017
,
Jun 30 2017
This edit fixes the fuzzer case; not sure if it is correct:
diff --git a/core/fxge/ge/cfx_facecache.cpp b/core/fxge/ge/cfx_facecache.cpp
index 6049729..f7ba844 100644
--- a/core/fxge/ge/cfx_facecache.cpp
+++ b/core/fxge/ge/cfx_facecache.cpp
@@ -358,10 +358,10 @@ const CFX_GlyphBitmap* CFX_FaceCache::LoadGlyphBitmap(const CFX_Font* pFont,
#if defined _SKIA_SUPPORT_ || defined _SKIA_SUPPORT_PATHS_
CFX_TypeFace* CFX_FaceCache::GetDeviceCache(const CFX_Font* pFont) {
if (!m_pTypeface) {
- m_pTypeface =
+ m_pTypeface = SafeRef(
SkTypeface::MakeFromStream(
new SkMemoryStream(pFont->GetFontData(), pFont->GetSize()))
- .release();
+ .release());
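Review bot: wrapping the released pointer in SafeRef(...) adds a second reference that nothing in this hunk ever drops, so the typeface is never destroyed and the read in ~CFX_FaceCache lands on a still-live object; that silences the ASan report without changing who owns the pointer. The original `.release()` already transfers the single reference to m_pTypeface, so whoever owns m_pTypeface must unref it exactly once; if the destructor is touching a face that some other path has already freed, the fix belongs in that ownership, not in an extra ref(). Note also that the hunk stops at `.release());` with no trailing context, so the closing of the `if` and of GetDeviceCache is not shown and the patch as pasted is incomplete.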
,
Jul 3 2017
Fixed?
,
Jul 5 2017
Re #15: the current code doesn't show the bug because the feature is turned off as mentioned in #12. With the feature enabled, the edit described in #14 hides but does not fix the bug. A CL out for review https://pdfium-review.googlesource.com/c/6914 fixes the bug but violates checkdeps rules.
,
Jul 6 2017
I believe this should be possible to fix by just releasing the unowned ptr. If this is a Probe issue it isn't a security issue as it only happens in ASAN builds and is to detect coding flaws.
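To make the ownership point of #15 and #16 concrete, the following is an added, self-contained C++ illustration; it is not pdfium or Skia code and does not claim to reproduce the actual pdfium fault. The Typeface, sp and FaceCacheRaw types are hypothetical stand-ins for SkTypeface, sk_sp and CFX_FaceCache, and they assume only two real Skia semantics visible in the hunk above: sk_sp::release() hands the caller the reference without dropping it, and SafeRef() increments the count and returns the same raw pointer. The first two functions show why a SafeRef() around release() makes an ASan report disappear (the object is simply never freed); the last two show the generic shape of a destructor use-after-free from a shared raw pointer and the balanced alternative where every holder keeps its own reference.

```cpp
#include <cstdio>

// Hypothetical, instrumented stand-ins for SkRefCnt / sk_sp / SafeRef.
// Not Skia's or pdfium's code; only the ref/unref/release/SafeRef semantics are modelled.
static int g_live_typefaces = 0;

struct Typeface {
    int refcnt = 1;                       // a freshly made object carries one reference
    Typeface() { ++g_live_typefaces; }
    ~Typeface() { --g_live_typefaces; }
    void ref() { ++refcnt; }
    void unref() { if (--refcnt == 0) delete this; }
};

// Same shape as Skia's SafeRef: bump the count, return the same raw pointer.
template <typename T>
T* SafeRef(T* obj) { if (obj) obj->ref(); return obj; }

// Owning pointer in the style of sk_sp: release() hands the reference to the caller.
template <typename T>
class sp {
 public:
    explicit sp(T* p = nullptr) : p_(p) {}
    sp(const sp&) = delete;
    sp& operator=(const sp&) = delete;
    ~sp() { if (p_) p_->unref(); }
    T* release() { T* p = p_; p_ = nullptr; return p; }
 private:
    T* p_;
};

sp<Typeface> MakeTypeface() { return sp<Typeface>(new Typeface()); }

// Cache that stores the raw pointer the way the hunk does (MakeFromStream(...).release()).
struct FaceCacheRaw {
    Typeface* typeface = nullptr;
    ~FaceCacheRaw() { if (typeface) typeface->unref(); }
};

// 1. release() then exactly one unref in the destructor: balanced, object freed.
int LiveAfterBalancedRelease() {
    { FaceCacheRaw cache; cache.typeface = MakeTypeface().release(); }
    return g_live_typefaces;   // 0
}

// 2. SafeRef(release()) as in the proposed edit: count starts at 2, one unref leaves 1,
//    the object is never freed. ASan goes quiet because nothing is freed, not because
//    ownership was fixed.
int LiveAfterSafeRefRelease() {
    Typeface* leaked = nullptr;
    {
        FaceCacheRaw cache;
        cache.typeface = SafeRef(MakeTypeface().release());
        leaked = cache.typeface;
    }
    int live = g_live_typefaces;   // 1
    leaked->unref();               // drop the leaked reference so later checks start at zero
    return live;
}

// 3. Generic shape of a destructor use-after-free: two holders, one owned reference.
//    Returns true if the second holder still points at an object that is already gone.
bool DanglingAfterSharedRawPointer() {
    Typeface* raw = MakeTypeface().release();
    FaceCacheRaw* a = new FaceCacheRaw{raw};
    FaceCacheRaw* b = new FaceCacheRaw{raw};   // b never took a reference of its own
    delete a;                                   // refcnt 1 -> 0, object freed
    bool dangling = (b->typeface != nullptr) && (g_live_typefaces == 0);
    b->typeface = nullptr;                      // defuse; ~FaceCacheRaw would otherwise unref freed memory
    delete b;
    return dangling;
}

// 4. Balanced alternative: each holder owns one reference, so the last holder frees exactly once.
bool NoDanglingWithOwnRefs() {
    Typeface* raw = MakeTypeface().release();
    FaceCacheRaw* a = new FaceCacheRaw{raw};
    FaceCacheRaw* b = new FaceCacheRaw{SafeRef(raw)};   // b holds its own reference
    delete a;                                           // refcnt 2 -> 1, still live
    bool still_live = (g_live_typefaces == 1);
    delete b;                                           // refcnt 1 -> 0, freed once
    return still_live && g_live_typefaces == 0;
}

int main() {
    std::printf("balanced release, live after: %d\n", LiveAfterBalancedRelease());
    std::printf("SafeRef(release()), live after: %d\n", LiveAfterSafeRefRelease());
    std::printf("shared raw pointer dangles: %d\n", DanglingAfterSharedRawPointer());
    std::printf("own refs per holder, clean: %d\n", NoDanglingWithOwnRefs());
    return 0;
}
```

The second function is the interesting one for this thread: the only difference from the first is the SafeRef() wrapper, and the only observable effect is that the typeface outlives every holder. That is the sense in which #15 says the edit hides rather than fixes the bug; the fourth function shows what a balanced ownership arrangement looks like without a leaked reference.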
,
Jul 10 2017
Removing RB-Stable as Skia paths were disabled.
,
Jul 10 2017
Relanded Cary's fix as the correct one.
,
Jul 13 2017
Since the bug is fixed, is this valid for reward?
,
Jul 13 2017
Adding reward-topanel to consider for a reward.
,
Jul 14 2017
,
Jul 31 2017
The panel looked at this, but I'm afraid it's not eligible since one of our internal fuzzers found it (see issue 737137). Sorry!
,
Aug 1 2017
I would like to draw your attention to the fact that my fuzzer found it on 22nd June, whereas the internal fuzzer found it on 27 June, and as per the rules mentioned in the Chrome reward program, I think the following qualifying condition is met: "#If you have a fuzzer running as part of our Chrome Fuzzer Program, you will not receive a reward if one of our fuzzers finds the same bug within 48 hours." Kindly let me know if I am missing anything here or any change in policy which I missed.
,
Aug 1 2017
Hi 41.w4r10r@ - thanks for that, I'll investigate.
,
Aug 8 2017
Sorry, the info about other fuzzers hitting this case was in the clusterfuzz report of that other bug, not the bug itself, which I believe you wouldn't have access to. Attached is the list of all the fuzzers that hit this case.
,
Aug 9 2017
Ohh ok. Got it :)
,
Oct 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jun 23 2017
Components: Internals>Plugins>PDF
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)