Heap-buffer-overflow in chrome_pdf::PDFiumEngine::OnMouseUp
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5920051936100352
Fuzzer: ifratric_acrojs
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x0d32a19c
Crash State:
chrome_pdf::PDFiumEngine::OnMouseUp
chrome_pdf::PDFiumEngine::HandleEvent
chrome_pdf::OutOfProcessInstance::HandleInputEvent
Sanitizer: address (ASAN)
Recommended Security Severity: Low
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=482053:482102
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5920051936100352
Additional requirements: Requires Gestures

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 28 2017
Jun 28 2017
Clusterfuzz implicates https://chromium.googlesource.com/chromium/src/+/c32fae2601ea9890e50fa34caa8e80de1c007609

The OnMouseUp handler change doesn't seem to include this check, which is found in other methods that access this field:

if (last_page_mouse_down_ == -1) return false;
Jun 28 2017
I am currently working on making this change.
Jun 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ea6109f1b3034ec6557598194c72c2c3533a7aa5

commit ea6109f1b3034ec6557598194c72c2c3533a7aa5
Author: drgage <drgage@google.com>
Date: Wed Jun 28 20:58:16 2017

Fix bug where Chromium crashes in PDFiumEngine::OnMouseUp().

Chromium previously crashed when a user right clicked outside of a form text area, and then left clicked in the form text area. This was due to an out of bounds error. The fix is checking that |last_page_mouse_down_| is not -1 before trying to set the PDF plugin's selected text.

BUG=59266,737529
Review-Url: https://codereview.chromium.org/2960753002
Cr-Commit-Position: refs/heads/master@{#483133}

[modify] https://crrev.com/ea6109f1b3034ec6557598194c72c2c3533a7aa5/pdf/pdfium/pdfium_engine.cc
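The failing click sequence and the sentinel check described in the commit message, as a constructed C++ model added here (example code, not Chromium's): the Page layout, the Button enum, ReplayReportedSequence and the rule that the form layer consumes a left click inside its text area are all assumptions of this example, not facts from the report.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of the mouse-handling state behind this report (example
// code, not Chromium's); the form-consumes-left-click rule below is assumed.
struct Page {
  int top, bottom;            // vertical extent of the page
  int form_top, form_bottom;  // extent of a form text area on that page
};
enum class Button { kLeft, kRight };
constexpr int kNoPage = -1;  // sentinel kept in last_page_mouse_down_
class MouseHandlerModel {
 public:
  explicit MouseHandlerModel(std::vector<Page> pages) : pages_(pages) {}
  void OnMouseDown(Button button, int y) {
    int page = kNoPage;
    for (size_t i = 0; i < pages_.size(); ++i)
      if (y >= pages_[i].top && y < pages_[i].bottom) page = static_cast<int>(i);
    // Assumed: a left click inside the form text area is consumed by the form
    // layer, so last_page_mouse_down_ keeps whatever the previous click stored.
    if (button == Button::kLeft && page != kNoPage &&
        y >= pages_[page].form_top && y < pages_[page].form_bottom)
      return;
    last_page_mouse_down_ = page;
  }
  // Mouse-up as fixed: bail out on the sentinel before indexing pages_.
  bool OnMouseUp() const {
    if (last_page_mouse_down_ == kNoPage) return false;
    const Page& p = pages_[last_page_mouse_down_];
    return p.form_bottom > p.form_top;  // a selection could be made
  }
  // True when the pre-fix, unchecked pages_[last_page_mouse_down_] would read
  // outside the vector: the heap-buffer-overflow ASan reported.
  bool UncheckedIndexIsOutOfBounds() const {
    return last_page_mouse_down_ < 0 ||
           static_cast<size_t>(last_page_mouse_down_) >= pages_.size();
  }
 private:
  std::vector<Page> pages_;
  int last_page_mouse_down_ = kNoPage;
};

// Replays the commit message's sequence: a right click outside the form text
// area (here outside every page), then a left click inside the form text area.
MouseHandlerModel ReplayReportedSequence() {
  MouseHandlerModel m({{0, 100, 40, 60}});
  m.OnMouseDown(Button::kRight, 150);  // no page hit -> sentinel stored
  m.OnMouseDown(Button::kLeft, 50);    // consumed by the form -> sentinel kept
  return m;
}
```

With the sentinel still set after the replayed sequence, the unchecked index would read before the start of the vector, while the guarded OnMouseUp simply returns false.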
Jun 28 2017
Jun 29 2017
ClusterFuzz has detected this issue as fixed in range 483124:483186.

Detailed report: https://clusterfuzz.com/testcase?key=5920051936100352
Fuzzer: ifratric_acrojs
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x0d32a19c
Crash State:
chrome_pdf::PDFiumEngine::OnMouseUp
chrome_pdf::PDFiumEngine::HandleEvent
chrome_pdf::OutOfProcessInstance::HandleInputEvent
Sanitizer: address (ASAN)
Recommended Security Severity: Low
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=482053:482102
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=483124:483186
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5920051936100352
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2017
Oct 5 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jun 28 2017