New issue
Advanced search Search tips

Issue 743135 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in TetrahedralInterpFloat

Project Member Reported by ClusterFuzz, Jul 14 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5612341487206400

Fuzzer: libFuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x608000070024
Crash State:
  TetrahedralInterpFloat
  _LUTevalFloat
  XFormSampler16
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=420440:420580

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5612341487206400


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by raymes@chromium.org, Jul 14 2017

Cc: kcwu@chromium.org
Components: Internals>Plugins>PDF
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
dsinclair: there's a bunch of pdfium rolls in the regression range. Could you please help triage? 

Also +kcwu because it looks like there was a pdfium-related fuzzer change in the regression range too.
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 15 2017

Labels: M-61
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 15 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 15 2017

Labels: Pri-1
Labels: -ReleaseBlock-Stable ReleaseBlock-NA
Removing the RB-Stable marker as this is existing code, not a new change. Will see if we can track down the issue.
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 26 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 7 by sheriffbot@chromium.org, Aug 1 2017

dsinclair: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by sheriffbot@chromium.org, Aug 15 2017

dsinclair: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by ClusterFuzz, Aug 26 2017

ClusterFuzz has detected this issue as fixed in range 497463:497522.

Detailed report: https://clusterfuzz.com/testcase?key=5612341487206400

Fuzzer: libFuzzer_pdf_codec_icc_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x608000070024
Crash State:
  TetrahedralInterpFloat
  _LUTevalFloat
  XFormSampler16
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=420440:420580
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=497463:497522

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5612341487206400

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Aug 26 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5612341487206400 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 26 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 12 by sheriffbot@chromium.org, Dec 2 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment