Stack-overflow in pdfium::internal::MakeUniqueResult<CXFA_FMToken>::Scalar pdfium::MakeUnique<CXFA
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4678341541232640

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe1bd0afe8
Crash State:
  pdfium::internal::MakeUniqueResult<CXFA_FMToken>::Scalar pdfium::MakeUnique<CXFA
  CXFA_FMLexer::NextToken
  CXFA_FMParser::NextToken

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=490660:490669

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4678341541232640

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 12 2017

Aug 15 2017

Aug 16 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/a169364e46956875db35fb1baacc4a0a1ee17f08

commit a169364e46956875db35fb1baacc4a0a1ee17f08
Author: Ryan Harrison <rharrison@chromium.org>
Date: Wed Aug 16 19:02:51 2017

Add parse depth limit to FormCalc parser

Due to the recursive nature of the FormCalc parser, deeply nested expressions can lead to memory being exhausted. This check is being added to have the parser exit early instead of running out of memory. This should reduce the number of false positives about addressing issues being found by fuzzers.

BUG= chromium:752433
Change-Id: I511ecfb07e32073555e1fd1658f3b8b47f1a5a91
Reviewed-on: https://pdfium-review.googlesource.com/11170
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/a169364e46956875db35fb1baacc4a0a1ee17f08/xfa/fxfa/fm2js/cxfa_fmparser.h
[modify] https://crrev.com/a169364e46956875db35fb1baacc4a0a1ee17f08/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
[modify] https://crrev.com/a169364e46956875db35fb1baacc4a0a1ee17f08/xfa/fxfa/fm2js/cxfa_fmparser.cpp
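The depth guard the commit above describes, as an added example that is not pdfium's own code: a minimal recursive-descent parser for nested expressions whose recursion is bounded by a counter, so a deeply nested input fails the parse cleanly instead of exhausting the native stack. The toy grammar, the DepthLimitedParser class and the kMaxParseDepth value are all constructed for illustration; pdfium's actual limit and parser live in xfa/fxfa/fm2js/cxfa_fmparser.h and .cpp.

```cpp
#include <cstddef>
#include <string>

// Constructed illustration, not pdfium's code. kMaxParseDepth is a made-up
// limit chosen for the example; pdfium's real limit is in cxfa_fmparser.h.
constexpr size_t kMaxParseDepth = 1000;

// Recursive-descent parser for:  expr := term ('+' term)*
//                                 term := digit | '(' expr ')'
class DepthLimitedParser {
 public:
  explicit DepthLimitedParser(const std::string& input) : input_(input) {}

  // True only if the entire input is a well-formed expression.
  bool Parse() { return ParseExpr() && pos_ == input_.size(); }

  // Distinguishes "rejected because too deep" from an ordinary syntax error.
  bool HitDepthLimit() const { return depth_error_; }

 private:
  bool ParseExpr() {
    // The guard the fix adds: each recursion level is counted, and the parser
    // fails fast rather than consuming native stack without bound.
    if (++depth_ > kMaxParseDepth) { depth_error_ = true; return false; }
    bool ok = ParseTerm();
    while (ok && pos_ < input_.size() && input_[pos_] == '+') {
      ++pos_;
      ok = ParseTerm();
    }
    --depth_;
    return ok;
  }

  bool ParseTerm() {
    if (pos_ >= input_.size()) return false;
    char c = input_[pos_];
    if (c == '(') {  // nesting: this is where the parser recurses
      ++pos_;
      if (!ParseExpr()) return false;
      if (pos_ >= input_.size() || input_[pos_] != ')') return false;
      ++pos_;
      return true;
    }
    if (c >= '0' && c <= '9') { ++pos_; return true; }
    return false;
  }

  std::string input_;
  size_t depth_ = 0;
  size_t pos_ = 0;
  bool depth_error_ = false;
};
```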
Aug 16 2017

Aug 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/27ec0b7c12ce7e2e231cc7955f2946fe6915d897

commit 27ec0b7c12ce7e2e231cc7955f2946fe6915d897
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Wed Aug 16 20:51:01 2017

Roll src/third_party/pdfium/ ca8982977..a169364e4 (7 commits)

https://pdfium.googlesource.com/pdfium.git/+log/ca89829775fe..a169364e4695

$ git log ca8982977..a169364e4 --date=short --no-merges --format='%ad %ae %s'
2017-08-16 rharrison Add parse depth limit to FormCalc parser
2017-08-16 rharrison Add in missting string length check
2017-08-16 thestig Fix potential OOM / integer overflow in CPDF_Parser.
2017-08-14 tsepez Check for possible empty object returns from NewFxDynamicObj()
2017-08-16 janeliulwq Fixed the return values of FPDFAnnot_Get{Rect|AttachmentPoints}
2017-08-16 dsinclair Remove CFWL_WidgetMgrDelegate
2017-08-15 janeliulwq Changed the return type of FPDFAnnot_Get{Rect|AttachmentPoints}()

Created with:
  roll-dep src/third_party/pdfium

BUG= 752433 , 754984 , 752796

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I1a6f55adde2f82919d1e644a9f1ccd5c301bba29
Reviewed-on: https://chromium-review.googlesource.com/617402
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#494941}

[modify] https://crrev.com/27ec0b7c12ce7e2e231cc7955f2946fe6915d897/DEPS
Aug 17 2017
ClusterFuzz has detected this issue as fixed in range 494860:494945.

Detailed report: https://clusterfuzz.com/testcase?key=4678341541232640

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe1bd0afe8
Crash State:
  pdfium::internal::MakeUniqueResult<CXFA_FMToken>::Scalar pdfium::MakeUnique<CXFA
  CXFA_FMLexer::NextToken
  CXFA_FMParser::NextToken

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=490660:490669
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=494860:494945

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4678341541232640

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 17 2017
ClusterFuzz testcase 4678341541232640 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Aug 4 2017
Labels: M-62 Test-Predator-Wrong
Owner: rharrison@chromium.org
Status: Assigned (was: Untriaged)