New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 759295 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 62400



Sign in to add a comment

Stack-overflow in CXFA_FMParse::ParseExpression

Project Member Reported by ClusterFuzz, Aug 26 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4941711469182976

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffd87324c98
Crash State:
  CXFA_FMParse::ParseExpression
  CXFA_FMParse::ParseBlockExpression
  CXFA_FMParse::ParseDoExpression
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=423792:423807

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4941711469182976

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: msrchandra@chromium.org dsinclair@chromium.org
Labels: M-60 Test-Predator-Wrong
Owner: rharrison@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Assigning to concern owner who previously worked on similar issues.

@rharrison -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Components: Internals>Plugins>PDF
Status: Started (was: Assigned)
Blocking: 62400
Labels: -M-60 Security_Impact-None
XFA issue, not enabled in an releases
Project Member

Comment 5 by bugdroid1@chromium.org, Sep 20 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/4fe8ea5bba4bd505b5bd35395c68799771b0bd7d

commit 4fe8ea5bba4bd505b5bd35395c68799771b0bd7d
Author: Ryan Harrison <rharrison@chromium.org>
Date: Wed Sep 20 16:10:06 2017

Add in missed parse recursion depth checks

Some of the calls in CXFA_FMParser on the prase recursion had been
missed when adding in the parse depth limiting logic. The fuzzers
found them.

BUG= chromium:759295 

Change-Id: Iad54beb356c4c555908797d4b58a42549c006e9e
Reviewed-on: https://pdfium-review.googlesource.com/14510
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/4fe8ea5bba4bd505b5bd35395c68799771b0bd7d/xfa/fxfa/fm2js/cxfa_fmparser.cpp

Status: Fixed (was: Started)
Project Member

Comment 7 by bugdroid1@chromium.org, Sep 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bddfe0bd31d6409545fa1f1f9d24a9e9ea8a2e89

commit bddfe0bd31d6409545fa1f1f9d24a9e9ea8a2e89
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Wed Sep 20 20:23:51 2017

Roll src/third_party/pdfium/ bc4818564..4fe8ea5bb (2 commits)

https://pdfium.googlesource.com/pdfium.git/+log/bc48185643b3..4fe8ea5bba4b

$ git log bc4818564..4fe8ea5bb --date=short --no-merges --format='%ad %ae %s'
2017-09-20 rharrison Add in missed parse recursion depth checks
2017-09-20 dsinclair Implement CFDE_TextEditEngine::GetIndex* methods.

Created with:
  roll-dep src/third_party/pdfium
BUG= 759295 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


TBR=dsinclair@chromium.org

Change-Id: Ic7581ff8d456cd18dd1db471cea5b8ea17b962e4
Reviewed-on: https://chromium-review.googlesource.com/675843
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503233}
[modify] https://crrev.com/bddfe0bd31d6409545fa1f1f9d24a9e9ea8a2e89/DEPS

Project Member

Comment 8 by ClusterFuzz, Sep 21 2017

ClusterFuzz has detected this issue as fixed in range 503229:503270.

Detailed report: https://clusterfuzz.com/testcase?key=4941711469182976

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffd87324c98
Crash State:
  CXFA_FMParse::ParseExpression
  CXFA_FMParse::ParseBlockExpression
  CXFA_FMParse::ParseDoExpression
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=423792:423807
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=503229:503270

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4941711469182976

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Sep 21 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4941711469182976 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment