Integer-overflow in Buffer_itoa |
|||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5080440062083072 Fuzzer: libFuzzer_pdfium_xfa_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: Buffer_itoa CFX_ByteString::FormatInteger CXFA_FM2JSContext::GenerateSomExpression Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=462191:462244 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5080440062083072 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Aug 31 2017
,
Sep 1 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/dce09b18b48837d8006694b9dc3b2d026e5e7869 commit dce09b18b48837d8006694b9dc3b2d026e5e7869 Author: Henrique Nakashima <hnakashima@chromium.org> Date: Fri Sep 01 16:30:01 2017 Fix integer overflow in Buffer_itoa when passing INT_MIN. Bug: chromium:760034 Change-Id: Id0862749b1454e065de4de7d746a27e78ac58e30 Reviewed-on: https://pdfium-review.googlesource.com/12730 Commit-Queue: Henrique Nakashima <hnakashima@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> [modify] https://crrev.com/dce09b18b48837d8006694b9dc3b2d026e5e7869/core/fpdfapi/parser/cpdf_number.cpp [modify] https://crrev.com/dce09b18b48837d8006694b9dc3b2d026e5e7869/core/fxcrt/cfx_bytestring.h [modify] https://crrev.com/dce09b18b48837d8006694b9dc3b2d026e5e7869/core/fxcrt/cfx_bytestring_unittest.cpp [modify] https://crrev.com/dce09b18b48837d8006694b9dc3b2d026e5e7869/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp [modify] https://crrev.com/dce09b18b48837d8006694b9dc3b2d026e5e7869/core/fxcrt/cfx_bytestring.cpp
,
Sep 2 2017
ClusterFuzz has detected this issue as fixed in range 499325:499364. Detailed report: https://clusterfuzz.com/testcase?key=5080440062083072 Fuzzer: libFuzzer_pdfium_xfa_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: Buffer_itoa CFX_ByteString::FormatInteger CXFA_FM2JSContext::GenerateSomExpression Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=462191:462244 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=499325:499364 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5080440062083072 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 2 2017
ClusterFuzz testcase 5080440062083072 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||
►
Sign in to add a comment |
|||
Comment 1 by msrchandra@chromium.org
, Aug 29 2017Labels: M-62 Test-Predator-Wrong-CLs
Owner: hnakashima@chromium.org
Status: Assigned (was: Untriaged)