New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

PDFium TIFF Image Flate Decoder Code Execution Vulnerability

Reported by regiw...@sourcefire.com, Sep 5 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50

Steps to reproduce the problem:
1. 
2. 
3. 

What is the expected behavior?

What went wrong?
review attached advisory

Did this work before? N/A 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: OS X 10.12
Flash Version: 

n/a
 
TALOS-2017-0432 - Google PDFium TIFF Image Flate Decoder Code Execution Vulnerability.txt
17.1 KB View Download
Components: Internals>Plugins>PDF
Summary: PDFium TIFF Image Flate Decoder Code Execution Vulnerability (was: Talos Security Advisory for Google PDFium)
2017-MM-DD (published patch date)
TALOS-2017-0432
CVE-2017-XXXX 


Google PDFium TIFF Image Flate Decoder Code Execution Vulnerability


### Summary

An off-by-one read/write on the heap vulnerability exists in the TIFF image decoder functionality of Pdfium as used by Google Chrome up to and including 60.0.3112.101. A specially crafted PDF file can trigger an off-by-one read and write on the heap resulting in memory corruption and a possible information leak and potential code execution. The victim needs to open a malicious PDF in the browser in order to trigger this vulnerability. 


### Tested Versions

Google Chrome 60.0.3112.101


### Product URLs

[https://pdfium.googlesource.com](https://pdfium.googlesource.com)


### CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H


### CWE

CWE-193: Off-by-one Error


### Details

Pdfium is an open source PDF renderer developed by Google and used extensively in the Chrome browser, online services as well as other standalone applications. This bug was triaged on the latest git version as well as the latest chromium address sanitizer build available (asan-linux-release-498039). 

A heap-buffer overflow is present in the code responsible for decoding a compressed TIFF image stream. While parsing pixel data of the flate decoded image stream, the function TIFF_PredictLine is reached:

  void TIFF_PredictLine(uint8_t* dest_buf,
                       uint32_t row_size,
                       int BitsPerComponent,
                       int Colors,
                       int Columns) {
  ...

   int BytesPerPixel = BitsPerComponent * Colors / 8;
   if (BitsPerComponent == 16) {
     for (uint32_t i = BytesPerPixel; i < row_size; i += 2) {
       uint16_t pixel =
           (dest_buf[i - BytesPerPixel] << 8) | dest_buf[i - BytesPerPixel + 1];
       pixel += (dest_buf[i] << 8) | dest_buf[i + 1];
       dest_buf[i] = pixel >> 8;
       dest_buf[i + 1] = (uint8_t)pixel;
     }
  ...

   }
  }

In the above code, during the for loop, 4 bytes will always be read from `dest_buffer` even if the length of the buffer is less than that. This can potentially lead to an off-by-one read on the heap, followed immediately by an off-by-one write. 
In order to reach the buggy code and trigger the vulnerable state, a couple of conditions need to be satisfied. In the previous function , `TIFF_Predictor`, we see: 

  bool TIFF_Predictor(uint8_t*& data_buf,
                      uint32_t& data_size,
                      int Colors,
                      int BitsPerComponent,
                      int Columns) {
    int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;                         [1]
    if (row_size == 0)
      return false;
    const int row_count = (data_size + row_size - 1) / row_size;
    const int last_row_size = data_size % row_size;                                        [2]
    for (int row = 0; row < row_count; row++) {
      uint8_t* scan_line = data_buf + row * row_size;
      if ((row + 1) * row_size > (int)data_size) {
        row_size = last_row_size;                                                        [3]
      }
      TIFF_PredictLine(scan_line, row_size, BitsPerComponent, Colors, Columns);        [4]
    }
    return true;
  }

At [1], `row_size` is calculated and is a multiple of 8. At [2], the data size of the last row is calculated, as input data might not have a multiple of `row_size` bytes available. When the last row is being used (if the next row would end up outside the data size) `row_size` is set to `last_row_size` at [3]. At [4], vulnerable function `TIFF_PredictLine` is called with the calculated row_size. If we line up the buffer sizes and `last_row_size` properly, this can result in last_row_size being 3, where `Tiff_PredictLine` actually reads/writes 4 bytes from the data buffer , leading to off-by-one read/write. 

A sample PDF to trigger this bug is:

  %PDF-1.6
                     
  47 0 obj
  <</DecodeParms
          <<        /Columns 2
          /Colors 1
                  /BitsPerComponent 16
                  /Predictor 2>>
          /Filter/FlateDecode
          /W[0 0 0]>>
  stream
  ...
  endstream
  endobj
  startxref 30
  %%EOF

The content of the stream above just needs to satisfy one condition and that is that it must decode to a length that would result in 3 in the calculation at [2] in the previously mentioned code. The lowest length that satisfies these and some of the previously mentioned conditions is 23. The values of `Columns`, `Colors` and uncompressed stream lengths can be adjusted to control the sizes of the buffers, number of loops and bytes accessed and all ultimately get passed to their corresponding values to the functions that we mentioned.

Depending on the underlying allocator and other variables, abusing this bug for information leaks or memory overwrite might or might not be possible, but it could potentially be combined with other vulnerabilities to cause further memory corruption. 


### Crash Information 

Address Sanitizer output from latest build at the time (`asan-linux-release-498039`)

  Rendering PDF file poc_test.pdf.
  =================================================================
  ==67198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000003177 at pc 0x0000025b0826 bp 0x7fffffffcf70 sp 0x7fffffffcf68
  READ of size 1 at 0x603000003177 thread T0
      #0 0x25b0825 in _ZN12_GLOBAL__N_116TIFF_PredictLineEPhjiii ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:478
      #1 0x25b0825 in ?? ??:0
      #2 0x25b2646 in TIFF_Predictor ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:504
      #3 0x25b2646 in FlateOrLZWDecode ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:805
      #4 0x25b2646 in ?? ??:0
      #5 0x2423440 in _Z24FPDFAPI_FlateOrLZWDecodebPKhjP15CPDF_DictionaryjPPhPj ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/fpdf_parser_decode.cpp:319
      #6 0x2423440 in ?? ??:0
      #7 0x24240a9 in _Z14PDF_DataDecodePKhjPK15CPDF_DictionaryjbPPhPjP14CFX_ByteStringPPS1_ crtstuff.c:?
      #8 0x24240a9 in ?? ??:0
      #9 0x2412602 in _ZN14CPDF_StreamAcc11LoadAllDataEbjb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_stream_acc.cpp:45
      #10 0x2412602 in ?? ??:0
      #11 0x23faa1b in _ZN11CPDF_Parser14LoadCrossRefV5EPlb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1085
      #12 0x23faa1b in ?? ??:0
      #13 0x23ed71a in _ZN11CPDF_Parser17LoadAllCrossRefV5El ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:645
      #14 0x23ed71a in ?? ??:0
      #15 0x23eaf90 in _ZN11CPDF_Parser18StartParseInternalEP13CPDF_Document ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:248
      #16 0x23eaf90 in ?? ??:0
      #17 0x20f747b in _ZN12_GLOBAL__N_116LoadDocumentImplERK13CFX_RetainPtrI22IFX_SeekableReadStreamEPKc ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:288
      #18 0x20f747b in ?? ??:0
      #19 0x20f7734 in FPDF_LoadCustomDocument ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:629
      #20 0x20f7734 in ?? ??:0
      #21 0x4f64b0 in _ZN12_GLOBAL__N_19RenderPdfERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEEPKcmRKNS_7OptionsES8_ ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1406
      #22 0x4f64b0 in ?? ??:0
      #23 0x4f3b7f in main ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1624
      #24 0x4f3b7f in ?? ??:0
      #25 0x7ffff624e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
      #26 0x7ffff624e82f in ?? ??:0


  0x603000003177 is located 0 bytes to the right of 23-byte region [0x603000003160,0x603000003177)
  allocated by thread T0 here:
      #0 0x4c48e3 in __interceptor_malloc ??:?
      #1 0x4c48e3 in ?? ??:0
      #2 0x25b2106 in PartitionAllocGenericFlags ./out/Release/../../third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:787
      #3 0x25b2106 in FX_SafeAlloc ./out/Release/../../third_party/pdfium/core/fxcrt/fx_memory.h:46
      #4 0x25b2106 in FX_AllocOrDie ./out/Release/../../third_party/pdfium/core/fxcrt/fx_memory.h:67
      #5 0x25b2106 in FlateUncompress ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:556
      #6 0x25b2106 in FlateOrLZWDecode ./out/Release/../../third_party/pdfium/core/fxcodec/codec/fx_codec_flate.cpp:794
      #7 0x25b2106 in ?? ??:0
      #8 0x2423440 in _Z24FPDFAPI_FlateOrLZWDecodebPKhjP15CPDF_DictionaryjPPhPj ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/fpdf_parser_decode.cpp:319
      #9 0x2423440 in ?? ??:0
      #10 0x24240a9 in _Z14PDF_DataDecodePKhjPK15CPDF_DictionaryjbPPhPjP14CFX_ByteStringPPS1_ crtstuff.c:?
      #11 0x24240a9 in ?? ??:0
      #12 0x2412602 in _ZN14CPDF_StreamAcc11LoadAllDataEbjb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_stream_acc.cpp:45
      #13 0x2412602 in ?? ??:0
      #14 0x23faa1b in _ZN11CPDF_Parser14LoadCrossRefV5EPlb ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1085
      #15 0x23faa1b in ?? ??:0
      #16 0x23ed71a in _ZN11CPDF_Parser17LoadAllCrossRefV5El ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:645
      #17 0x23ed71a in ?? ??:0
      #18 0x23eaf90 in _ZN11CPDF_Parser18StartParseInternalEP13CPDF_Document ./out/Release/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:248
      #19 0x23eaf90 in ?? ??:0
      #20 0x20f747b in _ZN12_GLOBAL__N_116LoadDocumentImplERK13CFX_RetainPtrI22IFX_SeekableReadStreamEPKc ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:288
      #21 0x20f747b in ?? ??:0
      #22 0x20f7734 in FPDF_LoadCustomDocument ./out/Release/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:629
      #23 0x20f7734 in ?? ??:0
      #24 0x4f64b0 in _ZN12_GLOBAL__N_19RenderPdfERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEEPKcmRKNS_7OptionsES8_ ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1406
      #25 0x4f64b0 in ?? ??:0
      #26 0x4f3b7f in main ./out/Release/../../third_party/pdfium/samples/pdfium_test.cc:1624
      #27 0x4f3b7f in ?? ??:0
      #28 0x7ffff624e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
      #29 0x7ffff624e82f in ?? ??:0


  SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/pdfium/repo/asan-linux-release-498039/pdfium_test+0x25b0825)
  Shadow bytes around the buggy address:
    0x0c067fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8600: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
    0x0c067fff8610: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  =>0x0c067fff8620: fd fd fd fa fa fa fd fd fd fa fa fa 00 00[07]fa
    0x0c067fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c067fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
  ==67198==ABORTING


Official, latest version of Chrome on Windows crashes with the following when run with PageHeap enabled (output from BugId):

  BugId:            OOBW[0x1FB]+0~1#b6d7 c40.313 
  Location:         chrome.exe!verifier.dll!AVrfpDphCheckPageHeapBlock 
  Description:      Page heap detected heap corruption at 0x8EA7FFB; at the end of a 507/0x1FB bytes heap block at 0x8EA7E00. This appears to be a classic buffer-overrun vulnerability. The following byte values were written to the corrupted area: 22. 
  Version:          chrome.exe: 60.0.3112.113 (x86)
  verifier.dll: 6.1.7600.16385 (x86) 
  Security impact:  Potentially highly exploitable security issue. 
  Integrity level:  0x2000 (Medium Integrity; this process appears to not be sandboxed!) 
  Arguments:  ['--enable-experimental-accessibility-features', '--enable-experimental-canvas-features', '--enable-experimental-input-view-features', '--enable-experimental-web-platform-features', '--enable-logging=stderr', '--enable-usermedia-screen-capturing', '--enable-viewport', '--enable-webgl-draft-extensions', '--enable-webvr', '--expose-internals-for-testing', '--disable-popup-blocking', '--disable-prompt-on-repost', '--force-renderer-accessibility', '--javascript-harmony', '--js-flags="--expose-gc"', '--no-sandbox', 'c:\\Users\\ea\\Desktop\\poc.pdf'] 

  Stack:
  verifier.dll!VerifierStopMessage + 0x1F8 (this frame is irrelevant to this bug)
  2.verifier.dll!AVrfpDphReportCorruptedBlock + 0x1C2 (this frame is irrelevant to this bug)
  3.verifier.dll!AVrfpDphCheckPageHeapBlock + 0x161 (id: c40)
  4.verifier.dll!AVrfpDphFindBusyMemory + 0xDA (id: 313)
  5.verifier.dll!AVrfpDphFindBusyMemoryAndRemoveFromBusyList + 0x20
  6.ntdll.dll!RtlpDebugPageHeapFree + ? (the exact offset is not known)
  7.ntdll.dll!RtlDebugFreeHeap + 0x2F
  8.ntdll.dll!RtlpFreeHeap + 0x5D
  9.ntdll.dll!RtlFreeHeap + 0x142
  10.kernel32.dll!HeapFree + 0x14
  11.chrome_child.dll + 0x163239 (no function symbol available)
  12.chrome_child.dll + 0x1852FAA (no function symbol available)
  13.chrome_child.dll + 0x184DDD1 (no function symbol available)
  14.chrome_child.dll + 0x1846493 (no function symbol available)
  15.chrome_child.dll + 0x18488BD (no function symbol available)
  16.chrome_child.dll + 0x18485B5 (no function symbol available)
  17.chrome_child.dll + 0x1823308 (no function symbol available)
  18.chrome_child.dll + 0x18175AB (no function symbol available)
  19.chrome_child.dll + 0x181413D (no function symbol available)
  20.chrome_child.dll + 0x181468D (no function symbol available)
  21.chrome_child.dll + 0x181F15A (no function symbol available)
  22.chrome_child.dll + 0x181E1AF (no function symbol available)
  23.chrome_child.dll + 0x17CA70A (no function symbol available)
  24.chrome_child.dll + 0x1437254 (no function symbol available)
  25.chrome_child.dll + 0x143797E (no function symbol available)
  26.chrome_child.dll + 0x16729C1 (no function symbol available)

  Page heap output for heap block near 0x8EA7FFB
     address 08ea7e00 found in
     _DPH_HEAP_ROOT @ 4161000
     in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                  8712000:          8ea7e00              1fb -          8ea7000             2000
     6ccf8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
     77876206 ntdll!RtlDebugAllocateHeap+0x00000030
     7783a127 ntdll!RtlpAllocateHeap+0x000000c4
     77805950 ntdll!RtlAllocateHeap+0x0000023a
     58de52c3 chrome_child!ovly_debug_event+0x0014dff3
     5a357dd2 chrome_child!IsSandboxedProcess+0x003fb31f
     5a3cf306 chrome_child!IsSandboxedProcess+0x00472853
     5a379bca chrome_child!IsSandboxedProcess+0x0041d117
     5a37a05d chrome_child!IsSandboxedProcess+0x0041d5aa
     5a38311c chrome_child!IsSandboxedProcess+0x00426669
     5a376b0e chrome_child!IsSandboxedProcess+0x0041a05b
     5a376493 chrome_child!IsSandboxedProcess+0x004199e0
     5a3788bd chrome_child!IsSandboxedProcess+0x0041be0a
     5a3785b5 chrome_child!IsSandboxedProcess+0x0041bb02
     5a353308 chrome_child!IsSandboxedProcess+0x003f6855
     5a3475ab chrome_child!IsSandboxedProcess+0x003eaaf8
     5a34413d chrome_child!IsSandboxedProcess+0x003e768a
     5a34468d chrome_child!IsSandboxedProcess+0x003e7bda
     5a34f15a chrome_child!IsSandboxedProcess+0x003f26a7
     5a34e1af chrome_child!IsSandboxedProcess+0x003f16fc
     5a2fa70a chrome_child!IsSandboxedProcess+0x0039dc57
     59f67254 chrome_child!IsSandboxedProcess+0x0000a7a1
     59f6797e chrome_child!IsSandboxedProcess+0x0000aecb
     5a1a29c1 chrome_child!IsSandboxedProcess+0x00245f0e
     5a1a2be2 chrome_child!IsSandboxedProcess+0x0024612f
     5a17e7ea chrome_child!IsSandboxedProcess+0x00221d37
     5a17e9fb chrome_child!IsSandboxedProcess+0x00221f48
     58c33f7e chrome_child+0x00103f7e
     58c31129 chrome_child+0x00101129
     58c33bc4 chrome_child+0x00103bc4
     58c996e8 chrome_child!ovly_debug_event+0x00002418
     58f54b95 chrome_child!ChromeMain+0x0000b501


### Credit 

Discovered by Aleksandar Nikolic of Cisco Talos.
http://talosintelligence.com/vulnerability-reports/


### Timeline


2017-09-05 - Vendor Disclosure
YYYY-MM-DD - Public Release

google pdfium trigger.pdf
324 bytes Download
Project Member

Comment 3 by ClusterFuzz, Sep 5 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5924241940938752.
Owner: dsinclair@chromium.org
Cc: dsinclair@chromium.org
Owner: npm@chromium.org
npm@ more TIFF fun if you've got time, feel free to assign back if you don't.
Project Member

Comment 6 by ClusterFuzz, Sep 5 2017

Status: WontFix (was: Unconfirmed)
ClusterFuzz testcase 5924241940938752 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong OS-Chrome OS-Linux OS-Windows
Status: Untriaged (was: WontFix)
Repros with ASAN here.
Cc: tsepez@chromium.org npm@chromium.org
Owner: thestig@chromium.org
Status: Started (was: Untriaged)
Uploaded https://pdfium-review.googlesource.com/13212
Labels: Security_Severity-Medium Security_Impact-Stable
Project Member

Comment 10 by sheriffbot@chromium.org, Sep 7 2017

Labels: M-61
Project Member

Comment 11 by sheriffbot@chromium.org, Sep 7 2017

Labels: -Pri-2 Pri-1
Project Member

Comment 12 by bugdroid1@chromium.org, Sep 8 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/131c0eb2e34ece6ede6288842cb3004ec3c600d4

commit 131c0eb2e34ece6ede6288842cb3004ec3c600d4
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Sep 08 22:51:02 2017

Fix an off by 1 error in TIFF_PredictLine().

BUG= chromium:762106 

Change-Id: I714d69320cc4fb81d535f811c18d4ef91fec44d3
Reviewed-on: https://pdfium-review.googlesource.com/13212
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/131c0eb2e34ece6ede6288842cb3004ec3c600d4/core/fxcodec/codec/fx_codec_flate.cpp

Status: Fixed (was: Started)
Project Member

Comment 14 by bugdroid1@chromium.org, Sep 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/60ffdffea2683c732514874a7d3548d5acecf740

commit 60ffdffea2683c732514874a7d3548d5acecf740
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Sat Sep 09 00:31:42 2017

Roll src/third_party/pdfium/ ee1e75790..131c0eb2e (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/ee1e757902d0..131c0eb2e34e

$ git log ee1e75790..131c0eb2e --date=short --no-merges --format='%ad %ae %s'
2017-09-08 thestig Fix an off by 1 error in TIFF_PredictLine().

Created with:
  roll-dep src/third_party/pdfium
BUG= 762106 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


TBR=dsinclair@chromium.org

Change-Id: I7d6bba2e7c2c73d247a9390597f2b09e397663e8
Reviewed-on: https://chromium-review.googlesource.com/658400
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500756}
[modify] https://crrev.com/60ffdffea2683c732514874a7d3548d5acecf740/DEPS

Project Member

Comment 15 by sheriffbot@chromium.org, Sep 9 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Is there a public disclosure release date scheduled since this issue is now fixed?

Labels: -M-61 reward-topanel Merge-Request-62 M-62
regiwils@ - standard procedure is that the bug will be automatically opened to public view 14 weeks after the fix date.

This is very likely to be merged to M62, for a stable release in mid October (https://www.chromium.org/developers/calendar)
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 11 2017

Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-62 Merge-Approved-62
Approving merge to M62, branch: 3202. 
Project Member

Comment 20 by sheriffbot@chromium.org, Sep 15 2017

Cc: awhalley@google.com abdulsyed@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 21 by bugdroid1@chromium.org, Sep 15 2017

Labels: -merge-approved-62 merge-merged-3202
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/fc556ac0c823bccffaff84fea7a118835f33147a

commit fc556ac0c823bccffaff84fea7a118835f33147a
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Sep 15 21:37:14 2017

M62: Fix an off by 1 error in TIFF_PredictLine().

BUG= chromium:762106 
TBR=tsepez@chromium.org

Change-Id: I714d69320cc4fb81d535f811c18d4ef91fec44d3
Reviewed-on: https://pdfium-review.googlesource.com/13212
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit 131c0eb2e34ece6ede6288842cb3004ec3c600d4)
Reviewed-on: https://pdfium-review.googlesource.com/14190
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/fc556ac0c823bccffaff84fea7a118835f33147a/core/fxcodec/codec/fx_codec_flate.cpp

Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Labels: -reward-topanel reward-unpaid reward-2000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Cc: awhalley@chromium.org
Hi regiwils@ - the VRP panel has decided to award $2,000 for this report, and noted their thanks for the detailed bug explanation. A member of our finance team will be in touch to arrange payment.  Also, how would you like to be credited in release notes?  Thanks!
Labels: -reward-unpaid reward-inprocess
Thanks for the update and acknowledgement! We would like credit to appear as "Discovered by Aleksandar Nikolic of Cisco Talos."

Labels: Release-0-M62
Labels: CVE-2017-5133
Is this confirming public release?

While this bug is still private (by default it will be made public 14 weeks after the fix landed), it has been included in our release notes: https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html
Project Member

Comment 31 by sheriffbot@chromium.org, Dec 16 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 32 by sheriffbot@chromium.org, Mar 27

Labels: -M-62 M-65
Labels: CVE_description-submitted

Sign in to add a comment