Issue 768089

Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug

Blocking:
issue 62400




Null-dereference READ in CCodec_ProgressiveDecoder::GifInputRecordPositionBuf

Project Member Reported by ClusterFuzz, Sep 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5772214090858496

Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  CCodec_ProgressiveDecoder::GifInputRecordPositionBuf
  CCodec_ProgressiveDecoder::GifInputRecordPositionBuf
  CGifContext::GetRecordPosition
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=503730:503770

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5772214090858496

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: msrchandra@chromium.org pnangunoori@chromium.org
Labels: M-63 Test-Predator-Correct
Owner: rharrison@chromium.org
Status: Assigned (was: Untriaged)
Test Predator has given the following results:

Fix crash when rendering invalid GIF by rharrison@chromium.org
Minimum distance between changed lines and stacktrace lines in fx_codec_progress.cpp is 0
Top touched frame is #0 CCodec_ProgressiveDecoder::GifInputRecordPositionBuf(in fx_codec_progress.cpp)
Changed files ccodec_gifmodule.cpp, ccodec_progressivedecoder.h, fx_codec_progress.cpp, with the same CrashedDirectory(core/fxcodec/codec) as ccodec_gifmodule.cpp (in frame#4), fx_codec_progress.cpp (in frame#0, frame#5)
Changed files cgifcontext.cpp, cgifcontext.h, fx_gif.cpp, fx_gif.h, with the same CrashedDirectory(core/fxcodec/lgif) as cgifcontext.cpp (in frame#2), fx_gif.cpp (in frame#3)
Changed files xfa_codec_fuzzer.h, with the same CrashedDirectory(testing/libfuzzer) as xfa_codec_fuzzer.h (in frame#6)
Touched files in stacktrace - fx_codec_progress.cpp, cgifcontext.cpp, xfa_codec_fuzzer.h, ccodec_gifmodule.cpp, fx_gif.cpp
Changed files ccodec_gifmodule.cpp, ccodec_progressivedecoder.h, fx_codec_progress.cpp, fx_codec_def.h, cgifcontext.cpp, cgifcontext.h, fx_gif.cpp, fx_gif.h, xfa_codec_fuzzer.h, cxfa_ffimage.cpp, cxfa_ffpageview.cpp, cxfa_ffwidget.cpp, with the same CrashedComponent(Internals>Plugins>PDF) as cgifcontext.cpp (in frame#2), ccodec_gifmodule.cpp (in frame#4), fx_gif.cpp (in frame#3), fx_codec_progress.cpp (in frame#0, frame#5), xfa_codec_fuzzer.h (in frame#6)

@rharrison -- Could you please look into this issue? Kindly reassign if it has nothing to do with your changes.

Thank You.
Blocking: 62400
Labels: -M-63
GIF decoding is XFA only
Status: Started (was: Assigned)
Labels: Security_Impact-None
Project Member

Comment 5 by bugdroid1@chromium.org, Sep 26 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/8c806cf08ff928630142f769ca689f7c89bfd648

commit 8c806cf08ff928630142f769ca689f7c89bfd648
Author: Ryan Harrison <rharrison@chromium.org>
Date: Tue Sep 26 20:05:13 2017

Confirm that a global palette has data before attempting to use it

Previous implementation assumed that if the local colour palette was
not specified and the global palette had its size specified, then to use
the global. If the global palette is disabled, it will not have data,
but it may have a size. Technically the size is gibberish in this case,
but the value is allowed to be non-zero, so it isn't a sufficient check.

BUG= chromium:768089 

Change-Id: Iaec15fcd65f3983056df7d56d29118a516334cd9
Reviewed-on: https://pdfium-review.googlesource.com/14819
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/8c806cf08ff928630142f769ca689f7c89bfd648/core/fxcodec/codec/fx_codec_progress.cpp
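
The palette-selection logic the commit message describes, as an added illustration that is not pdfium's code: the structs, function names and the simplified GIF header parsing are assumptions, but the hardened condition is the one the fix states, the global table must have data rather than merely a non-zero declared size.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model (an assumption, not pdfium's types): a GIF colour table is
// RGB triplets; `rgb` is empty when the table is absent even if the header's
// size bits still announce a non-zero entry count.
struct GifPalette {
  std::vector<uint8_t> rgb;    // 3 bytes per entry, empty when absent
  uint32_t declared_size = 0;  // entry count announced by the header
};
struct GifFrameContext {
  const GifPalette* local_palette = nullptr;   // per-image table, may be absent
  const GifPalette* global_palette = nullptr;  // from the screen descriptor
};

// Builds the global palette from the logical screen descriptor's packed byte
// (bit 7 = global table flag, bits 0-2 = size as 2^(n+1) entries) and the bytes
// that follow it. With the flag clear no data is read, yet declared_size keeps
// whatever the size bits said: the state the crash report hit.
GifPalette ReadGlobalPalette(uint8_t packed, const std::vector<uint8_t>& data) {
  GifPalette pal;
  pal.declared_size = 2u << (packed & 0x07);
  if ((packed & 0x80) && data.size() >= pal.declared_size * 3u)
    pal.rgb.assign(data.begin(), data.begin() + pal.declared_size * 3u);
  return pal;
}

// Picks the table for a frame. The hardened check is "global table has data",
// not "declared_size is non-zero"; nullptr tells the caller to fail the decode.
const GifPalette* SelectPalette(const GifFrameContext& ctx) {
  if (ctx.local_palette && !ctx.local_palette->rgb.empty())
    return ctx.local_palette;
  if (ctx.global_palette && !ctx.global_palette->rgb.empty())
    return ctx.global_palette;
  return nullptr;
}

// Resolves colour index `idx`; false means no usable table or index too large.
bool LookupColour(const GifFrameContext& ctx, uint8_t idx, uint8_t out[3]) {
  const GifPalette* pal = SelectPalette(ctx);
  if (!pal) return false;
  size_t off = static_cast<size_t>(idx) * 3;
  if (off + 3 > pal->rgb.size()) return false;
  out[0] = pal->rgb[off]; out[1] = pal->rgb[off + 1]; out[2] = pal->rgb[off + 2];
  return true;
}
```

A packed byte of 0x07 (flag clear, size bits 7) yields a palette with declared_size 256 and no data, which the pre-fix logic would have treated as usable.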

Status: Fixed (was: Started)
Project Member

Comment 7 by bugdroid1@chromium.org, Sep 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3f5c52c33f9bc4ff49cc96025efead550b656773

commit 3f5c52c33f9bc4ff49cc96025efead550b656773
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Tue Sep 26 23:11:24 2017

Roll src/third_party/pdfium/ 7d04f1b0a..3070e94f6 (4 commits)

https://pdfium.googlesource.com/pdfium.git/+log/7d04f1b0ab48..3070e94f608f

$ git log 7d04f1b0a..3070e94f6 --date=short --no-merges --format='%ad %ae %s'
2017-09-26 dsinclair Remove _FX_IOS_
2017-09-26 dsinclair Fix checks for FX_WIN64_DESKTOP
2017-09-26 rharrison Confirm that a global palette has data before attempting to use it
2017-09-26 rharrison Move LZW decoder out of fx_gif

Created with:
  roll-dep src/third_party/pdfium
BUG= 768089 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


TBR=dsinclair@chromium.org

Change-Id: I76d65190d4b2765b754bea7cfc37ee09ed78477d
Reviewed-on: https://chromium-review.googlesource.com/685366
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504510}
[modify] https://crrev.com/3f5c52c33f9bc4ff49cc96025efead550b656773/DEPS

Project Member

Comment 8 by ClusterFuzz, Sep 27 2017

ClusterFuzz has detected this issue as fixed in range 504497:504542.

Detailed report: https://clusterfuzz.com/testcase?key=5772214090858496

Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  CCodec_ProgressiveDecoder::GifInputRecordPositionBuf
  CCodec_ProgressiveDecoder::GifInputRecordPositionBuf
  CGifContext::GetRecordPosition
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=503730:503770
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=504497:504542

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5772214090858496

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Sep 27 2017

Labels: OS-Mac
Project Member

Comment 10 by ClusterFuzz, Sep 27 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5772214090858496 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
