Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in CCodec_ProgressiveDecoder::ReSampleScanline |
||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6454296907612160 Fuzzer: libFuzzer_pdf_codec_gif_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x604000000900 Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::GifReadScanline CGifContext::LoadFrame Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398287:399171 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6454296907612160 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Sep 24 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 24 2017
,
Sep 26 2017
Predator result: Clean up fx_codec_tiff.cpp. by thestig@chromium.org Minimum distance between changed lines and stacktrace lines in fx_codec_progress.cpp is 0 Top touched frame is #0 CCodec_ProgressiveDecoder::ReSampleScanline(in fx_codec_progress.cpp) Changed files ccodec_tiffmodule.h, fx_codec_progress.cpp, fx_codec_tiff.cpp, with the same CrashedDirectory(core/fxcodec/codec) as ccodec_gifmodule.cpp (in frame#3), fx_codec_progress.cpp (in frame#0, frame#1, frame#4) Touched files in stacktrace - fx_codec_progress.cpp Changed files ccodec_tiffmodule.h, fx_codec_progress.cpp, fx_codec_tiff.cpp, ccodec_progressivedecoder.h, with the same CrashedComponent(Internals>Plugins>PDF) as cgifcontext.cpp (in frame#2), ccodec_gifmodule.cpp (in frame#3), fx_codec_progress.cpp (in frame#0, frame#1, frame#4), xfa_codec_fuzzer.h (in frame#5) Get rid of NULLs in core/ by thestig@chromium.org Minimum distance between changed lines and stacktrace lines in fx_codec_progress.cpp is 0 Top touched frame is #0 CCodec_ProgressiveDecoder::ReSampleScanline(in fx_codec_progress.cpp) Changed files fx_codec.cpp, fx_codec_bmp.cpp, fx_codec_fax.cpp, fx_codec_flate.cpp, fx_codec_gif.cpp, fx_codec_icc.cpp, fx_codec_jbig.cpp, fx_codec_jpeg.cpp, fx_codec_jpx_opj.cpp, fx_codec_png.cpp, fx_codec_progress.cpp, fx_codec_tiff.cpp, with the same CrashedDirectory(core/fxcodec/codec) as ccodec_gifmodule.cpp (in frame#3), fx_codec_progress.cpp (in frame#0, frame#1, frame#4) Changed files fx_gif.cpp, fx_gif.h, with the same CrashedDirectory(core/fxcodec/lgif) as cgifcontext.cpp (in frame#2) Touched files in stacktrace - fx_codec_progress.cpp Changed files fx_crypt.cpp, cmaps_cns1.cpp, cmaps_gb1.cpp, cmaps_japan1.cpp, cmaps_korea1.cpp, fpdf_cmaps.cpp, cpdf_pagecontentgenerator.cpp, cpdf_creator.h, cpdf_cidfont.cpp, cpdf_cidfont.h, cpdf_font.cpp, cpdf_fontencoding.cpp, cpdf_simplefont.cpp, cpdf_simplefont.h, cpdf_type1font.cpp, fpdf_font.cpp, fpdf_font_cid.cpp, ttgsubtable.cpp, ttgsubtable.h, cpdf_allstates.cpp, cpdf_colorspace.cpp, cpdf_image.cpp, cpdf_textstate.cpp, fpdf_page_colors.cpp, fpdf_page_doc.cpp, fpdf_page_parser.cpp, fpdf_page_parser_old.cpp, cpdf_colorspace.h, cpdf_form.h, cpdf_image.h, pageint.h, cfdf_document.cpp, cpdf_array.cpp, cpdf_crypto_handler.cpp, cpdf_data_avail.cpp, cpdf_security_handler.cpp, cpdf_document.h, cpdf_pagerendercache.h, fpdf_render.cpp, fpdf_render_cache.cpp, fpdf_render_image.cpp, fpdf_render_pattern.cpp, fpdf_render_text.cpp, render_int.h, cpdf_variabletext.cpp, doc_action.cpp, doc_annot.cpp, doc_basic.cpp, doc_form.cpp, doc_tagged.cpp, doc_utils.cpp, doc_viewerPreferences.cpp, cpdf_variabletext.h, fpdf_doc.h, pdf_vt.h, fpdf_text_int.cpp, fx_codec.cpp, fx_codec_bmp.cpp, fx_codec_fax.cpp, fx_codec_flate.cpp, fx_codec_gif.cpp, fx_codec_icc.cpp, fx_codec_jbig.cpp, fx_codec_jpeg.cpp, fx_codec_jpx_opj.cpp, fx_codec_png.cpp, fx_codec_progress.cpp, fx_codec_tiff.cpp, ccodec_progressivedecoder.h, JBig2_Context.cpp, JBig2_Context.h, JBig2_Image.cpp, JBig2_PatternDict.cpp, JBig2_Segment.cpp, fx_bmp.cpp, fx_bmp.h, fx_gif.cpp, fx_gif.h, fx_arabic.cpp, fx_basic_array.cpp, fx_basic_bstring_unittest.cpp, fx_basic_gcc.cpp, fx_basic_list.cpp, fx_basic_maps.cpp, fx_extension.cpp, fxcrt_windows.cpp, fx_basic.h, fx_ext.h, fx_system.h, fx_ucd.h, fx_xml.h, xml_int.h, fx_agg_driver.h, fpf_skiafontmgr.cpp, fpf_skiafontmgr.h, fx_android_font.cpp, apple_int.h, fx_apple_platform.cpp, fx_mac_imp.cpp, fx_quartz_device.cpp, dib_int.h, fx_dib_convert.cpp, fx_dib_engine.cpp, fx_dib_main.cpp, fx_dib_transform.cpp, fx_freetype.cpp, fx_ge.cpp, fx_ge_device.cpp, fx_ge_font.cpp, fx_ge_fontmap.cpp, fx_ge_linux.cpp, fx_ge_path.cpp, fx_ge_text.cpp, fx_text_int.h, fx_dib.h, fx_font.h, fx_ge.h, fx_ge_win32.h, fx_skia_device.h, dwrite_int.h, fx_win32_dib.cpp, fx_win32_dwrite.cpp, fx_win32_gdipext.cpp, win32_int.h, fpdfdoc_embeddertest.cpp, fpdftext_embeddertest.cpp, fxet_edit.cpp, cfde_txtedtpage.cpp, fwl_datetimepickerimp.cpp, fwl_widgetimp.cpp, ifwl_widget.h, xfa_textlayout.cpp, cxfa_widgetdata.cpp, with the same CrashedComponent(Internals>Plugins>PDF) as cgifcontext.cpp (in frame#2), ccodec_gifmodule.cpp (in frame#3), fx_codec_progress.cpp (in frame#0, frame#1, frame#4), xfa_codec_fuzzer.h (in frame#5)
,
Sep 26 2017
,
Sep 26 2017
GIF is XFA only.
,
Sep 27 2017
,
Sep 27 2017
This is no longer reproducing on HEAD for me. I have fixed other issues that are similar to this near the crash site, so I am pretty that has been fixed.
,
Sep 28 2017
ClusterFuzz has detected this issue as fixed in range 504746:504782. Detailed report: https://clusterfuzz.com/testcase?key=6454296907612160 Fuzzer: libFuzzer_pdf_codec_gif_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x604000000900 Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::GifReadScanline CGifContext::LoadFrame Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398287:399171 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=504746:504782 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6454296907612160 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 28 2017
,
Sep 29 2017
ClusterFuzz testcase 6454296907612160 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 4 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Sep 24 2017