Issue: Heap-buffer-overflow in CCodec_ProgressiveDecoder::ReSampleScanline
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5290919049035776
Fuzzer: afl_pdf_codec_gif_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x602000001390
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanline
  ReadScanline
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=504708:504760
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5290919049035776

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by sheriffbot@chromium.org, Sep 30 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 30 2017
Make names of GIF types less opaque by rharrison@chromium.org
- Changelist touched lines near the crashed line in frame #3 CGifContext::LoadFrame(int) (distance = 10 lines away)
- Top touched frame is #2 ReadScanline (in cgifcontext.cpp)
- Changed files cfx_lzwdecoder.h, cgifcontext.cpp, cgifcontext.h, fx_gif.cpp, fx_gif.h, with the same CrashedDirectory (core/fxcodec/lgif) as cgifcontext.cpp (in frame#2, frame#3)
- Touched files in stacktrace: cgifcontext.cpp
- Changed files cfx_lzwdecoder.h, cgifcontext.cpp, cgifcontext.h, fx_gif.cpp, fx_gif.h, with the same CrashedComponent (Internals>Plugins>PDF) as cgifcontext.cpp (in frame#2, frame#3), ccodec_gifmodule.cpp (in frame#4), fx_codec_progress.cpp (in frame#0, frame#1, frame#5), xfa_codec_fuzzer.h (in frame#6)

Add in missing ! to conditional by rharrison@chromium.org
- Changelist touched lines near the crashed line in frame #3 CGifContext::LoadFrame(int) (distance = 70 lines away)
- Top touched frame is #2 ReadScanline (in cgifcontext.cpp)
- Changed files cgifcontext.cpp, with the same CrashedDirectory (core/fxcodec/lgif) as cgifcontext.cpp (in frame#2, frame#3)
- Touched files in stacktrace: cgifcontext.cpp
- Changed files cgifcontext.cpp, with the same CrashedComponent (Internals>Plugins>PDF) as cgifcontext.cpp (in frame#2, frame#3), ccodec_gifmodule.cpp (in frame#4), fx_codec_progress.cpp (in frame#0, frame#1, frame#5), xfa_codec_fuzzer.h (in frame#6)
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 2 2017
GIF is XFA only, thus not enabled in releases, changing impact and removing milestone.
Oct 5 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/a3742637f501306f0ec3ffec73dbda8f22790863

commit a3742637f501306f0ec3ffec73dbda8f22790863
Author: Ryan Harrison <rharrison@chromium.org>
Date: Thu Oct 05 17:43:45 2017

Make GIF decoder more standards compliant

Fixed issue with unit tests that was causing raw data to be backwards and reverted related LSB -> MSB change that was introduced due to this.

If global palette not set then the background colour index should be 0. Check that background colour index is valid when global palette exists. Check if transparency index is valid for the palette of the frame it is being applied to.

BUG=chromium:770337
Change-Id: I5d9b648f45bbb4c93218664a7035e4d01dbeb627
Reviewed-on: https://pdfium-review.googlesource.com/15453
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/a3742637f501306f0ec3ffec73dbda8f22790863/core/fxcodec/gif/cfx_gifcontext_unittest.cpp
[modify] https://crrev.com/a3742637f501306f0ec3ffec73dbda8f22790863/core/fxcodec/gif/cfx_gifcontext.cpp
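The commit message above describes the fix as three palette-index checks: a missing global palette forces the background index to 0, an existing global palette must actually contain the background index, and the transparency index must fall inside the palette of the frame it applies to. The following C code is an added illustration of those checks written for this page; it is not PDFium's code and does not reproduce the crashing decoder. It assumes the standard GIF colour-table layout (bit 7 of the packed field marks the table as present, bits 0-2 give the size exponent, so a table holds 2^(n+1) entries) and models a palette only by its entry count, since an out-of-range index into a palette array is exactly the kind of read ASAN flagged here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of entries in a GIF colour table, derived from the packed byte of
   the logical screen descriptor (global table) or image descriptor (local
   table): bit 7 = table present, bits 0-2 = size exponent n, 2^(n+1) entries.
   Returns 0 when no table is present. */
size_t gif_palette_count(uint8_t packed) {
    if (!(packed & 0x80))
        return 0;
    return (size_t)1 << ((packed & 0x07) + 1);
}

/* Background colour index as the fix describes it:
   - no global palette: the index is forced to 0, whatever the file says;
   - global palette present: the index must be inside it.
   Returns the resolved index, or -1 when the file's index is out of range. */
int gif_resolve_background(size_t global_count, uint8_t bg_index) {
    if (global_count == 0)
        return 0;
    if ((size_t)bg_index >= global_count)
        return -1;
    return bg_index;
}

/* The palette a frame is drawn with: its local table if it has one,
   otherwise the global table. */
size_t gif_frame_palette_count(size_t global_count, size_t local_count) {
    return local_count != 0 ? local_count : global_count;
}

/* Transparency index from a Graphic Control Extension must be a valid
   entry of the frame's own palette, not merely a valid byte. */
bool gif_transparency_index_valid(size_t frame_palette_count,
                                  uint8_t transparency_index) {
    return frame_palette_count != 0 &&
           (size_t)transparency_index < frame_palette_count;
}

int main(void) {
    /* Constructed sample header values (hypothetical, not from a real file):
       global table present with 4 entries, a frame with a 2-entry local table. */
    uint8_t screen_packed = 0x91;  /* 1001 0001: present, n=1 -> 4 entries */
    uint8_t image_packed  = 0x80;  /* 1000 0000: present, n=0 -> 2 entries */
    uint8_t bg_index = 3;          /* last valid global entry */
    uint8_t trans_index = 2;       /* one past the end of the local table */

    size_t global_count = gif_palette_count(screen_packed);
    size_t local_count = gif_palette_count(image_packed);
    size_t frame_count = gif_frame_palette_count(global_count, local_count);

    printf("global palette entries: %zu, frame palette entries: %zu\n",
           global_count, frame_count);
    printf("background index %u -> %d\n", bg_index,
           gif_resolve_background(global_count, bg_index));
    printf("transparency index %u valid: %s\n", trans_index,
           gif_transparency_index_valid(frame_count, trans_index) ? "yes" : "no");
    return 0;
}
```

The point of modelling the palette by count rather than indexing into an array is that every index a decoder later uses to read pixels has been validated against the table that will actually be read, which is the property the fix restores.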
Oct 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d4e1b8bcc5cfd9038eb81b4d5d79b724d505c0c2

commit d4e1b8bcc5cfd9038eb81b4d5d79b724d505c0c2
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Thu Oct 05 21:06:24 2017

Roll src/third_party/pdfium/ 4ce4f5f8a..480ca10f7 (12 commits)

https://pdfium.googlesource.com/pdfium.git/+log/4ce4f5f8ab0b..480ca10f7a20

$ git log 4ce4f5f8a..480ca10f7 --date=short --no-merges --format='%ad %ae %s'
2017-10-05 dsinclair Remove unused CPVT_SecProps
2017-10-05 dsinclair Remove more unused params
2017-10-05 dsinclair Remove unused parameters
2017-10-05 rharrison Add ObservedPtr to catch Widget being killed by JS
2017-10-05 rharrison Add ObservedPtrs to catch issues in SaveData
2017-10-05 npm Create FreeType roll script
2017-10-04 rharrison Make GIF decoder more standards compliant
2017-10-05 dsinclair Move CPDF_RenderOptions members to private
2017-10-05 dsinclair Remove friend from CPDF_ApSettings
2017-10-05 npm Roll FT to ae7dc1f62d826083d418e86cce3f66a76dff038a
2017-10-05 dsinclair Remove friends from form code
2017-10-05 dsinclair Remove friends from CPDF_VariableText

Created with: roll-dep src/third_party/pdfium

BUG=771979, 756427, 770337

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I875e810e00b7d619534e2dc24519c27088423e15
Reviewed-on: https://chromium-review.googlesource.com/703198
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506857}

[modify] https://crrev.com/d4e1b8bcc5cfd9038eb81b4d5d79b724d505c0c2/DEPS
Oct 7 2017
ClusterFuzz has detected this issue as fixed in range 506826:506859.

Detailed report: https://clusterfuzz.com/testcase?key=5290919049035776
Fuzzer: afl_pdf_codec_gif_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x602000001390
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::GifReadScanline
  ReadScanline
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=504708:504760
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=506826:506859
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5290919049035776

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 7 2017
ClusterFuzz testcase 5290919049035776 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot