Global-buffer-overflow in CXFA_Node::NameToElement
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5341594940342272

Fuzzer: libFuzzer_pdfium_xfa_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Global-buffer-overflow READ 4
Crash Address: 0x0000039868f8
Crash State:
  CXFA_Node::NameToElement
  CXFA_SimpleParser::NormalLoader
  CXFA_SimpleParser::ParseAsXDPPacket_TemplateForm

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=519355:519387

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5341594940342272

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Comment 1 by ClusterFuzz, Nov 28 2017 (Labels: Test-Predator-Auto-Components)

Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/f473672fd6305fe97c749bde3b92e3c9c90e88d0 (Generate XFA node classes).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Nov 28 2017

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Nov 28 2017

XFA is not enabled on any branch of Chrome. Removing RB-Stable.
Nov 28 2017

The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/3ff28136fef69f1ecd81a9d0d8c278d7120d85f3

commit 3ff28136fef69f1ecd81a9d0d8c278d7120d85f3
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Tue Nov 28 17:05:08 2017

[XFA] Fix reading off end of name list

When walking the Node name list, we need to verify the element returned is not the end element, not just if the element is not null.

Bug: chromium:789113
Change-Id: I04c33a8f2066891e6031035e469c677c404fd724
Reviewed-on: https://pdfium-review.googlesource.com/19670
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/3ff28136fef69f1ecd81a9d0d8c278d7120d85f3/xfa/fxfa/parser/cxfa_node_statics.cpp
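The bug class the commit message describes, as an added C++ illustration (constructed example code, not pdfium's own): a lookup over a sorted, fixed-size global name table where std::lower_bound signals a miss by returning the end pointer, which is never null. The buggy lookup tests the pointer for null, the fixed one tests it against end. The enum, table and names are made up.

```cpp
#include <algorithm>
#include <cstdio>
#include <cstring>
#include <iterator>
#include <string>

// Constructed stand-in for the generated XFA element enum.
enum class Element { Unknown, Field, Subform, Template };

struct NameEntry {
  const char* name;  // table must stay sorted by name for lower_bound
  Element element;
};
// Constructed name table; global data, so an over-read past its end is the bug class ASan flagged.
static const NameEntry kElementNames[] = {
    {"field", Element::Field},
    {"subform", Element::Subform},
    {"template", Element::Template},
};

static bool NameLess(const NameEntry& entry, const std::string& name) {
  return std::strcmp(entry.name, name.c_str()) < 0;
}

// Buggy lookup modelled on the report: lower_bound signals a miss by returning
// std::end(), which is never null, so the null check passes and the dereference
// reads past the table. Never call this with a name that sorts after "template".
Element NameToElementBuggy(const std::string& name) {
  const NameEntry* it = std::lower_bound(std::begin(kElementNames),
                                         std::end(kElementNames), name, NameLess);
  if (it && it->name == name)  // wrong sentinel: must compare against end
    return it->element;
  return Element::Unknown;
}

// Fixed lookup, as the commit describes: check for the end element, not null.
Element NameToElement(const std::string& name) {
  const NameEntry* it = std::lower_bound(std::begin(kElementNames),
                                         std::end(kElementNames), name, NameLess);
  if (it != std::end(kElementNames) && it->name == name)
    return it->element;
  return Element::Unknown;
}

int main() {
  // "zzz" sorts after every entry: fixed lookup yields Unknown (0), no over-read.
  std::printf("zzz -> %d\n", static_cast<int>(NameToElement("zzz")));
  return 0;
}
```

Built with -fsanitize=address, a call to NameToElementBuggy with a name that sorts after the last entry reproduces the global-buffer-overflow read the report describes, while NameToElement returns Unknown for the same input.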
Nov 29 2017

ClusterFuzz has detected this issue as fixed in range 519747:519798.

Detailed report: https://clusterfuzz.com/testcase?key=5341594940342272

Fuzzer: libFuzzer_pdfium_xfa_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Global-buffer-overflow READ 4
Crash Address: 0x0000039868f8
Crash State:
  CXFA_Node::NameToElement
  CXFA_SimpleParser::NormalLoader
  CXFA_SimpleParser::ParseAsXDPPacket_TemplateForm

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=519355:519387
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=519747:519798

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5341594940342272

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 29 2017

ClusterFuzz testcase 5341594940342272 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 29 2017

Issue 789333 has been merged into this issue.
Mar 7 2018

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot