Stack-overflow in CXFA_FMBinExpression::~CXFA_FMBinExpression
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6652461254443008
Fuzzer: libFuzzer_pdf_formcalc_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffde6a57ff8
Crash State:
  CXFA_FMBinExpression::~CXFA_FMBinExpression
  CXFA_FMDotDotAccessorExpression::~CXFA_FMDotDotAccessorExpression
  CXFA_FMDotDotAccessorExpression::~CXFA_FMDotDotAccessorExpression
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=510527:510556
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6652461254443008

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jan 8 2018

Predator and CL could not provide any possible suspects. Using Code Search for the file "cxfa_fmsimpleexpression.cpp", I observed there were some recent changes to the file below.

Suspect CL: https://pdfium.googlesource.com/pdfium.git/+/efc879d226e98ddad36704d78f52037ccf4369dc

rharrison@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner. Thanks!
Jan 8 2018

I am not sure if it is directly related to that CL, but given it is in the FormCalc fuzzer, it should be assigned to me. This is in XFA code, so it isn't turned on in any releases at this point.
Feb 1 2018

FormCalc things
Feb 15 2018

The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/46f79aaad8330857e58cfd3928fdf91678112ae0

commit 46f79aaad8330857e58cfd3928fdf91678112ae0
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Thu Feb 15 15:09:45 2018

Add limit to number of formcalc expressions

Currently it's possible to create a formcalc script which creates a large number of expressions. This will eventually cause stack exhaustion as we try to allocate the needed expression objects. This CL limits the number of parsed expressions in the PostExpression section in order to keep from failing due to stack overflow.

Bug: chromium:799721
Change-Id: I69fca35db7f75ef97aec21c22fc06d926dfe2df6
Reviewed-on: https://pdfium-review.googlesource.com/26870
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/46f79aaad8330857e58cfd3928fdf91678112ae0/xfa/fxfa/fm2js/cxfa_fmparser.cpp
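As an added illustration of the mitigation that commit describes (a cap on the number of parsed expressions, so a script that chains expressions without bound is rejected instead of exhausting the stack), here is a constructed C++ sketch. It is not pdfium's code: the node type, the parser for a `..` accessor chain, the cap `kMaxExpressions` and its value are all hypothetical. It also goes one step beyond the page's fix by giving the node an iterative destructor, so that tearing down a deep tree (where the reported crash occurred) uses constant stack depth regardless of the cap.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>

// Constructed example, not pdfium code: a node for a chained ".." accessor
// expression. Each node owns the expression to its left, so an input with
// N segments becomes an N-deep tree, and a naive destructor would recurse
// N times while tearing it down (the shape of the crash reported above).
struct Expr {
  std::string name;
  std::unique_ptr<Expr> inner;

  // Iterative teardown: unlink the chain link by link so destruction uses
  // constant stack depth however deep the tree is. This complements the
  // parse-time cap; it is not the fix described in the commit message.
  ~Expr() {
    std::unique_ptr<Expr> cur = std::move(inner);
    while (cur) {
      std::unique_ptr<Expr> next = std::move(cur->inner);
      cur = std::move(next);  // frees the old node; its inner is already null
    }
  }
};

// Hypothetical cap on expression nodes per script; pdfium's actual limit
// value is not reproduced here.
constexpr size_t kMaxExpressions = 1000;

struct ParseResult {
  std::unique_ptr<Expr> expr;  // root of the tree, null on failure
  size_t count = 0;            // nodes allocated
  bool ok = false;             // false: malformed input or cap exceeded
};

// Parses "seg1..seg2..seg3" into a left-nested accessor chain. Stops with
// ok == false as soon as allocating one more node would exceed the cap, so
// the caller rejects the script instead of building an unbounded tree.
ParseResult ParseDotDotChain(const std::string& src) {
  ParseResult result;
  size_t pos = 0;
  for (;;) {
    size_t next = src.find("..", pos);
    std::string seg = src.substr(
        pos, next == std::string::npos ? std::string::npos : next - pos);
    if (seg.empty()) return result;  // empty segment: malformed, ok stays false
    if (result.count >= kMaxExpressions) {
      result.expr.reset();  // drop what was built so far (freed iteratively)
      return result;
    }
    auto node = std::make_unique<Expr>();
    node->name = seg;
    node->inner = std::move(result.expr);
    result.expr = std::move(node);
    ++result.count;
    if (next == std::string::npos) break;
    pos = next + 2;
  }
  result.ok = true;
  return result;
}

// Builds "a..a..a" with n segments (constructed test input).
std::string MakeChain(size_t n) {
  std::string s;
  for (size_t i = 0; i < n; ++i) {
    if (i) s += "..";
    s += "a";
  }
  return s;
}

int main() {
  ParseResult small = ParseDotDotChain("a..b..c");
  std::printf("small: ok=%d nodes=%zu root=%s\n", small.ok, small.count,
              small.expr->name.c_str());
  // Ten times the cap: the parser bails out early instead of building it.
  ParseResult big = ParseDotDotChain(MakeChain(kMaxExpressions * 10));
  std::printf("big: ok=%d nodes=%zu\n", big.ok, big.count);
  return 0;
}
```

The two defenses address different halves of the problem: the cap bounds how much work a single script can demand at parse time, while the iterative destructor removes the recursion from teardown, which is where ASan reported the overflow.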
Feb 16 2018

ClusterFuzz has detected this issue as fixed in range 537030:537040.

Detailed report: https://clusterfuzz.com/testcase?key=6652461254443008
Fuzzer: libFuzzer_pdf_formcalc_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffde6a57ff8
Crash State:
  CXFA_FMBinExpression::~CXFA_FMBinExpression
  CXFA_FMDotDotAccessorExpression::~CXFA_FMDotDotAccessorExpression
  CXFA_FMDotDotAccessorExpression::~CXFA_FMDotDotAccessorExpression
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=510527:510556
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=537030:537040
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6652461254443008

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 16 2018

ClusterFuzz testcase 6652461254443008 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 6 2018

Labels: Test-Predator-Auto-Components