Issue metadata
Sign in to add a comment
|
Stack-buffer-overflow in CFX_MemoryStream::ReadBlock |
||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6538653413933056 Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Stack-buffer-overflow WRITE {*} Crash Address: 0x7f597767fed8 Crash State: CFX_MemoryStream::ReadBlock CFX_MemoryStream::ReadBlock CFX_BmpDecompressor::ReadData Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=536273:536283 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6538653413933056 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Feb 13 2018
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/ad905158b86269686f94ea76d1b700f68ea377d5 (Convert CFX_BmpDecompressor to use CFX_MemoryStream). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Feb 13 2018
,
Feb 13 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 13 2018
,
Feb 13 2018
Also XFA only.
,
Feb 13 2018
,
Feb 14 2018
,
Feb 15 2018
,
Feb 15 2018
ClusterFuzz testcase 4775682148925440 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Feb 15 2018
,
Feb 15 2018
,
Feb 15 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/625e6fec9ddd1d023116f7bd22d2192ef9bc49c8 commit 625e6fec9ddd1d023116f7bd22d2192ef9bc49c8 Author: Ryan Harrison <rharrison@chromium.org> Date: Thu Feb 15 17:47:09 2018 Correctly seek when header size is larger then expected BUG= chromium:811733 Change-Id: Idce50b8ea4ca06fc77d5b3931557cd1d6fe48bd5 Reviewed-on: https://pdfium-review.googlesource.com/26710 Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org> [modify] https://crrev.com/625e6fec9ddd1d023116f7bd22d2192ef9bc49c8/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
,
Feb 15 2018
,
Feb 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1c7a6ab994d205d84cab9cd153b16b0edec9efaf commit 1c7a6ab994d205d84cab9cd153b16b0edec9efaf Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Date: Thu Feb 15 19:21:29 2018 Roll src/third_party/pdfium/ 46f79aaad..625e6fec9 (1 commit) https://pdfium.googlesource.com/pdfium.git/+log/46f79aaad833..625e6fec9ddd $ git log 46f79aaad..625e6fec9 --date=short --no-merges --format='%ad %ae %s' 2018-02-15 rharrison Correctly seek when header size is larger then expected Created with: roll-dep src/third_party/pdfium BUG= 811733 The AutoRoll server is located here: https://pdfium-roll.skia.org Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary. TBR=dsinclair@chromium.org Change-Id: I7ce520f7395224d24f8d793ff1e58035b8d75033 Reviewed-on: https://chromium-review.googlesource.com/922382 Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#537095} [modify] https://crrev.com/1c7a6ab994d205d84cab9cd153b16b0edec9efaf/DEPS
,
Feb 16 2018
ClusterFuzz has detected this issue as fixed in range 537089:537101. Detailed report: https://clusterfuzz.com/testcase?key=6538653413933056 Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Stack-buffer-overflow WRITE {*} Crash Address: 0x7f597767fed8 Crash State: CFX_MemoryStream::ReadBlock CFX_MemoryStream::ReadBlock CFX_BmpDecompressor::ReadData Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=536273:536283 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=537089:537101 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6538653413933056 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 25 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by ClusterFuzz
, Feb 13 2018Labels: Test-Predator-Auto-Components