Use-of-uninitialized-value in CFX_BmpDecompressor::ReadHeader
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5096426682712064
Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CFX_BmpDecompressor::ReadHeader
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::BmpDetectImageType
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=536273:536275
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5096426682712064

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Feb 13 2018
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/ad905158b86269686f94ea76d1b700f68ea377d5 (Convert CFX_BmpDecompressor to use CFX_MemoryStream). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Feb 13 2018
I think this is XFA only.
,
Feb 14 2018
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/a9eabe43437871b7b5f5569f0e3e1b9b3e01cedf

commit a9eabe43437871b7b5f5569f0e3e1b9b3e01cedf
Author: Ryan Harrison <rharrison@chromium.org>
Date: Wed Feb 14 18:57:20 2018

Check that the request was satisfied in ReadData

Currently the BMP decompressor doesn't verify the returned data length was the amount requested. This means we may end up with part of our structure uninitialized if we didn't copy in enough data. This CL verifies the length of data copied is the size we require.

BUG= chromium:811853
Change-Id: I20e0e9b3ff1176a620fcb38c3c7e585848b7e428
Reviewed-on: https://pdfium-review.googlesource.com/26850
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/a9eabe43437871b7b5f5569f0e3e1b9b3e01cedf/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
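The defect the commit message describes, as an added illustration that is not PDFium's code: a memory-backed stream whose read may return a short count, an unchecked header read that ignores that count, and the checked form that rejects anything less than the requested size. MemoryStream, BmpFileHeader and both ReadHeader* functions are constructed for this example and are not PDFium's CFX_MemoryStream or CFX_BmpDecompressor API.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for a memory-backed input stream (constructed for this example).
// ReadBlock copies up to `size` bytes and returns the count actually copied,
// which is short when the input is truncated.
struct MemoryStream {
  std::vector<uint8_t> data;
  size_t pos = 0;
  size_t ReadBlock(uint8_t* dst, size_t size) {
    size_t n = std::min(size, data.size() - pos);
    std::memcpy(dst, data.data() + pos, n);
    pos += n;
    return n;
  }
};

// Standard 14-byte BITMAPFILEHEADER layout, packed so sizeof() is 14.
#pragma pack(push, 1)
struct BmpFileHeader {
  uint16_t bfType;     // 'B','M'
  uint32_t bfSize;
  uint16_t bfReserved1;
  uint16_t bfReserved2;
  uint32_t bfOffBits;  // offset of the pixel data
};
#pragma pack(pop)

// Pre-fix pattern: the short count is ignored, so on a truncated file the tail
// of *hdr keeps whatever was in memory and later decisions (bfSize, bfOffBits)
// branch on uninitialized bytes, which is the condition MSan reports.
bool ReadHeaderUnchecked(MemoryStream& in, BmpFileHeader* hdr) {
  in.ReadBlock(reinterpret_cast<uint8_t*>(hdr), sizeof(*hdr));
  return std::memcmp(&hdr->bfType, "BM", 2) == 0;
}

// Fixed pattern: a read that returns fewer bytes than requested is an error,
// so the caller never inspects a partially filled header.
bool ReadHeaderChecked(MemoryStream& in, BmpFileHeader* hdr) {
  size_t got = in.ReadBlock(reinterpret_cast<uint8_t*>(hdr), sizeof(*hdr));
  if (got != sizeof(*hdr))
    return false;
  return std::memcmp(&hdr->bfType, "BM", 2) == 0;
}
```

With a 6-byte truncated input carrying a valid "BM" signature, the unchecked read still reports success while the checked read fails, which is exactly the gap the CL closes.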
,
Feb 14 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/36b135264d1c4445c2d3d520f6b4824347e494a4

commit 36b135264d1c4445c2d3d520f6b4824347e494a4
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Wed Feb 14 21:49:14 2018

Roll src/third_party/pdfium/ 785d126bd..a9eabe434 (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/785d126bd57a..a9eabe434378

$ git log 785d126bd..a9eabe434 --date=short --no-merges --format='%ad %ae %s'
2018-02-14 rharrison Check that the request was satisfied in ReadData

Created with:
  roll-dep src/third_party/pdfium

BUG= 811853

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org
Change-Id: I2925d01519ed10a285889d0f8b5b7300c52eefe5
Reviewed-on: https://chromium-review.googlesource.com/919601
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#536830}

[modify] https://crrev.com/36b135264d1c4445c2d3d520f6b4824347e494a4/DEPS
,
Feb 15 2018
ClusterFuzz has detected this issue as fixed in range 536784:536853.

Detailed report: https://clusterfuzz.com/testcase?key=5096426682712064
Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  CFX_BmpDecompressor::ReadHeader
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::BmpDetectImageType
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=536273:536275
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=536784:536853
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5096426682712064

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 15 2018
ClusterFuzz testcase 5096426682712064 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot