Stack-overflow in CXFA_FMBinExpression::~CXFA_FMBinExpression
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4586778345603072
Fuzzer: libFuzzer_pdf_formcalc_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7fff70bf6fe0
Crash State:
  CXFA_FMBinExpression::~CXFA_FMBinExpression
  CXFA_FMEqualityExpression::~CXFA_FMEqualityExpression
  CXFA_FMEqualityExpression::~CXFA_FMEqualityExpression
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=510527:510556
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4586778345603072

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Feb 17 2018
Mar 7 2018
Mar 7 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/04d792fb7510e328f508bc81379ca15791af93e7

commit 04d792fb7510e328f508bc81379ca15791af93e7
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Wed Mar 07 20:44:47 2018

[formcalc] Consider width along with depth of tree

When building the formcalc parser trees we need to limit on width along with depth. It's possible to generate a tree of a single depth but is more than 20k nodes wide. This will eventually cause stack overflow issues.

This CL re-uses the depth check for the grammar expressions in which we're extending the width of the tree; we count that against our depth check.

Bug: chromium:813346
Change-Id: I01f6567a75776a75374465eacc1ff546db46cac1
Reviewed-on: https://pdfium-review.googlesource.com/28170
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/04d792fb7510e328f508bc81379ca15791af93e7/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
[modify] https://crrev.com/04d792fb7510e328f508bc81379ca15791af93e7/xfa/fxfa/fm2js/cxfa_fmparser.cpp

Mar 7 2018
Mar 8 2018
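To illustrate the fix the commit above describes, here is an added example that is not PDFium's code: a miniature recursive-descent equality-expression parser with a single depth budget that is charged for each nesting level and, as the CL does, for each link that widens a chain. The Node, Parser, Restore and budget names are stand-ins for CXFA_FMBinExpression and the parser's depth counter; the grammar is reduced to identifiers, `==` and parentheses.

```cpp
#include <algorithm>
#include <cctype>
#include <memory>
#include <string>

// Stand-in for CXFA_FMBinExpression (hypothetical, not PDFium's class): a left-leaning
// chain of these is freed by recursive destructor calls, one stack frame per link.
struct Node { std::string op; std::unique_ptr<Node> left, right; };

class Parser {
 public:
  Parser(std::string src, size_t max_depth) : src_(std::move(src)), budget_(max_depth) {}
  // Grammar: equality := primary ("==" primary)* ; primary := ident | "(" equality ")".
  std::unique_ptr<Node> ParseEquality() {
    Restore guard(budget_);            // budget is restored when this frame returns
    if (!Charge()) return nullptr;     // depth: one unit per nesting level
    auto lhs = ParsePrimary();
    while (lhs && Match("==")) {
      if (!Charge()) return nullptr;   // width: the fix charges each chain link as well
      auto rhs = ParsePrimary();
      if (!rhs) return nullptr;
      lhs = std::unique_ptr<Node>(new Node{"==", std::move(lhs), std::move(rhs)});
    }
    return lhs;
  }
 private:
  struct Restore { size_t& ref; size_t saved; explicit Restore(size_t& r) : ref(r), saved(r) {} ~Restore() { ref = saved; } };
  bool Charge() { if (budget_ == 0) return false; --budget_; return true; }
  void SkipSpace() { while (pos_ < src_.size() && std::isspace((unsigned char)src_[pos_])) ++pos_; }
  bool Match(const std::string& tok) { SkipSpace(); if (src_.compare(pos_, tok.size(), tok) != 0) return false; pos_ += tok.size(); return true; }
  std::unique_ptr<Node> ParsePrimary() {
    if (Match("(")) { auto inner = ParseEquality(); return (inner && Match(")")) ? std::move(inner) : nullptr; }
    if (pos_ >= src_.size() || !std::isalpha((unsigned char)src_[pos_])) return nullptr;
    auto leaf = std::make_unique<Node>(); leaf->op = std::string(1, src_[pos_++]); return leaf;
  }
  std::string src_; size_t pos_ = 0; size_t budget_;
};

// Height of the tree, i.e. how many nested destructor frames freeing it needs.
size_t Height(const Node* n) { return n ? 1 + std::max(Height(n->left.get()), Height(n->right.get())) : 0; }
// 0 when the budget rejects the input, otherwise the height of the resulting tree.
size_t ParsedHeight(const std::string& src, size_t max_depth) { Parser p(src, max_depth); return Height(p.ParseEquality().get()); }
// Constructed input "a == a == a ..." with the given number of "==" links.
std::string WideChain(size_t links) { std::string s = "a"; for (size_t i = 0; i < links; ++i) s += " == a"; return s; }
```

Without the width charge, a chain of N operators parses into a tree of height N+1, which is exactly the shape whose recursive destruction the ASAN report above shows overflowing the stack.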
ClusterFuzz has detected this issue as fixed in range 541704:541715.

Detailed report: https://clusterfuzz.com/testcase?key=4586778345603072
Fuzzer: libFuzzer_pdf_formcalc_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7fff70bf6fe0
Crash State:
  CXFA_FMBinExpression::~CXFA_FMBinExpression
  CXFA_FMEqualityExpression::~CXFA_FMEqualityExpression
  CXFA_FMEqualityExpression::~CXFA_FMEqualityExpression
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=510527:510556
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=541704:541715
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4586778345603072

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 8 2018
ClusterFuzz testcase 4586778345603072 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Feb 17 2018
Labels: Test-Predator-Auto-Components