
Issue 819509

Issue metadata

Status: Verified
Closed: Mar 2018
OS: Linux, Mac
Pri: 1
Type: Bug
Blocking: issue 62400

ASSERT: m_pExpression

Reported by ClusterFuzz (Project Member), Mar 7 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5072556546326528

Fuzzer: libFuzzer_pdf_formcalc_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  m_pExpression
  CXFA_FMIfExpression::CXFA_FMIfExpression
  pdfium::internal::MakeUniqueResult<CXFA_FMIfExpression>::Scalar pdfium::MakeUniq
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=538350:538359

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5072556546326528

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Comment 1 by ClusterFuzz (Project Member), Mar 7 2018

Components: Internals>Plugins>PDF
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Mar 7 2018

Labels: Test-Predator-Auto-Owner
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/aa2aff78e082f14e4bc418f68b27817f90e3f07a ([formcalc] Cleanup if expression parsing.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Blocking: 62400
Status: Started (was: Assigned)
Comment 4 by bugdroid1@chromium.org (Project Member), Mar 7 2018

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/749b609d11e855edf0aefdacbe4f81bb73d8d0d0

commit 749b609d11e855edf0aefdacbe4f81bb73d8d0d0
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Wed Mar 07 18:48:37 2018

[formcalc] Handle bad elseif conditionals

This CL adds checking for the conditionals of if and elseif expressions.
If the conditional fails to parse we should return nullptr. This already
happens by accident in the if() case, but with elseif() conditions we'll
fail the ASSERT in the CXFA_FMIfExpression constructor and crash.

This CL explicitly checks for the expressions and early exits if they
failed to parse.

Bug: chromium:819509
Change-Id: I9a90182c7709c8c4c0d3ae17d6be67cb668c0c6a
Reviewed-on: https://pdfium-review.googlesource.com/28131
Commit-Queue: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/749b609d11e855edf0aefdacbe4f81bb73d8d0d0/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
[modify] https://crrev.com/749b609d11e855edf0aefdacbe4f81bb73d8d0d0/xfa/fxfa/fm2js/cxfa_fmparser.cpp
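The failure mode the commit message describes, as an added illustration that is not pdfium's code: a hypothetical recursive-descent parser for an `if ( ... ) elseif ( ... ) endif` chain whose node constructor asserts on a null condition, as `ASSERT(m_pExpression)` does in the report. The parser returns nullptr as soon as a condition fails to parse, so a malformed `elseif` condition never reaches the constructor. Names (`IfExpr`, `IfParser`) and the toy token grammar are assumptions.

```cpp
#include <cassert>
#include <cctype>
#include <memory>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical AST types, not pdfium's CXFA_FM* classes.
struct Expr { std::string name; };

struct IfExpr {
  std::unique_ptr<Expr> cond;
  std::unique_ptr<IfExpr> else_if;  // next link of the elseif chain, may be null
  IfExpr(std::unique_ptr<Expr> c, std::unique_ptr<IfExpr> e)
      : cond(std::move(c)), else_if(std::move(e)) {
    assert(cond);  // the invariant the crash tripped over in the elseif case
  }
};

// Toy grammar (space-separated tokens): if ( IDENT ) { elseif ( IDENT ) } endif
class IfParser {
 public:
  explicit IfParser(const std::string& src) {
    std::istringstream in(src);
    for (std::string t; in >> t;) toks_.push_back(t);
  }
  // Returns nullptr on any syntax error; never hands a null condition to IfExpr.
  std::unique_ptr<IfExpr> Parse(const std::string& keyword = "if") {
    if (!Accept(keyword) || !Accept("(")) return nullptr;
    std::unique_ptr<Expr> cond = ParseCondition();
    if (!cond) return nullptr;  // the early exit the fix adds; without it a bad
                                // elseif condition reaches assert(cond) and aborts
    if (!Accept(")")) return nullptr;
    std::unique_ptr<IfExpr> rest;
    if (Peek() == "elseif") {
      rest = Parse("elseif");
      if (!rest) return nullptr;  // propagate failure up the chain
    } else if (!Accept("endif")) {
      return nullptr;
    }
    return std::make_unique<IfExpr>(std::move(cond), std::move(rest));
  }
 private:
  std::vector<std::string> toks_;
  size_t pos_ = 0;
  std::string Peek() const { return pos_ < toks_.size() ? toks_[pos_] : ""; }
  bool Accept(const std::string& t) { if (Peek() != t) return false; ++pos_; return true; }
  std::unique_ptr<Expr> ParseCondition() {  // identifiers only; anything else fails
    std::string t = Peek();
    if (t.empty() || !std::isalpha(static_cast<unsigned char>(t[0]))) return nullptr;
    ++pos_;
    return std::make_unique<Expr>(Expr{t});
  }
};
```

Removing the `if (!cond) return nullptr;` line reproduces the crash shape: `if ( a ) elseif ( ) endif` then aborts in the constructor instead of returning a parse failure.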

Status: Fixed (was: Started)
Cc: dsinclair@chromium.org
Issue 819507 has been merged into this issue.

Comment 7 by ClusterFuzz (Project Member), Mar 8 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4517596842688512 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 8 by ClusterFuzz (Project Member), Mar 8 2018

ClusterFuzz has detected this issue as fixed in range 541534:541552.

Detailed report: https://clusterfuzz.com/testcase?key=5072556546326528

Fuzzer: libFuzzer_pdf_formcalc_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  m_pExpression
  CXFA_FMIfExpression::CXFA_FMIfExpression
  pdfium::internal::MakeUniqueResult<CXFA_FMIfExpression>::Scalar pdfium::MakeUniq
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=538350:538359
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=541534:541552

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5072556546326528

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Issue 819995 has been merged into this issue.

Comment 10 by ClusterFuzz (Project Member), Mar 8 2018

Labels: OS-Mac