New issue
Advanced search Search tips

Issue 835184 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Global-buffer-overflow in fxcrt::WideString::WStringLength

Project Member Reported by ClusterFuzz, Apr 20 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5015582035148800

Fuzzer: ochang_search_index_mutator
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x7ffb5a1acc66
Crash State:
  fxcrt::WideString::WStringLength
  CFX_Win32FontInfo::MapFont
  chrome_pdf::MapFontWithMetrics
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5015582035148800

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Apr 20 2018

Components: Internals>Plugins>PDF
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 20 2018

Labels: M-66
Project Member

Comment 3 by sheriffbot@chromium.org, Apr 20 2018

Labels: Pri-1

Comment 4 by vakh@chromium.org, Apr 21 2018

Cc: dsinclair@chromium.org
Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)

Comment 6 by tsepez@chromium.org, Apr 23 2018

Probably sev-low at best as any leaked info is only used in a failing comparison against a value not directly under the document's control.

Comment 7 by tsepez@chromium.org, Apr 23 2018

Status: Fixed (was: Assigned)
Project Member

Comment 8 by bugdroid1@chromium.org, Apr 24 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e34993082fdbe8a42442592b77d3e29345bff1ad

commit e34993082fdbe8a42442592b77d3e29345bff1ad
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Tue Apr 24 00:07:16 2018

Roll src/third_party/pdfium/ dd2a629f9..4e4147ecc (13 commits)

https://pdfium.googlesource.com/pdfium.git/+log/dd2a629f9ede..4e4147eccd25

$ git log dd2a629f9..4e4147ecc --date=short --no-merges --format='%ad %ae %s'
2018-04-23 dsinclair Make CFX_SeekableStreamProxy a subclass of IFX_SeekableReadStream
2018-04-23 dsinclair Change CFX_XML Save to take a write stream
2018-04-23 thestig Validate the Size dictionary entry in CPDF_SampledFunc.
2018-04-23 dsinclair Revert "Change CFX_XML Save to take a write stream"
2018-04-23 dsinclair Revert "Make CFX_SeekableStreamProxy a subclass of IFX_SeekableReadStream"
2018-04-23 dsinclair Make CFX_SeekableStreamProxy a subclass of IFX_SeekableReadStream
2018-04-23 dsinclair Change CFX_XML Save to take a write stream
2018-04-23 hnakashima Create FPDFPageObjMark_GetParamStringValue().
2018-04-23 tsepez Disable JavaScript entirely if no JSPlatform passed by embedder.
2018-04-23 tsepez Provide double-byte terminator in Windows font variant name.
2018-04-23 hnakashima Create API to get PageObject mark parameters.
2018-04-23 thestig Fix some nits in CPDF_SampledFunc().
2018-04-23 thestig Add more image size checks in CJBig2_Context.

Created with:
  roll-dep src/third_party/pdfium
BUG= chromium:835184 , chromium:834557 


The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


TBR=dsinclair@chromium.org

Change-Id: Ib1c912e3943955d045f467a5885127d02d6ecac5
Reviewed-on: https://chromium-review.googlesource.com/1024884
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#552914}
[modify] https://crrev.com/e34993082fdbe8a42442592b77d3e29345bff1ad/DEPS

Project Member

Comment 9 by ClusterFuzz, Apr 24 2018

ClusterFuzz has detected this issue as fixed in range 552911:552922.

Detailed report: https://clusterfuzz.com/testcase?key=5015582035148800

Fuzzer: ochang_search_index_mutator
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x7ffb5a1acc66
Crash State:
  fxcrt::WideString::WStringLength
  CFX_Win32FontInfo::MapFont
  chrome_pdf::MapFontWithMetrics
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=552911:552922

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5015582035148800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Apr 24 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5015582035148800 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 11 by sheriffbot@chromium.org, Apr 24 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 12 by sheriffbot@chromium.org, Apr 27 2018

Labels: Merge-Request-67
Project Member

Comment 13 by sheriffbot@chromium.org, Apr 27 2018

Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ for M67 merge review. 
govind@ - good for 67
Approving merge to M67 branch 3396 based on comment #15. Please merge ASAP. Thank you.
Labels: -Merge-Review-67 Merge-Approved-67
Labels: -Merge-Approved-67 Merge-Merged
Merge m67 at https://pdfium-review.googlesource.com/c/pdfium/+/31630
Labels: -Merge-Merged merge-merged-67
Labels: Release-0-M67
Project Member

Comment 21 by sheriffbot@chromium.org, Jul 31

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment