Issue 838004

Issue metadata

Status: WontFix
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Use-of-uninitialized-value in deflate_fast

Project Member Reported by ClusterFuzz, Apr 29 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5828569012633600

Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  deflate_fast
  Cr_z_deflate
  cr_png_compress_IDAT

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5828569012633600

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
 
Project Member

Comment 1 by ClusterFuzz, Apr 29 2018

Components: Internals>Images>Codecs
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 30 2018

Labels: Pri-1
Cc: scro...@google.com
Labels: Security_Impact-Head
Owner: scroggo@chromium.org
Status: Assigned (was: Untriaged)
scroggo@, this started around your commit - https://chromium.googlesource.com/chromium/src/+/e87a02987101e2dbe319a4aba6b52470f7624b4a. Can you please take a look?

I don't see how the commit in #3 would have caused this. It just makes us more lenient on decoding PNGs, but this stack trace occurs when encoding PNGs.

There is some somewhat recent work in zlib, and we updated libpng recently (https://chromium-review.googlesource.com/902145), but those landed a bit before this commit. (The line in zlib we land on was landed three years ago in https://codereview.chromium.org/678423002/.)

We have another bug (issue 808875) with uninitialized values going through PNG encoding, so maybe the two are related.
Project Member

Comment 5 by sheriffbot@chromium.org, May 5 2018

Labels: M-68
Project Member

Comment 6 by sheriffbot@chromium.org, May 19 2018

scroggo: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Status: WontFix (was: Assigned)
This issue is not reproducible.
Project Member

Comment 8 by sheriffbot@chromium.org, Aug 28

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot