Integer-overflow in CFX_ImageStretcher::ContinueQuickStretch
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4878119492911104

Fuzzer: libFuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CFX_ImageStretcher::ContinueQuickStretch
  CPDF_RenderStatus::ContinueSingleObject
  CPDF_RenderStatus::ContinueSingleObject

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=479170:479259

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4878119492911104

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
May 3 2018
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/957480c17682008ae2a14723868fcdcab89b6577 (Allow zero length streams when parsing.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
May 3 2018
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
May 3 2018
rharrison@ more image clusterfuzz fun.
May 3 2018
May 7 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/cb391259aefd52f09352d35a1bb5b56c0db6db11

commit cb391259aefd52f09352d35a1bb5b56c0db6db11
Author: Ryan Harrison <rharrison@chromium.org>
Date: Mon May 07 15:39:45 2018

Use checked large integer in ContinueQuickStretch

This existing code has the potential for an integer overflow in it. When overflow occurs in this function scaling may partially succeed. This is due to how out of range values are being clamped, which implicitly swallows the overflow.

This CL changes the calculation to be performed in a 64-bit space and then attempts to down cast it back to 32-bit space at the end. Because there are multiple steps it is possible for an intermediate value to cause an overflow in 32 bit space, but the final value to be valid. If the downcast is not possible then the stretch operation is failed.

An existing test case has been updated, since it encoded an incorrect result.

BUG= chromium:839245
Change-Id: I637cc1e2d6c6c2d5394599104f76352c20ead021
Reviewed-on: https://pdfium-review.googlesource.com/32056
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/cb391259aefd52f09352d35a1bb5b56c0db6db11/core/fxcrt/fx_safe_types.h
[modify] https://crrev.com/cb391259aefd52f09352d35a1bb5b56c0db6db11/core/fpdfapi/render/fpdf_render_loadimage_embeddertest.cpp
[modify] https://crrev.com/cb391259aefd52f09352d35a1bb5b56c0db6db11/core/fxge/dib/cfx_imagestretcher.cpp
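The fix pattern the commit message describes (do every step in 64-bit space, then cast back to 32 bits only if the final value fits, otherwise fail the operation), as an added illustration that is not pdfium's code. The line-mapping formula `(dest_y + clip_top) * src_height / dest_height` is an assumed stand-in for the real stretch arithmetic, and `NaiveClampedSrcLine` emulates the 32-bit wrap-around explicitly with unsigned arithmetic, since signed overflow is undefined behaviour in C++ (which is what UBSAN reported here) and cannot be relied on to reproduce the effect:

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>
#include <cstdio>
#include <optional>

// Assumed stand-in for the stretch arithmetic: map a destination scan line to
// the source line it samples from. This is not pdfium's actual formula.

// "Before": 32-bit arithmetic followed by a clamp. The wrap-around is emulated
// with unsigned arithmetic so the failure mode is reproducible. The clamp turns
// an overflowed (negative or garbage) value into an in-range line index, so the
// stretch silently samples the wrong source line instead of reporting an error.
int32_t NaiveClampedSrcLine(int32_t dest_y, int32_t clip_top,
                            int32_t src_height, int32_t dest_height) {
  uint32_t sum = static_cast<uint32_t>(dest_y) + static_cast<uint32_t>(clip_top);
  uint32_t prod = sum * static_cast<uint32_t>(src_height);
  int32_t src_y = static_cast<int32_t>(prod) / dest_height;
  return std::clamp<int32_t>(src_y, 0, src_height - 1);
}

// "After": every step is carried out in 64-bit space with overflow checks, and
// the result is cast back to 32 bits only if it is representable. An
// intermediate that would overflow 32 bits is fine as long as the end result
// fits; anything else makes the operation fail (nullopt) rather than continue
// with a clamped wrong value.
std::optional<int32_t> CheckedSrcLine(int32_t dest_y, int32_t clip_top,
                                      int32_t src_height, int32_t dest_height) {
  if (src_height <= 0 || dest_height <= 0)
    return std::nullopt;  // degenerate geometry; also rules out divide-by-zero
  int64_t sum = 0;
  int64_t prod = 0;
  if (__builtin_add_overflow(static_cast<int64_t>(dest_y),
                             static_cast<int64_t>(clip_top), &sum))
    return std::nullopt;
  if (__builtin_mul_overflow(sum, static_cast<int64_t>(src_height), &prod))
    return std::nullopt;
  int64_t src_y = prod / dest_height;
  if (src_y < INT32_MIN || src_y > INT32_MAX)
    return std::nullopt;  // down-cast to 32 bits is not possible: fail the stretch
  return std::clamp<int32_t>(static_cast<int32_t>(src_y), 0, src_height - 1);
}

int main() {
  // Constructed geometry: the 32-bit product 60000 * 40000 overflows, but the
  // final line index 30000 is perfectly valid.
  std::printf("naive:   %d\n", NaiveClampedSrcLine(60000, 0, 40000, 80000));
  std::optional<int32_t> checked = CheckedSrcLine(60000, 0, 40000, 80000);
  std::printf("checked: %d\n", checked ? *checked : -1);
  // A result that cannot be represented in 32 bits fails instead of clamping.
  std::printf("too big fails: %s\n",
              CheckedSrcLine(INT32_MAX, INT32_MAX, INT32_MAX, 1) ? "no" : "yes");
  return 0;
}
```

With the constructed geometry the naive version clamps a wrapped negative quotient to line 0, while the checked version returns 30000; the difference is exactly the "scaling may partially succeed" symptom the commit message describes, which is why a fuzzer-found overflow in image code is worth treating as a correctness bug even when no memory is corrupted.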
May 7 2018
May 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/856461f2365f7e76dea1f7a0391ccb41b3165be9

commit 856461f2365f7e76dea1f7a0391ccb41b3165be9
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Mon May 07 21:25:58 2018

Roll src/third_party/pdfium/ 36b3d1928..cb391259a (3 commits)

https://pdfium.googlesource.com/pdfium.git/+log/36b3d19281e2..cb391259aefd

$ git log 36b3d1928..cb391259a --date=short --no-merges --format='%ad %ae %s'
2018-05-07 rharrison Use checked large integer in ContinueQuickStretch
2018-05-07 thestig Mark parts of CJS_EventHandler as private.
2018-05-07 dsinclair [xml] Move members to method variables in CFX_XMLParser

Created with:
  roll-dep src/third_party/pdfium

BUG= chromium:839245

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org

Change-Id: I91eef5dbec4186b1bc00e9cae5fa627deda73dd7
Reviewed-on: https://chromium-review.googlesource.com/1047791
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#556571}

[modify] https://crrev.com/856461f2365f7e76dea1f7a0391ccb41b3165be9/DEPS
May 8 2018
ClusterFuzz has detected this issue as fixed in range 556568:556573.

Detailed report: https://clusterfuzz.com/testcase?key=4878119492911104

Fuzzer: libFuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CFX_ImageStretcher::ContinueQuickStretch
  CPDF_RenderStatus::ContinueSingleObject
  CPDF_RenderStatus::ContinueSingleObject

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=479170:479259
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=556568:556573

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4878119492911104

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 8 2018
ClusterFuzz testcase 4878119492911104 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, May 3 2018
Labels: Test-Predator-Auto-Components