Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in CPDF_DeviceCS::GetRGB |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6525040687054848 Fuzzer: ifratric_pdf_generic Job Type: linux_asan_pdfium Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x603000020e1c Crash State: CPDF_DeviceCS::GetRGB CPDF_ICCBasedCS::GetRGB CPDF_DIBSource::TranslateScanline24bpp Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=557034:557037 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6525040687054848 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 28 2018
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/5de481e71bcde25d31452b23a017bb783163a204 (Remove almost all usages of CFX_FixedBufGrow with std::vector). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
May 28 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1 commit ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1 Author: Nicolas Pena <npm@chromium.org> Date: Mon May 28 20:06:19 2018 Revert 'Remove almost all usages of CFX_FixedBufGrow with std::vector' This is a manual revert of the CL at: https://pdfium-review.googlesource.com/c/pdfium/+/32159 The only file manually changed was cpdf_renderstatus.cpp Reason for revert: the bug below shows that sometimes the vector size used is larger than the parameter given to CFX_FixedBufGrow. Thus, we will revert, then add vectors using std::max unless it's clear from the code that the code will never access indices outside. Bug: chromium:847247 Change-Id: Iee54af023c8564824418a7d34a6385b0bc418ff0 Reviewed-on: https://pdfium-review.googlesource.com/33050 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña Moreno <npm@chromium.org> [modify] https://crrev.com/ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1/core/fpdfapi/page/cpdf_colorspace.cpp [modify] https://crrev.com/ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1/core/fpdfapi/render/cpdf_dibsource.cpp [modify] https://crrev.com/ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1/core/fxge/apple/fx_apple_platform.cpp [modify] https://crrev.com/ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1/core/fpdfapi/render/cpdf_renderstatus.cpp [modify] https://crrev.com/ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1/core/fxcodec/codec/fx_codec_icc.cpp
,
May 28 2018
,
May 28 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e3d50edbdf146ce2a6da4fa56f1f8ba44baaa26d commit e3d50edbdf146ce2a6da4fa56f1f8ba44baaa26d Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Date: Mon May 28 21:15:31 2018 Roll src/third_party/pdfium/ fffdeebfd..ac8357b3e (1 commit) https://pdfium.googlesource.com/pdfium.git/+log/fffdeebfd0ed..ac8357b3ec7e $ git log fffdeebfd..ac8357b3e --date=short --no-merges --format='%ad %ae %s' 2018-05-28 npm Revert 'Remove almost all usages of CFX_FixedBufGrow with std::vector' Created with: roll-dep src/third_party/pdfium BUG= chromium:847247 The AutoRoll server is located here: https://pdfium-roll.skia.org Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary. TBR=dsinclair@chromium.org Change-Id: I8e7dfeed69578d855d76fad5c7fe34820bc67b6f Reviewed-on: https://chromium-review.googlesource.com/1075550 Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#562311} [modify] https://crrev.com/e3d50edbdf146ce2a6da4fa56f1f8ba44baaa26d/DEPS
,
May 29 2018
ClusterFuzz has detected this issue as fixed in range 562310:562311. Detailed report: https://clusterfuzz.com/testcase?key=6525040687054848 Fuzzer: ifratric_pdf_generic Job Type: linux_asan_pdfium Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x603000020e1c Crash State: CPDF_DeviceCS::GetRGB CPDF_ICCBasedCS::GetRGB CPDF_DIBSource::TranslateScanline24bpp Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=557034:557037 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=562310:562311 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6525040687054848 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 29 2018
ClusterFuzz testcase 6525040687054848 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
May 29 2018
,
May 29 2018
Approving merge for M68.
,
May 29 2018
branch:3440
,
May 29 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/d05394341e3a2140923f379cb1547f0600590a62 commit d05394341e3a2140923f379cb1547f0600590a62 Author: Nicolas Pena <npm@chromium.org> Date: Tue May 29 20:58:59 2018 Revert 'Remove almost all usages of CFX_FixedBufGrow with std::vector' This is a manual revert of the CL at: https://pdfium-review.googlesource.com/c/pdfium/+/32159 The only file manually changed was cpdf_renderstatus.cpp Reason for revert: the bug below shows that sometimes the vector size used is larger than the parameter given to CFX_FixedBufGrow. Thus, we will revert, then add vectors using std::max unless it's clear from the code that the code will never access indices outside. Bug: chromium:847247 Change-Id: Iee54af023c8564824418a7d34a6385b0bc418ff0 Reviewed-on: https://pdfium-review.googlesource.com/33050 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Nicolás Peña Moreno <npm@chromium.org> (cherry picked from commit ac8357b3ec7e1fe4000ebcae5ce65a38bfeb5cb1) Reviewed-on: https://pdfium-review.googlesource.com/33170 [modify] https://crrev.com/d05394341e3a2140923f379cb1547f0600590a62/core/fpdfapi/page/cpdf_colorspace.cpp [modify] https://crrev.com/d05394341e3a2140923f379cb1547f0600590a62/core/fpdfapi/render/cpdf_dibsource.cpp [modify] https://crrev.com/d05394341e3a2140923f379cb1547f0600590a62/core/fxge/apple/fx_apple_platform.cpp [modify] https://crrev.com/d05394341e3a2140923f379cb1547f0600590a62/core/fpdfapi/render/cpdf_renderstatus.cpp [modify] https://crrev.com/d05394341e3a2140923f379cb1547f0600590a62/core/fxcodec/codec/fx_codec_icc.cpp
,
Sep 4
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, May 28 2018Labels: Test-Predator-Auto-Components