Issue metadata

Crash in HintTableForFuzzing::Fuzz
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4633751804706816

Fuzzer: libFuzzer_pdf_hint_table_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x0007fffffff0
Crash State:
  HintTableForFuzzing::Fuzz
  pdf_hint_table_fuzzer.cc
  start

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=565044:565142

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4633751804706816

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Jun 7 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 7 2018
Taking ownership to investigate.
Jun 7 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/e769ab578af3cf646f6268c992fd9c9dcd494708

commit e769ab578af3cf646f6268c992fd9c9dcd494708
Author: Ryan Harrison <rharrison@chromium.org>
Date: Thu Jun 07 17:14:23 2018

Revert "Reland "Simplify CPDF_HintsTable.""

This reverts commit d89f1bf48f017ab9f56df13299f75a906ed33cd0.

Reason for revert: This CL has introduced at least two CF issues chromium:850407, chromium:850440. Additionally there is a number of changes that remove bounds checks, which I think are suspect.

BUG=chromium:850407, chromium:850440

Original change's description:
> Reland "Simplify CPDF_HintsTable."
>
> This is a reland of 33591752d2cb14f2e07726ca52afce6efbdc07c9
>
> Original change's description:
> > Simplify CPDF_HintsTable.
> >
> > Use CPDF_LinearizedHeader directly.
> >
> > Change-Id: Id12402ef6e6f92fef68d0932df2e1ccb2dcf06aa
> > Reviewed-on: https://pdfium-review.googlesource.com/15770
> > Reviewed-by: Lei Zhang <thestig@chromium.org>
> > Commit-Queue: Lei Zhang <thestig@chromium.org>
>
> Change-Id: I2b5425a6533f4ce237f9ae6c483caa517105a5f7
> Reviewed-on: https://pdfium-review.googlesource.com/34130
> Reviewed-by: Lei Zhang <thestig@chromium.org>
> Commit-Queue: Art Snake <art-snake@yandex-team.ru>

TBR=thestig@chromium.org,tsepez@chromium.org,art-snake@yandex-team.ru
Change-Id: I463b5b1330f809c2cb508cbf46a804b7a11526e4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://pdfium-review.googlesource.com/34350
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/e769ab578af3cf646f6268c992fd9c9dcd494708/core/fpdfapi/parser/cpdf_hint_tables.h
[modify] https://crrev.com/e769ab578af3cf646f6268c992fd9c9dcd494708/core/fpdfapi/parser/cpdf_hint_tables.cpp

Jun 7 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/f51a4767ee7854991d94d6814aa13f5763f05760

commit f51a4767ee7854991d94d6814aa13f5763f05760
Author: Artem Strygin <art-snake@yandex-team.ru>
Date: Thu Jun 07 18:01:27 2018

Check is first page number valid in CPDF_LinearizedHeader.

Bug=chromium:850407, chromium:850440
Change-Id: I0115f75677db618b0de5e1e78b13da80b1da9559
Reviewed-on: https://pdfium-review.googlesource.com/34390
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/f51a4767ee7854991d94d6814aa13f5763f05760/core/fpdfapi/parser/cpdf_linearized_header.cpp

Jun 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f8a8b721bbc47542d98e4eaf50f7d84b03c3da21

commit f8a8b721bbc47542d98e4eaf50f7d84b03c3da21
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Fri Jun 08 01:49:55 2018

Roll src/third_party/pdfium 5ebfd64..798b832 (7 commits)

https://pdfium.googlesource.com/pdfium.git/+log/5ebfd64..798b832

git log 5ebfd64..798b832 --date=short --no-merges --format='%ad %ae %s'
2018-06-07 rharrison@chromium.org Add expectations for xfa_node_caption.pdf
2018-06-07 rharrison@chromium.org Convert resolve_nodes.pdf into 3 test cases
2018-06-07 hnakashima@chromium.org Rename CPDF_PageObjectHolder::GetFormDict() to GetDict().
2018-06-07 tsepez@chromium.org Remove friending in CFXJSE_Context.
2018-06-07 hnakashima@chromium.org Return from GenerateContent() if m_pObjHolder->GetFormDict() is null.
2018-06-07 art-snake@yandex-team.ru Check is first page number valid in CPDF_LinearizedHeader.
2018-06-07 rharrison@chromium.org Revert "Reland "Simplify CPDF_HintsTable.""

Created with:
  gclient setdep -r src/third_party/pdfium@798b832

The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG=chromium:850407, chromium:850440
TBR=dsinclair@chromium.org

Change-Id: I61a7c7d21e28d4051f9959e05eae18c7b3bf9b5a
Reviewed-on: https://chromium-review.googlesource.com/1092050
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#565508}

[modify] https://crrev.com/f8a8b721bbc47542d98e4eaf50f7d84b03c3da21/DEPS

Jun 8 2018

Jun 11 2018

Jun 14 2018
ClusterFuzz testcase 4633751804706816 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Jun 15 2018

ClusterFuzz has detected this issue as fixed in range 567285:567358.

Detailed report: https://clusterfuzz.com/testcase?key=4633751804706816

Fuzzer: libFuzzer_pdf_hint_table_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x0007fffffff0
Crash State:
  HintTableForFuzzing::Fuzz
  pdf_hint_table_fuzzer.cc
  start

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=565044:565142
Fixed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=567285:567358

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4633751804706816

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 16 2018
ClusterFuzz testcase 4633751804706816 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 15

Sep 14

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jun 7 2018
Labels: Test-Predator-Auto-Components