Integer-overflow in CJBig2_TRDProc::DecodeArith

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5053457132945408

Fuzzer: libFuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CJBig2_TRDProc::DecodeArith
  CJBig2_SDDProc::DecodeArith
  CJBig2_Context::ParseSymbolDict

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5053457132945408

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jun 30 2018

Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Jul 2

Predator and CL could not provide any possible suspects. Using Code Search for the file "JBig2_TrdProc.cpp", suspecting the below CL might have caused this issue.

Suspect CL: https://pdfium.googlesource.com/pdfium.git/+/512509a5bb48cbd13fba80fbb5bd1a455f6d248d

thestig@ -- Could you please check whether this is caused with respect to your change? If not, please help us in assigning it to the right owner. Thanks!
Jul 2

The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/7695dd0f9f5a5a91a0fdfc723edfe706a39c87f4

commit 7695dd0f9f5a5a91a0fdfc723edfe706a39c87f4
Author: Lei Zhang <thestig@chromium.org>
Date: Mon Jul 02 21:20:23 2018

Check for more integer overflows in CJBig2_TRDProc.

BUG= chromium:859284
Change-Id: I41ce5de4cca0a863dc6e60b64fd69d36c2672a64
Reviewed-on: https://pdfium-review.googlesource.com/36790
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/7695dd0f9f5a5a91a0fdfc723edfe706a39c87f4/core/fxcodec/jbig2/JBig2_TrdProc.cpp
Jul 2

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e84bb14099b9546f8cb19353211aa05f2ee3b532

commit e84bb14099b9546f8cb19353211aa05f2ee3b532
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Mon Jul 02 23:28:47 2018

Roll src/third_party/pdfium 61ff9b659a5b..555b41aebe00 (4 commits)

https://pdfium.googlesource.com/pdfium.git/+log/61ff9b659a5b..555b41aebe00

git log 61ff9b659a5b..555b41aebe00 --date=short --no-merges --format='%ad %ae %s'
2018-07-02 tsepez@chromium.org Use std::vector<float> in cpdf_expintfunc.cpp
2018-07-02 thestig@chromium.org Access a span properly in DetectSRGB().
2018-07-02 thestig@chromium.org Check for more integer overflows in CJBig2_TRDProc.
2018-07-02 tsepez@chromium.org Use std::vector in one more place in cpdf_colorspace.cpp

Created with:
  gclient setdep -r src/third_party/pdfium@555b41aebe00

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:859284
TBR=dsinclair@chromium.org
Change-Id: Icfb87ce79219363726143c02e70a8076b8b73241
Reviewed-on: https://chromium-review.googlesource.com/1123083
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#572039}

[modify] https://crrev.com/e84bb14099b9546f8cb19353211aa05f2ee3b532/DEPS
Jul 3

ClusterFuzz has detected this issue as fixed in range 572038:572040.

Detailed report: https://clusterfuzz.com/testcase?key=5053457132945408

Fuzzer: libFuzzer_pdf_codec_jbig2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CJBig2_TRDProc::DecodeArith
  CJBig2_SDDProc::DecodeArith
  CJBig2_Context::ParseSymbolDict

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=421422:421461
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=572038:572040

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5053457132945408

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 3

ClusterFuzz testcase 5053457132945408 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 6

The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/ee7c8c3f37698651ae57e2aea979b3dba1c8b39a

commit ee7c8c3f37698651ae57e2aea979b3dba1c8b39a
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Jul 06 21:11:39 2018

Fix regression in CJBig2_TRDProc.

Commit 7695dd0f mistakenly changed a signed integer to unsigned. This is incorrect because right shifts for negative integers behave differently.

BUG= chromium:859284
Change-Id: Id9c54848b15ace1de080c174f261dd2c064018e0
Reviewed-on: https://pdfium-review.googlesource.com/37230
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/ee7c8c3f37698651ae57e2aea979b3dba1c8b39a/core/fxcodec/jbig2/JBig2_TrdProc.cpp
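The signed-versus-unsigned point in the commit message above, as an added illustration that is not pdfium's code: an overflow-checked addition (the class of check the first fix added) whose result stays signed so the right shift remains arithmetic, beside the unsigned variant that the regression commit describes. Function names here are assumptions, not identifiers from JBig2_TrdProc.cpp.

```cpp
#include <cstdint>
#include <limits>
#include <optional>

// Added example (not pdfium code). Signed addition that reports overflow
// instead of invoking undefined behaviour, which is what UBSan flagged.
std::optional<int32_t> CheckedAddI32(int32_t a, int32_t b) {
  if ((b > 0 && a > std::numeric_limits<int32_t>::max() - b) ||
      (b < 0 && a < std::numeric_limits<int32_t>::min() - b)) {
    return std::nullopt;  // overflow: caller must treat the input as invalid
  }
  return a + b;
}

// Correct form: overflow is checked, but the value stays signed, so ">>"
// is an arithmetic shift and a negative sum halves toward minus infinity
// (arithmetic shift on every mainstream compiler; C++20 mandates it).
std::optional<int32_t> HalfOfSumSigned(int32_t a, int32_t b) {
  std::optional<int32_t> sum = CheckedAddI32(a, b);
  if (!sum)
    return std::nullopt;
  return *sum >> 1;
}

// Regression form: the same arithmetic with an unsigned intermediate.
// The shift becomes logical, so a negative sum yields a huge positive value.
uint32_t HalfOfSumUnsigned(int32_t a, int32_t b) {
  uint32_t sum = static_cast<uint32_t>(a) + static_cast<uint32_t>(b);
  return sum >> 1;
}

// True when the two forms disagree, which happens exactly when the sum is
// negative; a decoder using such a value as an offset would go badly wrong.
bool ShiftFormsDisagree(int32_t a, int32_t b) {
  std::optional<int32_t> s = HalfOfSumSigned(a, b);
  return s && static_cast<int64_t>(*s) !=
                  static_cast<int64_t>(HalfOfSumUnsigned(a, b));
}
```

Only the signed form both rejects overflow and preserves the sign through the shift; the unsigned form silently turns a negative offset into a value near 2^31.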
Jul 7

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4fab44f9518f26d65c3a30c76cbcd60e3796dece

commit 4fab44f9518f26d65c3a30c76cbcd60e3796dece
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Sat Jul 07 01:58:35 2018

Roll src/third_party/pdfium 05aa09d3ebfd..ee7c8c3f3769 (2 commits)

https://pdfium.googlesource.com/pdfium.git/+log/05aa09d3ebfd..ee7c8c3f3769

git log 05aa09d3ebfd..ee7c8c3f3769 --date=short --no-merges --format='%ad %ae %s'
2018-07-06 thestig@chromium.org Fix regression in CJBig2_TRDProc.
2018-07-06 hnakashima@chromium.org Maintain a stack of CPDF_ContentMark while parsing a stream.

Created with:
  gclient setdep -r src/third_party/pdfium@ee7c8c3f3769

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:859284
TBR=dsinclair@chromium.org
Change-Id: I3118333be577919fa3af649d12cef759ddb6d511
Reviewed-on: https://chromium-review.googlesource.com/1128028
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#573141}

[modify] https://crrev.com/4fab44f9518f26d65c3a30c76cbcd60e3796dece/DEPS
Comment 1 by ClusterFuzz, Jun 30 2018
Labels: Test-Predator-Auto-Components