Null-dereference READ in CPDF_StreamParser::ParseNextElement
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6174059398955008

Fuzzer: ifratric_pdf_generic
Job Type: linux_msan_pdfium
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  CPDF_StreamParser::ParseNextElement
  CPDF_StreamContentParser::Parse
  CPDF_ContentParser::Parse

Sanitizer: memory (MSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6174059398955008

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jul 6

Predator and CL could not provide any possible suspects. Using the code search for the file "cpdf_contentparser.cpp", assigning to concern owner from git blame.

Suspecting commit: https://pdfium.googlesource.com/pdfium.git/+/6eb7939300d1bc7c31afd5086c1b93d4a7628481

@hnakashima -- Could you please look into this issue? Kindly reassign if it has nothing to do with your changes. Thank you.
Jul 6

It's unrelated to my recent changes, as it reproduces before them. I'm looking for the culprit.
Jul 6

It's one of these:

commit c667eb4e9ceeadc16e25274cfedf6f01a743daac
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date:   Tue Jul 3 23:32:33 2018 +0000

    Roll src/third_party/pdfium 95b0293a29b2..94f7b75b4d5d (5 commits)

    https://pdfium.googlesource.com/pdfium.git/+log/95b0293a29b2..94f7b75b4d5d

    git log 95b0293a29b2..94f7b75b4d5d --date=short --no-merges --format='%ad %ae %s'
    2018-07-03 tsepez@chromium.org Use unowned ptr to Node from outside XFA node tree.
    2018-07-03 tsepez@chromium.org Use UnownedPtr<> in cxfa_nodeiteratortemplate.h
    2018-07-03 tsepez@chromium.org Use std::vector<float> in CPDF_Function.
    2018-07-03 thestig@chromium.org Remove a parameter from CPDF_SyntaxParser::FindTag().
    2018-07-03 art-snake@yandex-team.ru Avoid duplicate data buffering in CPDF_SyntaxParser::ReadStream().
Jul 6

The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/dd1083b47c029d2540aceb246bf80f549781f62f

commit dd1083b47c029d2540aceb246bf80f549781f62f
Author: Henrique Nakashima <hnakashima@chromium.org>
Date:   Fri Jul 06 17:28:46 2018

    Revert "Avoid duplicate data buffering in CPDF_SyntaxParser::ReadStream()."

    This reverts commit 77f15f7883638a4ced131d74c053af10a5970ce9.

    Reason for revert: Causes crbug.com/860210

    Bug: chromium:860210

    Original change's description:
    > Avoid duplicate data buffering in CPDF_SyntaxParser::ReadStream().
    >
    > Allow sub-streams created from an IFX_SeekableReadStream to provide
    > stream data without copying memory.
    > The data will only reside in the top-level stream.
    >
    > For example:
    > For file
    > http://www.major-landrover.ru/upload/attachments/f/9/f96aab07dab04ae89c8a509ec1ef2b31.pdf
    > (18 Mb)
    >
    > The memory usage is reduced by ~13 Mb.
    >
    > Change-Id: I2595c014d0fbe1fdd181cc04965cfd7d901c2d88
    > Reviewed-on: https://pdfium-review.googlesource.com/35930
    > Commit-Queue: Art Snake <art-snake@yandex-team.ru>
    > Reviewed-by: dsinclair <dsinclair@chromium.org>

    TBR=tsepez@chromium.org,dsinclair@chromium.org,art-snake@yandex-team.ru

    # Not skipping CQ checks because original CL landed > 1 day ago.

    Change-Id: I947fca17052765935a952a4f25ca48f6599c4af9
    Reviewed-on: https://pdfium-review.googlesource.com/37210
    Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
    Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

[modify] https://crrev.com/dd1083b47c029d2540aceb246bf80f549781f62f/core/fpdfapi/parser/cpdf_syntax_parser.cpp
[modify] https://crrev.com/dd1083b47c029d2540aceb246bf80f549781f62f/testing/embedder_test.cpp
[modify] https://crrev.com/dd1083b47c029d2540aceb246bf80f549781f62f/core/fpdfapi/edit/cpdf_flateencoder.cpp
[modify] https://crrev.com/dd1083b47c029d2540aceb246bf80f549781f62f/core/fpdfapi/edit/cpdf_flateencoder.h
[modify] https://crrev.com/dd1083b47c029d2540aceb246bf80f549781f62f/testing/embedder_test.h
Jul 6

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fa002bec2565988729a58f9d46af7765c9520fec

commit fa002bec2565988729a58f9d46af7765c9520fec
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date:   Fri Jul 06 20:22:12 2018

    Roll src/third_party/pdfium e3c4b205572e..05aa09d3ebfd (2 commits)

    https://pdfium.googlesource.com/pdfium.git/+log/e3c4b205572e..05aa09d3ebfd

    git log e3c4b205572e..05aa09d3ebfd --date=short --no-merges --format='%ad %ae %s'
    2018-07-06 hnakashima@chromium.org Make MarkData::mMarks a vector of RetainPtr<CPDF_ContentMarkItem>
    2018-07-06 hnakashima@chromium.org Revert "Avoid duplicate data buffering in CPDF_SyntaxParser::ReadStream()."

    Created with:
      gclient setdep -r src/third_party/pdfium@05aa09d3ebfd

    The AutoRoll server is located here: https://pdfium-roll.skia.org
    Documentation for the AutoRoller is here:
    https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

    If the roll is causing failures, please contact the current sheriff, who
    should be CC'd on the roll, and stop the roller if necessary.

    BUG= chromium:860210
    TBR=dsinclair@chromium.org

    Change-Id: I3725cb13c5fee7372697f7890495be963ca3d8b3
    Reviewed-on: https://chromium-review.googlesource.com/1128102
    Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
    Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
    Cr-Commit-Position: refs/heads/master@{#573056}

[modify] https://crrev.com/fa002bec2565988729a58f9d46af7765c9520fec/DEPS
Jul 7

ClusterFuzz has detected this issue as fixed in range 573054:573057.

Detailed report: https://clusterfuzz.com/testcase?key=6174059398955008

Fuzzer: ifratric_pdf_generic
Job Type: linux_msan_pdfium
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  CPDF_StreamParser::ParseNextElement
  CPDF_StreamContentParser::Parse
  CPDF_ContentParser::Parse

Sanitizer: memory (MSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_msan_pdfium&range=573054:573057

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6174059398955008

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 7

ClusterFuzz testcase 6174059398955008 is verified as fixed, so closing issue as verified.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Jul 11

The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/7c694a4632dc3b11e26d66a44e598a211913d02a

commit 7c694a4632dc3b11e26d66a44e598a211913d02a
Author: Artem Strygin <art-snake@yandex-team.ru>
Date:   Wed Jul 11 16:25:14 2018

    Fix crash and memory leak.

    Do not return size within CPDF_StreamAcc in case when read data failed.
    Also free buffers in this case.

    Bug: chromium:860210
    Change-Id: Ifb2a061d7c8427409b68c33f213c5c55343fb946
    Reviewed-on: https://pdfium-review.googlesource.com/37310
    Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
    Commit-Queue: Art Snake <art-snake@yandex-team.ru>

[modify] https://crrev.com/7c694a4632dc3b11e26d66a44e598a211913d02a/BUILD.gn
[add] https://crrev.com/7c694a4632dc3b11e26d66a44e598a211913d02a/core/fpdfapi/parser/cpdf_stream_acc_unittest.cpp
[modify] https://crrev.com/7c694a4632dc3b11e26d66a44e598a211913d02a/core/fpdfapi/parser/cpdf_stream_acc.cpp
Jul 11

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9717e66b37a4336e55a1e420bb998ec4f4e07553

commit 9717e66b37a4336e55a1e420bb998ec4f4e07553
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date:   Wed Jul 11 20:18:32 2018

    Roll src/third_party/pdfium e7e454da8e38..b165ffb64e59 (2 commits)

    https://pdfium.googlesource.com/pdfium.git/+log/e7e454da8e38..b165ffb64e59

    git log e7e454da8e38..b165ffb64e59 --date=short --no-merges --format='%ad %ae %s'
    2018-07-11 thestig@chromium.org Use JSGetObject() in more places.
    2018-07-11 art-snake@yandex-team.ru Fix crash and memory leak.

    Created with:
      gclient setdep -r src/third_party/pdfium@b165ffb64e59

    The AutoRoll server is located here: https://pdfium-roll.skia.org
    Documentation for the AutoRoller is here:
    https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

    If the roll is causing failures, please contact the current sheriff, who
    should be CC'd on the roll, and stop the roller if necessary.

    BUG= chromium:860210
    TBR=dsinclair@chromium.org

    Change-Id: I22163f80735fd7ab47b3879c5ebccd91b216a9e0
    Reviewed-on: https://chromium-review.googlesource.com/1133860
    Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
    Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
    Cr-Commit-Position: refs/heads/master@{#574305}

[modify] https://crrev.com/9717e66b37a4336e55a1e420bb998ec4f4e07553/DEPS
Comment 1 by ClusterFuzz, Jul 5