New issue
Advanced search Search tips

Issue 887626 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Sep 21
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 2
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in CPDF_StreamAcc::~CPDF_StreamAcc

Project Member Reported by ClusterFuzz, Sep 20

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5728712191115264

Fuzzer: ifratric_acrojs
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x62d0000b4400
Crash State:
  CPDF_StreamAcc::~CPDF_StreamAcc
  FPDFPage_Flatten
  chrome_pdf::PDFiumPrint::FlattenPrintData
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=592542:592577

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5728712191115264

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Sep 20

Components: Internals>Plugins>PDF
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Sep 20

Cc: thestig@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Consolidate raw data processing path in CPDF_StreamAcc. by thestig@chromium.org - https://pdfium.googlesource.com/pdfium/+/41e49ec0259d4b02bf59fe581b9f48d7c2638456

Use MaybeOwned in CPDF_StreamAcc. by thestig@chromium.org - https://pdfium.googlesource.com/pdfium/+/d39389f6ec2eb96695d2645e1fc4e71fd7c5da08

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Owner: thestig@chromium.org
Labels: -Security_Severity-High Security_Severity-Low Pri-2
Status: Assigned (was: Untriaged)
ProbeForLowSeverityLifetimeIssue
Status: Started (was: Assigned)
https://pdfium-review.googlesource.com/c/pdfium/+/42893
Project Member

Comment 6 by bugdroid1@chromium.org, Sep 21

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/8e54f192f977824744cd14f04b6f35b79e0c42be

commit 8e54f192f977824744cd14f04b6f35b79e0c42be
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Sep 21 18:11:47 2018

Fix destruction order with CPDF_StreamAcc.

Commit d39389f6 changed CPDF_StreamAcc to use MaybeOwned, so now callers
have to destroy it more carefully, so CPDF_StreamAcc does not end up
with a dangling pointer.

BUG= chromium:887626 

Change-Id: Id5e7af96aad6270c444485c1574182da5dbd9ebf
Reviewed-on: https://pdfium-review.googlesource.com/42893
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/8e54f192f977824744cd14f04b6f35b79e0c42be/fpdfsdk/fpdf_ppo.cpp
[modify] https://crrev.com/8e54f192f977824744cd14f04b6f35b79e0c42be/fpdfsdk/fpdf_flatten.cpp

Status: Fixed (was: Started)
Project Member

Comment 8 by sheriffbot@chromium.org, Sep 22

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 9 by ClusterFuzz, Sep 22

Labels: OS-Linux
Project Member

Comment 10 by bugdroid1@chromium.org, Sep 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6800720983c8b8a99ed7ee4cc227e6432b33f267

commit 6800720983c8b8a99ed7ee4cc227e6432b33f267
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Mon Sep 24 18:28:17 2018

Roll src/third_party/pdfium e65756725f82..97f4483de007 (14 commits)

https://pdfium.googlesource.com/pdfium.git/+log/e65756725f82..97f4483de007


git log e65756725f82..97f4483de007 --date=short --no-merges --format='%ad %ae %s'
2018-09-24 hnakashima@chromium.org Revert "Make potentially dangerous Actions require a user click."
2018-09-22 thestig@chromium.org Remove useless charset data in CFGAS_FontMgr.
2018-09-22 thestig@chromium.org Roll build/ f53effa79..dfca77bb0 (53 commits)
2018-09-22 thestig@chromium.org Move some CFGAS_FontMgr methods into an anonymous namespace.
2018-09-22 thestig@chromium.org Change CBC_QRCoderMatrixUtil::BuildMatrix() to return a bool.
2018-09-22 thestig@chromium.org Encapsulate CBC_QRCoderMatrixUtil code.
2018-09-22 thestig@chromium.org Remove CBC_CommonByteArray and CBC_QRCoderBlockPair.
2018-09-21 npm@chromium.org Cleanup in CCodec_FaxModule
2018-09-21 tsepez@chromium.org Replace CPDF_Color::Copy() with honest-to-goodness operator=().
2018-09-21 npm@chromium.org Make OutputIndex() a void method
2018-09-21 thestig@chromium.org Fix destruction order with CPDF_StreamAcc.
2018-09-21 thestig@chromium.org Remove unreachable code in CPDF_DIBBase.
2018-09-21 thestig@chromium.org Validate more image values in CPDF_DIBBase.
2018-09-20 hnakashima@chromium.org Make potentially dangerous Actions require a user click.


Created with:
  gclient setdep -r src/third_party/pdfium@97f4483de007

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG= chromium:851821 , chromium:887626 , chromium:851821 
TBR=dsinclair@chromium.org

Change-Id: I1cfa2cae8e4f0aae0ca74f00ecfc7e8a8060efa9
Reviewed-on: https://chromium-review.googlesource.com/1240534
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#593606}
[modify] https://crrev.com/6800720983c8b8a99ed7ee4cc227e6432b33f267/DEPS

Project Member

Comment 11 by ClusterFuzz, Sep 25

ClusterFuzz has detected this issue as fixed in range 593585:593611.

Detailed report: https://clusterfuzz.com/testcase?key=5728712191115264

Fuzzer: ifratric_acrojs
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x62d0000b4400
Crash State:
  CPDF_StreamAcc::~CPDF_StreamAcc
  FPDFPage_Flatten
  chrome_pdf::PDFiumPrint::FlattenPrintData
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=592542:592577
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=593585:593611

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5728712191115264

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Sep 25

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5728712191115264 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 13 by sheriffbot@chromium.org, Dec 29

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment