New issue
Advanced search Search tips

Issue 895009 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 16
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Negative-size-param in CFX_CodecMemory::Consume

Project Member Reported by ClusterFuzz, Oct 12

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5181233636835328

Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  CFX_CodecMemory::Consume
  CCodec_ProgressiveDecoder::ReadMoreData
  CCodec_ProgressiveDecoder::GifContinueDecode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=598479:598538

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5181233636835328

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 12

Components: Internals>Plugins>PDF
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Oct 12

Labels: Test-Predator-Auto-Owner
Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/8d8d3bc54593d2d86054d59669b86a959ec0b602 (Fix dangling reference in CFX_CodecMemory.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 13

Labels: Target-71 M-71
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 13

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 13

Labels: Pri-1
Cc: thestig@chromium.org
Project Member

Comment 7 by bugdroid1@chromium.org, Oct 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5817b2f8c0d0e184e78bebb8b343688154df5856

commit 5817b2f8c0d0e184e78bebb8b343688154df5856
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Tue Oct 16 03:36:14 2018

Roll src/third_party/pdfium 7c39bf7b87f8..1929d6e1d44e (16 commits)

https://pdfium.googlesource.com/pdfium.git/+log/7c39bf7b87f8..1929d6e1d44e


git log 7c39bf7b87f8..1929d6e1d44e --date=short --no-merges --format='%ad %ae %s'
2018-10-15 thestig@chromium.org Split pdfium_embeddertests sources.
2018-10-15 thestig@chromium.org Move fx_skia_device_unittest.cpp to pdfium_embeddertests.
2018-10-15 thestig@chromium.org Split pdfium_unittests sources.
2018-10-15 thestig@chromium.org Split public/ headers into their own source_set.
2018-10-15 thestig@chromium.org Restrict fxcrt's visibility to third_party.
2018-10-15 tsepez@chromium.org Clone dict before iteration in CJS_Document::get_info
2018-10-15 xlou@chromium.org Use CropBox instead of ArtBox or TrimBox
2018-10-15 tsepez@chromium.org Convert %s -> %ls for wide string error format.
2018-10-15 thestig@chromium.org Make core/ pass gn check.
2018-10-15 thestig@chromium.org Use more UnownedPtr in CPDF_FormControl.
2018-10-15 thestig@chromium.org Move CPDF_ModuleMgr methods into cpdf_modulemgr.cpp.
2018-10-15 thestig@chromium.org Make ":pdfium" pass gn check.
2018-10-15 tsepez@chromium.org Stop shadowing codec memory size with CCodec_ProgressiveDecoder::m_SrcSize
2018-10-15 thestig@chromium.org Make fxjs/ pass gn check.
2018-10-15 thestig@chromium.org Make fpdfsdk/ pass gn check.
2018-10-15 thestig@chromium.org Make xfa/ pass gn check.


Created with:
  gclient setdep -r src/third_party/pdfium@1929d6e1d44e

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG=chromium:895152, chromium:409670 , chromium:895009 
TBR=dsinclair@chromium.org

Change-Id: I95c8a745294172817f98cc2e21f0110bd5b978cf
Reviewed-on: https://chromium-review.googlesource.com/c/1282322
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#599835}
[modify] https://crrev.com/5817b2f8c0d0e184e78bebb8b343688154df5856/DEPS

Project Member

Comment 8 by ClusterFuzz, Oct 16

ClusterFuzz has detected this issue as fixed in range 599827:599848.

Detailed report: https://clusterfuzz.com/testcase?key=5181233636835328

Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  CFX_CodecMemory::Consume
  CCodec_ProgressiveDecoder::ReadMoreData
  CCodec_ProgressiveDecoder::GifContinueDecode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=598479:598538
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=599827:599848

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5181233636835328

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Oct 16

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5181233636835328 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by ClusterFuzz, Oct 16

ClusterFuzz has detected this issue as fixed in range 599827:599848.

Detailed report: https://clusterfuzz.com/testcase?key=5181233636835328

Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  CFX_CodecMemory::Consume
  CCodec_ProgressiveDecoder::ReadMoreData
  CCodec_ProgressiveDecoder::GifContinueDecode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=598479:598538
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=599827:599848

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5181233636835328

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, Oct 16

ClusterFuzz has detected this issue as fixed in range 599827:599848.

Detailed report: https://clusterfuzz.com/testcase?key=5181233636835328

Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  CFX_CodecMemory::Consume
  CCodec_ProgressiveDecoder::ReadMoreData
  CCodec_ProgressiveDecoder::GifContinueDecode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=598479:598538
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=599827:599848

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5181233636835328

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by sheriffbot@chromium.org, Oct 16

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-71
Project Member

Comment 14 by sheriffbot@chromium.org, Nov 8

Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@google.com
+awhalley@ (Security TPM) for M71 merge review.
@govind - good for 71
Labels: -Merge-Review-71 Merge-Approved-71
Approving merge to M71 branch 3578 based on comment #15. Please merge ASAP. Thank you.
Re #18: Pls remove "Merge-Approved-71" label and apply "Merge-merged-71" label if all is done for M71. Thank you.
Labels: -Merge-Approved-71 Merge-Merged-71
FWIW, if the "Bug:" line in the merge CL contained "chromium:895009" then Bugdroid would have picked it up and set the Merge-Merged label automatically.
Labels: -ReleaseBlock-Stable
Project Member

Comment 23 by sheriffbot@chromium.org, Today (17 hours ago)

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment