Issue metadata
Sign in to add a comment
|
Null-dereference READ in fseeko64 |
||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4911409030496256 Fuzzer: libFuzzer_chromeos_gstoraster_fuzzer Job Type: libfuzzer_asan_chromeos Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: fseeko64 s_file_read_seek zsetfileposition Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=3138110:3138341 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4911409030496256 Issue filed automatically. See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for more information.
,
Nov 19
This fixes the UBSAN errors (another bug) and the $subject issue. I'm not super familiar with Ghostscript's code structure though, and we have several other similar bugs already. I suspect that the file-handling issues should probably be poked upstream. Does anyone on the printing team want to actually take care of these sorts of things, or should I?
Assigning to Sean to figure the above.
diff --git a/base/sfxstdio.c b/base/sfxstdio.c
index 140796ef6c5a..eb8e33d18b83 100644
--- a/base/sfxstdio.c
+++ b/base/sfxstdio.c
@@ -126,7 +126,7 @@ s_file_read_seek(register stream * s, gs_offset_t pos)
s->srptr = s->cbuf + offset - 1;
return 0;
}
- if (pos < 0 || pos > s->file_limit ||
+ if (s->file == 0 || pos < 0 || pos > s->file_limit ||
gp_fseek_64(s->file, s->file_offset + pos, SEEK_SET) != 0
)
return ERRC;
diff --git a/base/std.h b/base/std.h
index c88399a71d48..73145edbf5e7 100644
--- a/base/std.h
+++ b/base/std.h
@@ -24,6 +24,8 @@
/* Include the architecture definitions. */
#include "arch.h"
+#include <limits.h>
+
/*
* Define the alignment that the memory manager must preserve.
* We assume all alignment moduli are powers of 2.
@@ -60,12 +62,12 @@ typedef ulong bits32;
/* Minimum and maximum values for the signed types. */
/* Avoid casts, to make them acceptable to strict ANSI compilers. */
-#define min_short (-1 << (ARCH_SIZEOF_SHORT * 8 - 1))
-#define max_short (~min_short)
-#define min_int (-1 << (ARCH_SIZEOF_INT * 8 - 1))
-#define max_int (~min_int)
-#define min_long (-1L << (ARCH_SIZEOF_LONG * 8 - 1))
-#define max_long (~min_long)
+#define min_short (SHRT_MIN)
+#define max_short (SHRT_MAX)
+#define min_int (INT_MIN)
+#define max_int (INT_MAX)
+#define min_long (LONG_MIN)
+#define max_long (LONG_MAX)
#define min_int64_t (-((int64_t)1) << (sizeof(int64_t) * 8 - 1))
#define max_int64_t (~min_int64_t)
,
Nov 21
I'll take it on. Getting changes landed upstream can take some hand holding. Thanks for the help Brian.
,
Dec 1
ClusterFuzz testcase 4911409030496256 appears to be flaky, updating reproducibility label.
,
Dec 1
Please ignore the last comment about testcase being unreproducible. The testcase is still reproducible. This happened due to a code refactoring on ClusterFuzz side, and the underlying root cause is now fixed. Resetting the label back to Reproducible. Sorry about the inconvenience caused from these incorrect notifications.
,
Dec 4
ClusterFuzz testcase 4911409030496256 appears to be flaky, updating reproducibility label.
,
Dec 4
Please ignore the last comment about testcase being unreproducible. The testcase is still reproducible. This was caused by another bug in ClusterFuzz that has been fixed. Sorry again for the inconvenience.
,
Dec 5
,
Dec 7
The NextAction date has arrived: 2018-12-07 |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by ClusterFuzz
, Nov 18Labels: ClusterFuzz-Auto-CC