New issue
Advanced search Search tips

Issue 912224 link

Starred by 1 user
Status: Verified
Owner:
pawliczek@chromium.org
Closed: Dec 24
Cc:
valleau@chromium.org
pawliczek@chromium.org
luum@chromium.org
skau@chromium.org
metzman@chromium.org
manojgupta@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



Sign in to add a comment

Direct-leak in inflateInit2_

Project Member Reported by ClusterFuzz, Dec 5 
Detailed report: https://clusterfuzz.com/testcase?key=5927386715258880

Project: chromeos
Fuzzer: libFuzzer_chromeos_cups_ppdopen_fuzzer
Fuzz target binary: cups_ppdopen_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  inflateInit2_
  cups_fill
  cupsFileGetChar
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=3186655:3189552

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5927386715258880

Issue filed automatically.

See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for more information.
Project Member

Comment 1 by ClusterFuzz, Dec 5

Cc: pawliczek@chromium.org valleau@chromium.org luum@chromium.org skau@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 2 by pawliczek@chromium.org, Dec 19

Owner: pawliczek@chromium.org

Comment 3 by pawliczek@chromium.org, Dec 20

Status: Started (was: Untriaged)
Project Member

Comment 4 by bugdroid1@chromium.org, Dec 23

Labels: merge-merged-cups-2-2-8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/cups/+/98f21db2925bd109bedd6916b80708f36d32feab

commit 98f21db2925bd109bedd6916b80708f36d32feab
Author: Piotr Pawliczek <pawliczek@google.com>
Date: Sun Dec 23 22:46:16 2018

cups: Correct bug in PPD parser

For some input data the function cupsFileGetChar(...) was incorrectly called
from the function ppd_read(...) after returning EOF in a previous call. This
causes incorrect state of cups_file and results in memory leak.

BUG= chromium:912224 
TEST=Tested on nautilus with cros_fuzz

Change-Id: I6861d9b87e56c152965c1a59dc5e0a4905781eb0
Reviewed-on: https://chromium-review.googlesource.com/1387166
Commit-Ready: Piotr Pawliczek <pawliczek@chromium.org>
Tested-by: Piotr Pawliczek <pawliczek@chromium.org>
Reviewed-by: David Valleau <valleau@chromium.org>

[modify] https://crrev.com/98f21db2925bd109bedd6916b80708f36d32feab/cups/ppd.c
Project Member

Comment 5 by ClusterFuzz, Dec 24 

ClusterFuzz has detected this issue as fixed in range 3269308:3269551.

Detailed report: https://clusterfuzz.com/testcase?key=5927386715258880

Fuzzer: libFuzzer_chromeos_cups_ppdopen_fuzzer
Fuzz target binary: cups_ppdopen_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  inflateInit2_
  cups_fill
  cupsFileGetChar
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=3186655:3189552
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=3269308:3269551

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5927386715258880

See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Dec 24

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5927386715258880 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment