Status Update
Comments
li...@chromium.org <li...@chromium.org> #2
I noticed that there is an UNSAFE_TODO LoadJpxBitmap so assigning to tsepez to bump up the priority of investigating this particular TODO :)
Marking this as medium severity as an OOB read, and found-in to 125 since I repro'd it up to 125 as well.
th...@chromium.org <th...@chromium.org> #3
I tried using the Quick Upload button on
th...@chromium.org <th...@chromium.org> #4
So I'll bisect this locally and see when this started.
cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #5
li...@chromium.org <li...@chromium.org> #7
Strange that Quick Upload didn't work for you, I did get an upload going at least. Did you use your chromium or google account?
th...@chromium.org <th...@chromium.org> #8
re:
ti...@chromium.org <ti...@chromium.org> #9
Looked into the upload issue - it's because ClusterFuzz only allows some privileged users to associate testcases with existing bugs. I think we should relax this constraint, filed
pe...@google.com <pe...@google.com> #10
Setting milestone because of s2 severity.
ap...@google.com <ap...@google.com> #12
Branch: main
commit 1135cbda250cc83d15fdf53fe5fc32674ac7079e
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Jun 12 05:08:41 2024
Tolerate extra JPEG2000 image channels in CPDF_DIB::LoadJpxBitmap()
JPEG2000 images can have more color channels than the number of color
components. Thus checking for exactly 4 channels may be too strict. In
the case where the `JpxDecodeAction::kConvertArgbToRgb` action is in
use, remove the channel check when selecting the output image format.
Instead, use CHECK_GE() to make sure the code that chose to use
`kConvertArgbToRgb` only did that when there are 4 or more channels.
Bug: 345518608
Change-Id: I3574d82a0d74c6e50da929c6cabb2b0da7ebb208
Reviewed-on:
Reviewed-by: Thomas Sepez <tsepez@google.com>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
M core/fpdfapi/page/cpdf_dib.cpp
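The commit message above describes the fix in prose: the output-format selection for the `kConvertArgbToRgb` path no longer demands exactly 4 channels, and a `CHECK_GE()` enforces the converter's real precondition (at least 4 channels). The following is an added example, not PDFium's code and not taken from the commit: a small model of that precondition showing why "at least 4" is the right check and how a converter that validates it avoids reading past the decoder's buffer. The struct, function names, interleaved channel layout and the assumption that the first three channels carry colour are all assumptions made for the example.

```cpp
// Added example (not PDFium code): models the channel-count precondition
// described in the commit message. All names and layouts are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Decoded JPEG2000 output as an interleaved buffer: `channels` bytes per pixel.
// JPEG2000 images can carry more channels than the colour space has components.
struct JpxImage {
  uint32_t width;
  uint32_t height;
  uint32_t channels;            // may exceed the colour-component count
  std::vector<uint8_t> pixels;  // width * height * channels bytes (assumed layout)
};

// Strict check modelled on the one the commit calls "too strict": only exactly
// 4 channels is accepted, so a 5-channel image is rejected even though the
// ARGB->RGB conversion would handle it fine.
bool AcceptsExactlyFourChannels(uint32_t channels) { return channels == 4; }

// Precondition the converter actually needs (the CHECK_GE() of the commit):
// at least 4 channels per pixel.
bool AcceptsAtLeastFourChannels(uint32_t channels) { return channels >= 4; }

// Copies the first three channels of each pixel into packed 24-bit RGB and
// drops the fourth (alpha) and any extra channels. Returns nullopt instead of
// reading out of bounds when the precondition fails or the buffer is smaller
// than width * height * channels bytes.
std::optional<std::vector<uint8_t>> ConvertArgbToRgb(const JpxImage& img) {
  if (!AcceptsAtLeastFourChannels(img.channels))
    return std::nullopt;
  const size_t stride = static_cast<size_t>(img.width) * img.channels;
  if (img.pixels.size() < stride * img.height)
    return std::nullopt;
  std::vector<uint8_t> out;
  out.reserve(static_cast<size_t>(img.width) * img.height * 3);
  for (uint32_t y = 0; y < img.height; ++y) {
    const uint8_t* row = img.pixels.data() + static_cast<size_t>(y) * stride;
    for (uint32_t x = 0; x < img.width; ++x) {
      // Stepping by `channels`, not by 4, is what makes extra channels safe.
      const uint8_t* px = row + static_cast<size_t>(x) * img.channels;
      out.push_back(px[0]);
      out.push_back(px[1]);
      out.push_back(px[2]);
    }
  }
  return out;
}

// Constructed sample: 2x1 image with 5 channels (RGBA plus one extra).
JpxImage MakeFiveChannelSample() {
  return JpxImage{2, 1, 5, {10, 20, 30, 255, 99, 40, 50, 60, 255, 77}};
}

// Constructed sample: 2x1 image with only 3 channels; must be rejected.
JpxImage MakeThreeChannelSample() {
  return JpxImage{2, 1, 3, {1, 2, 3, 4, 5, 6}};
}

// Constructed sample: 5 channels declared but the buffer is short; rejected.
JpxImage MakeTruncatedSample() {
  return JpxImage{2, 1, 5, {10, 20, 30, 255, 99, 40, 50}};
}

int main() {
  const JpxImage five = MakeFiveChannelSample();
  std::printf("5 channels: strict=%d, at-least-4=%d, converted=%d\n",
              AcceptsExactlyFourChannels(five.channels),
              AcceptsAtLeastFourChannels(five.channels),
              ConvertArgbToRgb(five).has_value());
  std::printf("3 channels: converted=%d\n",
              ConvertArgbToRgb(MakeThreeChannelSample()).has_value());
  std::printf("truncated: converted=%d\n",
              ConvertArgbToRgb(MakeTruncatedSample()).has_value());
  return 0;
}
```

The point of the two sample rejections is that the format decision and the converter must agree on the same precondition: whichever code path selects `kConvertArgbToRgb` guarantees `channels >= 4`, and the converter walks the buffer with the real per-pixel stride rather than assuming 4 bytes per pixel.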
ap...@google.com <ap...@google.com> #13
Branch: main
commit e06752a5a007a813484b5108169c8bde7293b935
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Thu Jun 13 00:37:15 2024
Roll PDFium from 33ece3a42388 to 51d856c2ff01 (13 revisions)
2024-06-12 thestig@chromium.org Avoid another call to free resources during CPDF_Document destruction
2024-06-12 thestig@chromium.org Restore previous transparency rendering behavior
2024-06-12 thestig@chromium.org Roll third_party/skia/ ba0db3c0a..51eabd0d1 (249 commits; 1 trivial rolls)
2024-06-12 thestig@chromium.org Rewrite comments in CJPX_Decoder::StartDecode()
2024-06-12 thestig@chromium.org Tolerate extra JPEG2000 image channels in CPDF_DIB::LoadJpxBitmap()
2024-06-12 thestig@chromium.org Use std::unique_ptr in CJPX_Decoder
2024-06-12 tsepez@chromium.org Avoid UNSAFE_TODO() in CPDF_Bookmark.
2024-06-11 tsepez@chromium.org Remove last usage of #pragma allow_unsafe_buffers
2024-06-11 brkfstmnchr@gmail.com Add test for colorspace handling of regenerated streams
2024-06-11 thestig@chromium.org Remove some UNSAFE_TODOs in CFX_DIBitmap
2024-06-11 tsepez@chromium.org Avoid a few UNSAFE_TODO()s in CPDF_CIDFont.
2024-06-11 tsepez@chromium.org Avoid unsafe iteration and string construction in cpdf_font.cpp
2024-06-11 thestig@chromium.org Avoid addition calls to free resources during CPDF_Document destruction
If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
Please CC dhoss@chromium.org,pdfium-deps-rolls@chromium.org,thestig@chromium.org on the revert to ensure that a human
is aware of the problem.
To file a bug in PDFium:
To file a bug in Chromium:
To report a problem with the AutoRoller itself, please file a bug:
Documentation for the AutoRoller is here:
Bug: chromium:345518608,chromium:346598551,chromium:346606150,chromium:42271122,chromium:42271133,chromium:42271176,chromium:42271776
Tbr: pdfium-deps-rolls@chromium.org
Change-Id: Ide9229fce14cc1fd89720550574c7f959fa98e0d
Reviewed-on:
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Bot-Commit: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#1314370}
M DEPS
M third_party/pdfium
sp...@google.com <sp...@google.com> #14
Hello,
Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $7000.00 for this report.
Rationale for this decision:
report of memory corruption in the renderer / sandboxed process
Important: This payment will be issued by Bugcrowd. You will receive an email from Bugcrowd in the next 24 hours which contains a submission you must claim to be rewarded.
If you do not receive an email from them, please check your spam folder and then reach out to us via a comment here. For issues related to Bugcrowd itself, please contact them via
Thank you for your efforts and helping us make Chrome more secure for all users!
Cheers,
Chrome VRP Panel Bot
P.S. One other thing we'd like to mention:
* Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Please contact security-vrp@chromium.org with any questions.
am...@chromium.org <am...@chromium.org> #15
pe...@google.com <pe...@google.com> #16
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
The attached testcase crashes asan builds of pdfium/chrome on linux/windows:
Output of chromium-127.0.6521.0-win64-asan\pdfium_test.exe:
Chrome Version: tested asan builds of 125, 127
Operating System: windows, linux
Attached minimized testcase
Type of crash: tab
Reporter credit: soiax