Marti,

Thanks for the fixes. The Chromium bug most likely came from us too because
these fuzzers were ported over from Chrome.

LCMS build seems to fail now:

cmscgats.c:2294:22: error: conflicting types for 'cmsIT8LoadFromMem'
cmsHANDLE  CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, void *Ptr,
cmsUInt32Number len)
                     ^
../include/lcms2.h:1813:35: note: previous declaration is here
CMSAPI cmsHANDLE        CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID,
const void *Ptr, cmsUInt32Number len);
                                  ^
depbase=`echo cmshalf.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/bash ../libtool  --tag=CC   --mode=compile clang
-DPACKAGE_NAME=\"lcms2\" -DPACKAGE_TARNAME=\"lcms2\"
-DPACKAGE_VERSION=\"2.8\" -DPACKAGE_STRING=\"lcms2\ 2.8\"
-DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DSTDC_HEADERS=1
-DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1
-DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1
-DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\"
-DHAVE_PTHREAD=1 -DHasTHREADS=1 -I.  -I../include -I../include   -g
-fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters
 -MT cmshalf.lo -MD -MP -MF $depbase.Tpo -c -o cmshalf.lo cmshalf.c &&\
mv -f $depbase.Tpo $depbase.Plo
1 error generated.
Makefile:485: recipe for target 'cmscgats.lo' failed
make[1]: *** [cmscgats.lo] Error 1
make[1]: *** Waiting for unfinished jobs....

Is this something that got broken recently?

Also, we are not experts in lcms; are there any other good target functions
to fuzz?


On Sun, Dec 4, 2016 at 12:20 PM Marti <marti.ma...@littlecms.com> wrote:

> Thanks Mike,
>
> 3 of those cases refer to the same bug, which I fixed easily.
>
> https://github.com/mm2/Little-CMS/commit/a87cb2d1c1242b849e9ce84bd19b8501d14154dd
>
> The fourth was already reported to me by chromium team, I guess when they
> discovered it. This is more difficult because you need to create a crafted
> ICC profile in order to trick lcms. I’m on it, will take some days.
>
> Regarding severity, the IT8 parser is only a helper used by the companion
> demos. It is never used or called in any of the color management. Otherwise, I
> like to have all code robust and well tested, no matter whether it is used or not.
>
> Thanks again for reporting. A test case has been added to our automated
> harness testbed system, which is similar to what you are using.
>
> Best regards
>
> Marti Maria
>
> The LittleCMS project
>
> http://www.littlecms.com
>
> *From:* Mike Aizatsky [mailto:aizat...@google.com]
> *Sent:* Sunday, December 4, 2016 7:53 PM
> *To:* Marti <marti.ma...@littlecms.com>; lcms-user@lists.sourceforge.net
> *Subject:* Re: [Lcms-user] Reporting potential security vulnerabilities
> in lcms
>
> Marti,
>
> I've got your e-mail, thanks. I've CC'ed you on all 4 lcms bugs and they
> should now be visible to you:
>
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=142
>
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=157
>
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=166
>
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=192
>
> Can you check? The view should work as well:
> https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Proj%3Alcms&saved=4&sort=-id&ts=1480876967
>
> Here's our reproducing guide:
>
> https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md
>
> We used address sanitizer.
>
> The code for our fuzzers:
>
>
> https://github.com/google/oss-fuzz/blob/master/projects/lcms/cmsIT8_load_fuzzer.c
>
>
> https://github.com/google/oss-fuzz/blob/master/projects/lcms/cms_transform_fuzzer.c
>
> We would really love to see them moved to your repository and integrated
> with your build system.
>
> Just feed input bytes to these functions or you can use a standalone
> driver like this:
>
> https://reviews.llvm.org/diffusion/L/browse/llvm/trunk/lib/Fuzzer/standalone/StandaloneFuzzTargetMain.c
>
> Let me know if you have any questions or problems reproducing.
>
> On Sat, Dec 3, 2016 at 1:06 AM Marti <marti.ma...@littlecms.com> wrote:
>
> Hello Mike,
>
> First, I would like to thank you very much for all the effort you have put into
> making lcms more secure. I appreciate it.
>
> I will contact you by a separate email from my google account.
>
> If anybody else on the list is interested in this stuff, please let me
> know. Please note this is related to security and therefore I will not
> publicly list the vulnerabilities found. Depending on the severity, I
> can do a maintenance release to deal with that.
>
> Best regards
>
> Marti Maria
>
> The LittleCMS project
>
> http://www.littlecms.com
>
> *From:* Mike Aizatsky [mailto:aizat...@google.com]
> *Sent:* Friday, December 2, 2016 7:58 PM
> *To:* lcms-user@lists.sourceforge.net
> *Subject:* [Lcms-user] Reporting potential security vulnerabilities in
> lcms
>
> Hi!
>
> Our OSS-Fuzz fuzzing effort (
> https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html)
> has located several potential issues in the lcms library (crash, heap use after
> free, heap buffer overflow) using the fuzz targets we developed (
> https://github.com/google/oss-fuzz/tree/master/projects/lcms).
>
> These crashes are now filed in a security-protected monorail tracker (
> https://bugs.chromium.org/p/oss-fuzz/issues/list) and we'd like to find
> lcms developers to take a look at them.
>
> We will CC developers on these issues to give them access to stack traces
> and reproducer data. For that we'd need an e-mail with an associated Gmail
> account.
>
> We will also set up the process to auto-CC these e-mails when we find more
> issues.
>
> --
>
> Mike
> Sent from phone
>
-- 
Mike
Sent from phone
------------------------------------------------------------------------------
_______________________________________________
Lcms-user mailing list
Lcms-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lcms-user