Status: Fixed
Closed: Nov 2011
OS: All
Pri: 1
Type: Bug-Security
OOB read in media::ScaleYUVToRGB32
Project Member Reported by infe...@chromium.org, Oct 25 2011
credit: Cris + ASAN + ClusterFuzz

Bot CLUSTER_FUZZ_92 on platform LINUX
Chromium Revision : 106933
Webkit Revision : 98222

/mnt/scratch0/chrome/src/out/Release/chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-desktop-notifications --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-geolocation --enable-indexed-database --enable-nacl --enable-native-web-workers --enable-search-provider-api-v2 --enable-video-track --force-internal-pdf --incognito --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --no-sandbox --single-process --disable-gpu-plugin --disable-gpu-rendering --disable-accelerated-compositing --disable-webgl --disable-accelerated-2d-canvas --user-data-dir=/mnt/scratch0/FuzzTmp/t91 

=================================================================
==5911== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f26e15a4b52 at pc 0x7f2706dc13f4 bp 0x7f26e747d4b0 sp 0x7f26e747d4a8
READ of size 1 at 0x7f26e15a4b52 thread T14
    #0 0x7f2706dc13f4 in media::ScaleYUVToRGB32(unsigned char const*, unsigned char const*, unsigned char const*, unsigned char*, int, int, int, int, int, int, int, media::YUVType, media::Rotate, media::ScaleFilter) 
    #1 0x7f27071b357c in webkit_glue::VideoRendererImpl::FastPaint(media::VideoFrame*, SkCanvas*, gfx::Rect const&) 
    #2 0x7f27071b2366 in webkit_glue::VideoRendererImpl::Paint(SkCanvas*, gfx::Rect const&) 
    #3 0x7f27071c9c68 in webkit_glue::WebMediaPlayerProxy::Paint(SkCanvas*, gfx::Rect const&) 
    #4 0x7f27071c5d19 in webkit_glue::WebMediaPlayerImpl::paint(SkCanvas*, WebKit::WebRect const&) 
    #5 0x7f270394173c in WebKit::WebMediaPlayerClientImpl::paintCurrentFrameInContext(WebCore::GraphicsContext*, WebCore::IntRect const&) 
    #6 0x7f2705065c9f in WebCore::RenderVideo::paintReplaced(WebCore::PaintInfo&, WebCore::IntPoint const&) 
    #7 0x7f2704fd6197 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) 
    #8 0x7f2704ef7f68 in WebCore::RenderImage::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) 
    #9 0x7f2704f39dd2 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 
    #10 0x7f2704f3a8c9 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 
    #11 0x7f2704f3a8c9 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 
    #12 0x7f2704f373ff in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, unsigned int) 
    #13 0x7f270495ff85 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) 
    #14 0x7f2704073e25 in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) 
    #15 0x7f27038698d6 in WebKit::WebFrameImpl::paintWithContext(WebCore::GraphicsContext&, WebKit::WebRect const&) 
    #16 0x7f2703869c05 in WebKit::WebFrameImpl::paint(SkCanvas*, WebKit::WebRect const&) 
    #17 0x7f27038a63fe in WebKit::WebViewImpl::paint(SkCanvas*, WebKit::WebRect const&) 
    #18 0x7f270690ad16 in RenderWidget::PaintRect(gfx::Rect const&, gfx::Point const&, skia::PlatformCanvas*) 
    #19 0x7f270690f3da in RenderWidget::DoDeferredUpdate() 
    #20 0x7f270690cf9a in RenderWidget::InvalidationCallback() 
    #21 0x7f27021f1029 in base::subtle::TaskClosureAdapter::Run() 
    #22 0x7f270217e93e in MessageLoop::RunTask(MessageLoop::PendingTask const&) 
    #23 0x7f270217f029 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 
    #24 0x7f27021801ea in MessageLoop::DoWork() 
    #25 0x7f2702189cf7 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) 
    #26 0x7f270217d66b in MessageLoop::RunInternal() 
    #27 0x7f270217bb29 in MessageLoop::Run() 
    #28 0x7f27021f43f8 in base::Thread::ThreadMain() 
    #29 0x7f27021f322c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #30 0x7f2707449115 in AsanThread::ThreadStart() /usr/local/google/asan/address-sanitizer/asan/asan_thread.cc:102
    #31 0x7f26fc5f99ca in start_thread /build/buildd/eglibc-2.11.1/nptl/pthread_create.c:300
    #32 0x7f26fa77970d in ?? /build/buildd/eglibc-2.11.1/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:114
0x7f26e15a4b52 is located 99 bytes to the right of 43631-byte region [0x7f26e159a080,0x7f26e15a4aef)
allocated by thread T20 here:
    #1 0x7f2706da3b81 in media::VideoFrame::AllocateYUV() 
    #2 0x7f2706da35e2 in media::VideoFrame::CreateFrame(media::VideoFrame::Format, unsigned long, unsigned long, base::TimeDelta, base::TimeDelta) 
    #3 0x7f270738ad97 in media::FFmpegVideoDecodeEngine::Initialize(MessageLoop*, media::VideoDecodeEngine::EventHandler*, media::VideoDecodeContext*, media::VideoDecoderConfig const&) 
    #4 0x7f27073799b1 in media::FFmpegVideoDecoder::Initialize(media::DemuxerStream*, base::Callback<void ()()> const&, base::Callback<void ()(media::PipelineStatistics const&)> const&) 
    #5 0x7f270738054d in base::internal::Invoker4<false, base::internal::InvokerStorage4<void (media::FFmpegVideoDecoder::*)(media::DemuxerStream*, base::Callback<void ()()> const&, base::Callback<void ()(media::PipelineStatistics const&)> const&), media::FFmpegVideoDecoder*, scoped_refptr<media::DemuxerStream>, base::Callback<void ()()>, base::Callback<void ()(media::PipelineStatistics const&)> >, void (media::FFmpegVideoDecoder::*)(media::DemuxerStream*, base::Callback<void ()()> const&, base::Callback<void ()(media::PipelineStatistics const&)> const&)>::DoInvoke(base::internal::InvokerStorageBase*) 
    #6 0x7f270217e93e in MessageLoop::RunTask(MessageLoop::PendingTask const&) 
    #7 0x7f270217f029 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 
    #8 0x7f27021801ea in MessageLoop::DoWork() 
    #9 0x7f2702189cf7 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) 
    #10 0x7f270217d66b in MessageLoop::RunInternal() 
    #11 0x7f270217bb29 in MessageLoop::Run() 
    #12 0x7f27021f43f8 in base::Thread::ThreadMain() 
    #13 0x7f27021f322c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #14 0x7f2707449115 in AsanThread::ThreadStart() /usr/local/google/asan/address-sanitizer/asan/asan_thread.cc:102
Thread T14 created by T0 here:
    #1 0x7f27021f2ff9 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, unsigned long*) base/threading/platform_thread_posix.cc:0
    #2 0x7f27021f2efa in base::PlatformThread::Create(unsigned long, base::PlatformThread::Delegate*, unsigned long*) 
    #3 0x7f27021f3c3d in base::Thread::StartWithOptions(base::Thread::Options const&) 
    #4 0x7f27062eb196 in BrowserRenderProcessHost::Init(bool) 
    #5 0x7f27061b51d4 in RenderViewHost::CreateRenderView(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&) 
    #6 0x7f2706263656 in TabContents::CreateRenderViewForRenderManager(RenderViewHost*) 
    #7 0x7f2706263a1d in non-virtual thunk to TabContents::CreateRenderViewForRenderManager(RenderViewHost*) 
    #8 0x7f2706245af9 in RenderViewHostManager::Navigate(NavigationEntry const&) 
    #9 0x7f2706256985 in TabContents::NavigateToEntry(NavigationEntry const&, NavigationController::ReloadType) 
    #10 0x7f2706256894 in TabContents::NavigateToPendingEntry(NavigationController::ReloadType) 
    #11 0x7f27062364dc in NavigationController::NavigateToPendingEntry(NavigationController::ReloadType) 
    #12 0x7f270623773c in NavigationController::LoadEntry(NavigationEntry*) 
    #13 0x7f2700bfeed6 in browser::Navigate(browser::NavigateParams*) 
    #14 0x7f2700bed358 in BrowserInit::LaunchWithProfile::OpenTabsInBrowser(Browser*, bool, std::vector<BrowserInit::LaunchWithProfile::Tab, std::allocator<BrowserInit::LaunchWithProfile::Tab> > const&) 
    #15 0x7f2700bea186 in BrowserInit::LaunchWithProfile::ProcessSpecifiedURLs(std::vector<GURL, std::allocator<GURL> > const&) 
    #16 0x7f2700be8ef6 in BrowserInit::LaunchWithProfile::ProcessStartupURLs(std::vector<GURL, std::allocator<GURL> > const&) 
    #17 0x7f2700be7048 in BrowserInit::LaunchWithProfile::ProcessLaunchURLs(bool, std::vector<GURL, std::allocator<GURL> > const&) 
    #18 0x7f2700be516a in BrowserInit::LaunchWithProfile::Launch(Profile*, std::vector<GURL, std::allocator<GURL> > const&, bool) 
    #19 0x7f2700be2da7 in BrowserInit::LaunchBrowser(CommandLine const&, Profile*, FilePath const&, BrowserInit::IsProcessStartup, BrowserInit::IsFirstRun, int*) 
    #20 0x7f2700bf0a9f in BrowserInit::ProcessCmdLineImpl(CommandLine const&, FilePath const&, bool, Profile*, int*, BrowserInit*) 
    #21 0x7f2701a50d9b in ChromeBrowserMainParts::PreMainMessageLoopRunInternal() 
    #22 0x7f2701a4a8b4 in ChromeBrowserMainParts::PreMainMessageLoopRun() 
    #23 0x7f270604fdfa in BrowserMain(MainFunctionParams const&) 
    #24 0x7f2701fa548a in (anonymous namespace)::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main.cc:0
    #25 0x7f2701fa4ce0 in content::ContentMain(int, char const**, content::ContentMainDelegate*) 
    #26 0x7f27008f40e7 in ChromeMain 
    #27 0x7f27008f333b in main 
    #28 0x7f26fa6b1c4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
Thread T20 created by T14 here:
    #1 0x7f27021f2ff9 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, unsigned long*) base/threading/platform_thread_posix.cc:0
    #2 0x7f27021f2efa in base::PlatformThread::Create(unsigned long, base::PlatformThread::Delegate*, unsigned long*) 
    #3 0x7f27021f3c3d in base::Thread::StartWithOptions(base::Thread::Options const&) 
    #4 0x7f27021f39c3 in base::Thread::Start() 
    #5 0x7f2706da1aee in media::MessageLoopFactoryImpl::GetMessageLoop(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) 
    #6 0x7f27071bfdfa in webkit_glue::WebMediaPlayerImpl::Initialize(WebKit::WebFrame*, bool, scoped_refptr<webkit_glue::WebVideoRenderer>) 
    #7 0x7f27068d9a4a in RenderViewImpl::createMediaPlayer(WebKit::WebFrame*, WebKit::WebMediaPlayerClient*) 
    #8 0x7f2703940080 in WebKit::WebMediaPlayerClientImpl::loadInternal() 
    #9 0x7f270410ef55 in WebCore::MediaPlayer::loadWithNextMediaEngine(WebCore::MediaPlayerFactory*) 
    #10 0x7f270410e0f1 in WebCore::MediaPlayer::load(WTF::String const&, WebCore::ContentType const&) 
    #11 0x7f2703e736a6 in WebCore::HTMLMediaElement::loadResource(WebCore::KURL const&, WebCore::ContentType&) 
    #12 0x7f2703e720c7 in WebCore::HTMLMediaElement::selectMediaResource() 
    #13 0x7f2703e7060a in WebCore::HTMLMediaElement::loadInternal() 
    #14 0x7f27040897f8 in WebCore::ThreadTimers::sharedTimerFiredInternal() 
    #15 0x7f27021f1029 in base::subtle::TaskClosureAdapter::Run() 
    #16 0x7f270217e93e in MessageLoop::RunTask(MessageLoop::PendingTask const&) 
    #17 0x7f270217f029 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 
    #18 0x7f27021801ea in MessageLoop::DoWork() 
    #19 0x7f2702189cf7 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) 
    #20 0x7f270217d66b in MessageLoop::RunInternal() 
    #21 0x7f270217bb29 in MessageLoop::Run() 
    #22 0x7f27021f43f8 in base::Thread::ThreadMain() 
    #23 0x7f27021f322c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #24 0x7f2707449115 in AsanThread::ThreadStart() /usr/local/google/asan/address-sanitizer/asan/asan_thread.cc:102
==5911== ABORTING
Shadow byte and word:
  0x1fe4dc2b496a: fa
  0x1fe4dc2b4968: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x1fe4dc2b4948: 00 00 00 00 00 00 00 00
  0x1fe4dc2b4950: 00 00 00 00 00 00 00 00
  0x1fe4dc2b4958: 00 00 00 00 00 07 fb fb
  0x1fe4dc2b4960: fa fa fa fa fa fa fa fa
=>0x1fe4dc2b4968: fa fa fa fa fa fa fa fa
  0x1fe4dc2b4970: fa fa fa fa fa fa fa fa
  0x1fe4dc2b4978: fa fa fa fa fa fa fa fa
  0x1fe4dc2b4980: fa fa fa fa fa fa fa fa
  0x1fe4dc2b4988: fa fa fa fa fa fa fa fa

Attachment: min--fuzz-bitflip-hadspw.webm (3.9 KB)
Cc: aohe...@gmail.com
cc:ing Aki, not sure if this is related?
Owner: cevans@chromium.org
I'll have a look at this tomorrow unless you object, Andrew?
Cc: scherkus@chromium.org rbultje@chromium.org
Labels: SecImpacts-Beta
Status: Started
Definitely fires in my ASAN build of Chrome 16, so affects Beta.
Valgrind doesn't seem to see it. I'll fire up an ASAN build on M15 branch & trunk...
Comment 4 by kcc@chromium.org, Nov 9 2011
>> Valgrind doesn't seem to see it.
Valgrind's redzone size is 16 bytes and here you have OOB by 99. 
Valgrind-variant (the one we use for Chrome) uses 64 bytes:
http://code.google.com/p/valgrind-variant/source/browse/trunk/valgrind/memcheck/mc_include.h#45
but it may still not be enough.
Labels: Mstone-16
Does not seem to affect M15. Does still affect M17 trunk.
So a probable M16 regression which we should try and fix before launch. I'm looking further.
Ok, I believe it's a regression from here: http://src.chromium.org/viewvc/chrome/trunk/src/media/base/video_frame.cc?r1=93276&r2=103961

Root cause: rounding errors for YV12 videos with odd pixel heights.

Looks to me as if the current code is the worst of both worlds: it overallocates for non-YUV videos with odd pixel heights and underallocates for YV12 videos with odd pixel heights.

Patch in review: http://codereview.chromium.org/8511043/
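Added example (not Chromium's code, and not the code at either revision linked in the comment above): a YV12 plane-size calculation showing why an odd pixel height trips an allocator that truncates the chroma plane height while the consumer rounds it up. The layout struct, the truncating variant, the BT.601 conversion and the sample frames are all constructed for this illustration; only the rounding principle is taken from the bug report, not the exact arithmetic behind the 43631-byte region in the ASAN output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Planar YV12: a full-resolution Y plane followed by V and U planes at half
 * resolution in each dimension.  Odd sizes must round UP for chroma: a 5-row
 * frame has luma rows 0..4, row 4 reads chroma row 4/2 = 2, so 3 chroma rows
 * are needed, not 2. */
typedef struct { size_t y_stride, y_rows, uv_stride, uv_rows; } yv12_layout;

/* Layout with correctly rounded-up chroma planes. */
yv12_layout yv12_layout_correct(int w, int h)
{
    yv12_layout l = { (size_t)w, (size_t)h, ((size_t)w + 1) / 2, ((size_t)h + 1) / 2 };
    return l;
}

/* Hypothetical buggy layout (constructed for this example, NOT Chromium's
 * code at any revision): chroma height truncated, so every odd-height frame
 * is one chroma row short per plane.  Same class of error as the bug, not its
 * exact arithmetic. */
yv12_layout yv12_layout_truncating(int w, int h)
{
    yv12_layout l = yv12_layout_correct(w, h);
    l.uv_rows = (size_t)h / 2;
    return l;
}

size_t yv12_bytes(const yv12_layout *l)
{
    return l->y_stride * l->y_rows + 2 * l->uv_stride * l->uv_rows;
}

/* Bytes a converter reading the full chroma planes of a w x h frame would
 * touch beyond an allocation of alloc_bytes; 0 means the buffer suffices. */
size_t yv12_overread_bytes(int w, int h, size_t alloc_bytes)
{
    yv12_layout need = yv12_layout_correct(w, h);
    size_t needed = yv12_bytes(&need);
    return needed > alloc_bytes ? needed - alloc_bytes : 0;
}

static uint8_t clip8(int v) { return (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v); }

/* Bounds-checked YV12 -> RGB32 (0xAARRGGBB, BT.601 integer math).  Refuses a
 * buffer too small for the rounded-up chroma planes instead of reading past
 * it.  Returns 0 on success, -1 if buf_len is short. */
int yv12_to_rgb32_checked(const uint8_t *buf, size_t buf_len,
                          int w, int h, uint32_t *out)
{
    yv12_layout l = yv12_layout_correct(w, h);
    if (w <= 0 || h <= 0 || buf_len < yv12_bytes(&l))
        return -1;
    const uint8_t *yp = buf;
    const uint8_t *vp = yp + l.y_stride * l.y_rows;
    const uint8_t *up = vp + l.uv_stride * l.uv_rows;
    for (int y = 0; y < h; y++) {
        for (int x = 0; x < w; x++) {
            int c = yp[(size_t)y * l.y_stride + (size_t)x] - 16;
            /* Luma row y samples chroma row y/2: for odd h the last row is
             * exactly the chroma row a truncating allocator never provided. */
            size_t ci = (size_t)(y / 2) * l.uv_stride + (size_t)(x / 2);
            int d = up[ci] - 128, e = vp[ci] - 128;
            uint8_t r = clip8((298 * c + 409 * e + 128) >> 8);
            uint8_t g = clip8((298 * c - 100 * d - 208 * e + 128) >> 8);
            uint8_t b = clip8((298 * c + 516 * d + 128) >> 8);
            out[(size_t)y * (size_t)w + (size_t)x] =
                0xFF000000u | ((uint32_t)r << 16) | ((uint32_t)g << 8) | b;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed frames: 6x5 (odd height, under-allocated) and 6x4 (even). */
    int dims[2][2] = { {6, 5}, {6, 4} };
    for (int i = 0; i < 2; i++) {
        yv12_layout bad = yv12_layout_truncating(dims[i][0], dims[i][1]);
        size_t alloc = yv12_bytes(&bad);
        printf("%dx%d: truncating alloc %zu bytes, over-read %zu bytes\n",
               dims[i][0], dims[i][1], alloc,
               yv12_overread_bytes(dims[i][0], dims[i][1], alloc));
    }
    uint8_t frame[48];
    memset(frame, 16, 30);        /* Y = 16: black */
    memset(frame + 30, 128, 18);  /* neutral chroma */
    uint32_t rgb[30];
    printf("6x5 into 42 bytes: %d\n", yv12_to_rgb32_checked(frame, 42, 6, 5, rgb));
    printf("6x5 into 48 bytes: %d\n", yv12_to_rgb32_checked(frame, 48, 6, 5, rgb));
    return 0;
}
```

The point to take from the example is that the allocation side and the read side must use the same rounding: with 6x5 the truncating layout yields 42 bytes while a converter that walks every luma row needs 48, so the last row's chroma fetch lands 6 bytes past the end, and the even-height 6x4 case shows no shortfall at all, which is why such bugs survive tests that only use even dimensions.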
Project Member Comment 7 by bugdroid1@chromium.org, Nov 10 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=109480

------------------------------------------------------------------------
r109480 | cevans@chromium.org | Thu Nov 10 11:40:21 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/media/base/video_frame.cc?r1=109480&r2=109479&pathrev=109480

Correct some rounding errors introduced recently.

BUG= 101494 
Review URL: http://codereview.chromium.org/8511043
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged
Merged to M16 at r110466
Project Member Comment 10 by bugdroid1@chromium.org, Nov 17 2011
Labels: merge-merged-912
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=110466

------------------------------------------------------------------------
r110466 | cevans@chromium.org | Wed Nov 16 23:37:49 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/912/src/media/base/video_frame.cc?r1=110466&r2=110465&pathrev=110466

Merge 109480 - Correct some rounding errors introduced recently.

BUG= 101494 
Review URL: http://codereview.chromium.org/8511043

TBR=cevans@chromium.org
Review URL: http://codereview.chromium.org/8585024
------------------------------------------------------------------------
Comment 11 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed..
Project Member Comment 12 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -Feature-Media -SecSeverity-Medium -Stability-AddressSanitizer -SecImpacts-Beta -Mstone-16 Cr-Internals-Media Security-Impact-Beta Security-Severity-Medium Cr-Internals Performance-Memory-AddressSanitizer Type-Bug-Security M-16
Project Member Comment 14 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 15 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 19 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Labels: ClusterFuzz
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic