
Issue metadata

Status: Fixed
Owner:
Closed: May 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 368980: Heap-buffer-overflow in ff_er_frame_end

Reported by ClusterFuzz, May 1 2014 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6153391745007616

Fuzzer: Inferno_flicker
Job Type: Linux_asan_chrome_media

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f2babc85a80
Crash State:
  - crash stack -
  ff_er_frame_end
  field_end
  decode_frame
  

Minimized Testcase (5283.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95U-FLBY-zi4bHFQVKXdYR-muUX7935zXfqYSSMVL4bgb0BMtMRVBoEa1H0UyjwHwWSD9Cs1Wp2dtIEHbgU_XvO6U0yoF0W6keCxIRufoD50CKb0pWV4-NJiyZr_kDID2J5q7ka7R8fbe7jNs2lcSRDKJy4z5hjiU_5G1AyFQsyDXjVYCY
 

Comment 1 by infe...@chromium.org, May 1 2014

Cc: scherkus@chromium.org
Owner: dalecur...@chromium.org
Status: Assigned
Dale, can you please take a look or help with an owner.

Comment 2 by ClusterFuzz, May 1 2014

Project Member
ClusterFuzz has detected this issue as fixed in latest custom build.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6153391745007616

Fuzzer: Inferno_flicker
Job Type: Linux_asan_chrome_media

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f2babc85a80
Crash State:
  - crash stack -
  ff_er_frame_end
  field_end
  decode_frame
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95U-FLBY-zi4bHFQVKXdYR-muUX7935zXfqYSSMVL4bgb0BMtMRVBoEa1H0UyjwHwWSD9Cs1Wp2dtIEHbgU_XvO6U0yoF0W6keCxIRufoD50CKb0pWV4-NJiyZr_kDID2J5q7ka7R8fbe7jNs2lcSRDKJy4z5hjiU_5G1AyFQsyDXjVYCY

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 3 by dalecur...@chromium.org, May 1 2014

Hah, weird, I don't think it's fixed...

Comment 4 by infe...@chromium.org, May 1 2014

This can happen with flaky tests, ignore the CF notification.

Comment 5 by dalecur...@chromium.org, May 3 2014

Hmm, this will be a bit tricky since I can't repro this with ffplay so it's hard to send upstream.  I think it doesn't repro there because FFmpeg uses a larger allocation for frames than we do.  I'll keep digging.

Comment 6 by ClusterFuzz, May 6 2014

Project Member
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6754388464893952

Fuzzer: Inferno_flicker
Job Type: Linux_asan_chrome_media

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f7e80af7280
Crash State:
  - crash stack -
  ff_er_frame_end
  field_end
  decode_frame
  

Minimized Testcase (263.90 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96FFPQC0KPwfBb9DQ6GZ5WQEjB6cR4Iyc33FfbFt5HmbO-8-ndPwHniQAhxTaXXX2iU7_MDYD1_fmXBaZrZwqfaXPLLLpq0jNzQ7hDvjLVEOZoEfQjT-tHPlkqDy8TrfJYx27KketLrUmfsA4aWxqGiurCAbRCFUkPG26ZZ7TU2EERlk60

Additional requirements: Requires Interaction Gestures

Comment 8 by infe...@chromium.org, May 6 2014

Labels: -Security_Severity-Medium Security_Severity-High

Comment 9 by bugdroid1@chromium.org, May 7 2014

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96e8ffb4e805c7266a2fc1fbe0e470052019bad9

commit 96e8ffb4e805c7266a2fc1fbe0e470052019bad9
Author: dalecurtis@chromium.org <dalecurtis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed May 07 16:55:55 2014 +0000

Replicate FFmpeg's video frame allocation strategy.

This should avoid accidental overreads and overwrites due to our
VideoFrame's not being as large as FFmpeg expects.

BUG= 368980 
TEST=new regression test

Review URL: https://codereview.chromium.org/270193002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@268831 0039d316-1c4b-4281-b951-d872f2087c98

Comment 10 by bugdroid1@chromium.org, May 7 2014

Project Member
------------------------------------------------------------------
r268831 | dalecurtis@chromium.org | 2014-05-07T16:55:55.837615Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/media/filters/ffmpeg_video_decoder.cc?r1=268831&r2=268830&pathrev=268831
   M http://src.chromium.org/viewvc/chrome/trunk/src/media/ffmpeg/ffmpeg_regression_tests.cc?r1=268831&r2=268830&pathrev=268831

Replicate FFmpeg's video frame allocation strategy.

This should avoid accidental overreads and overwrites due to our
VideoFrame's not being as large as FFmpeg expects.

BUG= 368980 
TEST=new regression test

Review URL: https://codereview.chromium.org/270193002
-----------------------------------------------------------------
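
Comment 5 and the fix commit above describe the root cause as a frame-sizing mismatch: the decoder works on buffers sized the way FFmpeg allocates them (rounded up to the coded size, with a border), while the embedding side allocated only the visible picture. The following C model is an added example written for this page; it is not Chromium or FFmpeg code and does not reproduce the actual allocation routine. It treats a decoder as writing whole macroblocks and counts how many of those writes would fall outside a tightly sized plane versus a padded one. `MB_SIZE`, `EDGE_PAD`, `PlaneGeometry` and the `count_oob_macroblocks` helper are illustrative assumptions, not values or names from either project.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example (not Chromium or FFmpeg code): models the frame-sizing
 * mismatch behind this bug. A macroblock-based decoder writes whole
 * macroblocks, so a plane sized exactly width*height can be overrun when
 * the picture is not a multiple of the macroblock size, while an
 * allocation rounded up to macroblocks plus a border absorbs those writes.
 * MB_SIZE and EDGE_PAD are assumed illustrative values, not any codec's. */

#define MB_SIZE  16   /* assumed macroblock edge, in luma samples */
#define EDGE_PAD 32   /* assumed border around the coded area */

typedef struct {
    int    width, height;  /* visible picture size */
    int    stride;         /* bytes per buffer row */
    int    rows;           /* rows in the buffer */
    size_t origin;         /* byte offset of the visible top-left pixel */
    size_t size;           /* total bytes allocated for the plane */
} PlaneGeometry;           /* geometry only; no pixel storage needed here */

static int align_up(int v, int a) { return (v + a - 1) / a * a; }

/* Tight allocation: exactly width*height bytes, no rounding, no border. */
static void plane_init_tight(PlaneGeometry *p, int w, int h) {
    p->width = w;  p->height = h;
    p->stride = w; p->rows = h;
    p->origin = 0;
    p->size = (size_t)w * (size_t)h;
}

/* Padded allocation: dimensions rounded up to whole macroblocks, plus an
 * EDGE_PAD border on every side; the visible picture starts inside it. */
static void plane_init_padded(PlaneGeometry *p, int w, int h) {
    p->width = w;  p->height = h;
    p->stride = align_up(w, MB_SIZE) + 2 * EDGE_PAD;
    p->rows   = align_up(h, MB_SIZE) + 2 * EDGE_PAD;
    p->origin = (size_t)EDGE_PAD * (size_t)p->stride + EDGE_PAD;
    p->size   = (size_t)p->stride * (size_t)p->rows;
}

/* Return 1 if a full-macroblock write at macroblock (mbx, mby), relative to
 * the visible origin, stays inside the allocation: no row wraps past the
 * stride and the last byte touched is below p->size. */
static int mb_write_in_bounds(const PlaneGeometry *p, int mbx, int mby) {
    long x0 = (long)mbx * MB_SIZE, y0 = (long)mby * MB_SIZE;
    long last_col = x0 + MB_SIZE - 1, last_row = y0 + MB_SIZE - 1;
    long origin_col = (long)(p->origin % (size_t)p->stride);
    if (origin_col + last_col >= p->stride) return 0;   /* row would wrap */
    long end = (long)p->origin + last_row * p->stride + last_col;
    return end < (long)p->size;
}

/* Number of macroblocks in the coded area whose writes would fall outside
 * the buffer, for a visible size w x h, under tight or padded allocation. */
static int count_oob_macroblocks(int w, int h, int padded) {
    PlaneGeometry p;
    if (padded) plane_init_padded(&p, w, h); else plane_init_tight(&p, w, h);
    int mbw = align_up(w, MB_SIZE) / MB_SIZE;
    int mbh = align_up(h, MB_SIZE) / MB_SIZE;
    int oob = 0;
    for (int y = 0; y < mbh; y++)
        for (int x = 0; x < mbw; x++)
            if (!mb_write_in_bounds(&p, x, y)) oob++;
    return oob;
}

int main(void) {
    /* Constructed sample sizes: one macroblock-aligned, two that are not. */
    int sizes[][2] = { {16, 16}, {17, 17}, {1920, 1080} };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int w = sizes[i][0], h = sizes[i][1];
        printf("%4dx%-4d tight: %3d macroblocks out of bounds, padded: %d\n",
               w, h, count_oob_macroblocks(w, h, 0), count_oob_macroblocks(w, h, 1));
    }
    return 0;
}
```

The model shows why a tightly sized frame only works by accident: it is safe exactly when both dimensions happen to be macroblock multiples, and a single extra pixel (17x17) or a common size such as 1080 rows pushes whole macroblock rows past the end of the buffer. Real decoders also read outside the visible area for motion compensation and error concealment, which this model does not simulate, so the durable fix is the one the commit describes: size frames with the library's own alignment and padding rules rather than with a locally chosen constant.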

Comment 11 by infe...@chromium.org, May 7 2014

Labels: Security_Impact-Stable Security_Impact-Beta M-35 Merge-Triage
Status: Fixed

Comment 12 by ClusterFuzz, May 9 2014

Project Member
ClusterFuzz has detected this issue as fixed in latest custom build.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6754388464893952

Fuzzer: Inferno_flicker
Job Type: Linux_asan_chrome_media

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f7e80af7280
Crash State:
  - crash stack -
  ff_er_frame_end
  field_end
  decode_frame
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96FFPQC0KPwfBb9DQ6GZ5WQEjB6cR4Iyc33FfbFt5HmbO-8-ndPwHniQAhxTaXXX2iU7_MDYD1_fmXBaZrZwqfaXPLLLpq0jNzQ7hDvjLVEOZoEfQjT-tHPlkqDy8TrfJYx27KketLrUmfsA4aWxqGiurCAbRCFUkPG26ZZ7TU2EERlk60

Additional requirements: Requires Interaction Gestures

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 13 by timwillis@chromium.org, May 12 2014

This needs to bake in a dev build before merging to M35, so it's probably going to land in M35 patch 1 at the earliest.

Comment 14 by ClusterFuzz, May 13 2014

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by timwillis@chromium.org, May 22 2014

Labels: -Merge-Triage Merge-Requested
This is already in M36 and is a high impact security bug, is a relatively small change and has had a lot of bake time.

Merge requested for M35 patch 1 (branch 1916).

Comment 16 by timwillis@chromium.org, May 28 2014

kareng@ - Bump - Merge-Requested for M35 patch 1 (branch 1916). Please see c#15 for context.

Comment 17 by timwillis@chromium.org, May 28 2014

Cc: kareng@google.com
Adding Karen this time.

Comment 18 by kareng@google.com, May 29 2014

Labels: -Merge-Requested Merge-Approved

Comment 19 by bugdroid1@chromium.org, May 29 2014

Project Member
Labels: -Merge-Approved merge-merged-1916
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ce0130c4da4fb54786f335f8085336f0024d9f22

commit ce0130c4da4fb54786f335f8085336f0024d9f22
Author: dalecurtis@google.com <dalecurtis@google.com@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Thu May 29 18:04:46 2014

Merge 268831 "Replicate FFmpeg's video frame allocation strategy."

> Replicate FFmpeg's video frame allocation strategy.
> 
> This should avoid accidental overreads and overwrites due to our
> VideoFrame's not being as large as FFmpeg expects.
> 
> BUG= 368980 
> TEST=new regression test
> 
> Review URL: https://codereview.chromium.org/270193002

TBR=dalecurtis@chromium.org

Review URL: https://codereview.chromium.org/308733002

git-svn-id: svn://svn.chromium.org/chrome/branches/1916/src@273520 0039d316-1c4b-4281-b951-d872f2087c98

Comment 20 by bugdroid1@chromium.org, May 29 2014

Project Member
------------------------------------------------------------------
r273520 | dalecurtis@google.com | 2014-05-29T18:04:46.012152Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1916/src/media/ffmpeg/ffmpeg_regression_tests.cc?r1=273520&r2=273519&pathrev=273520
   M http://src.chromium.org/viewvc/chrome/branches/1916/src/media/filters/ffmpeg_video_decoder.cc?r1=273520&r2=273519&pathrev=273520

Merge 268831 "Replicate FFmpeg's video frame allocation strategy."

> Replicate FFmpeg's video frame allocation strategy.
> 
> This should avoid accidental overreads and overwrites due to our
> VideoFrame's not being as large as FFmpeg expects.
> 
> BUG= 368980 
> TEST=new regression test
> 
> Review URL: https://codereview.chromium.org/270193002

TBR=dalecurtis@chromium.org

Review URL: https://codereview.chromium.org/308733002
-----------------------------------------------------------------

Comment 21 by timwillis@chromium.org, Jun 3 2014

Labels: Release-1-M35

Comment 22 by timwillis@chromium.org, Jun 9 2014

Labels: CVE-2014-3157

Comment 23 by ClusterFuzz, Aug 13 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 24 by ClusterFuzz, Feb 2 2016

Project Member
Labels: -Security_Impact-Beta

Comment 25 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 28 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Comment 29 by sheriffbot@chromium.org, Jul 29 2018

Project Member
Labels: Pri-1
