Status: Fixed
Closed: Sep 2014
OS: All
Pri: 1
Type: Bug-Security
Use-of-uninitialized-value in webrtc::AudioDecoder::ConvertSpeechType
Project Member Reported by ClusterFuzz, Sep 5 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6701007590391808

Fuzzer: Phoglund_webrtc_peerconnection
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  webrtc::AudioDecoder::ConvertSpeechType
  webrtc::acm2::ACMISAC::Decode
  webrtc::NetEqImpl::DecodeLoop
  

Minimized Testcase (14.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97oRDveZ5CsTxkjGsBmau9IStzF5rMlazZadrdy5El4Dafc58ZHy570Zq2FamXjdGWj_TFzNA63GJ_p8EJ5gZCXRsjJideEWW9QJy7KfcWJueKk0FK8PK0YUv519ikKbf0wJ-u_5wF-fzgCPq_wy8DLcwm6jw

Additional requirements: Requires Gestures

Additional requirements: Requires HTTP

Filer: inferno
 
Cc: mallinath@chromium.org
Labels: Cr-Blink-WebRTC
Owner: phoglund@chromium.org
Status: Assigned
Project Member Comment 2 by ClusterFuzz, Sep 5 2014
Labels: Pri-1
Cc: -mallinath@chromium.org tlegrand@chromium.org phoglund@chromium.org
Owner: hlundin@chromium.org
Appears ACM_ISAC_DECODE_B doesn't always fill in a value for temp_type at https://code.google.com/p/chromium/codesearch#chromium/src/third_party/webrtc/modules/audio_coding/main/acm2/acm_isac.cc&sq=package:chromium&type=cs&l=742&rcl=1409711490. Perhaps the fuzzer causes the decode to fail somehow and the code doesn't handle the failure right?

Couldn't see any recent changes in that code so this has probably been there but not been provoked until now (not sure when CF spun up the MSAN fuzzer either).
Labels: M-37
Status: Started
Project Member Comment 7 by ClusterFuzz, Sep 8 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Project Member Comment 8 by ClusterFuzz, Sep 12 2014
ClusterFuzz has detected this issue as fixed in range 294363:294571.
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=294363:294571
If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Cc: timwillis@chromium.org
Labels: -M-37 -Merge-Triage iOS-Merge-Requested
Matthew - Merge requested for M38 (Branch 2125)
Cc: infe...@chromium.org
I assume this didn't make it to M38? I'll need to change my query for chasing bugs - I didn't realize that iOS bugs use an "iOS-Merge-Requested" label.
Labels: -iOS-Merge-Requested -M-38 Release-0-M39 M-39
This is not an iOS bug. We can let this roll into M39 (pain with webrtc roll to branch and this is sec-medium).
Project Member Comment 12 by ClusterFuzz, Dec 15 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 13 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 14 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic