Status: Fixed
Closed: Oct 2014
OS: All
Pri: 1
Type: Bug-Security
Blocking: issue 426560

UNKNOWN in media::container_names::DetermineContainer
Project Member Reported by ClusterFuzz, Oct 22 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4578994040078336

Fuzzer: Cdiehl_peach
Job Type: Linux_asan_chrome_media

Crash Type: UNKNOWN
Crash Address: 0x624f80048910
Crash State:
  media::container_names::DetermineContainer
  media::FFmpegGlue::OpenContext
  void base::internal::ReturnAsParamAdapter<bool>
  

Minimized Testcase (318.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JL5rQtgSQe580KoMgoaSslSntku4vLNpFQPMBWlvfB7QghmCmWCBYx0uWlsexcEzbaTcaJXuFr4iFrDnQQEzTay_oLb_cOzjsxxomZO2VMn3IM7ggOoJiK3UwwvEXs4GiF4-r-MC6MDN2NXQhBloMYEFbgrAqmOnaMgoLPQ80QFFjrSQ

Filer: inferno
 
Cc: scherkus@chromium.org nordi...@gmail.com
Owner: dalecur...@chromium.org
Status: Assigned
Dale, can you please take a look.
Project Member Comment 2 by ClusterFuzz, Oct 22 2014
Labels: Pri-1
Cc: xhw...@chromium.org
xhwang@, do you have time to take a look at this one?
Comment 4 by xhw...@chromium.org, Oct 23 2014
Cc: jrumm...@chromium.org
jrummell: This crash happens in DetermineContainer(). Can you take a look?
Comment 5 by xhw...@chromium.org, Oct 24 2014
Cc: -jrumm...@chromium.org dalecur...@chromium.org
Owner: jrumm...@chromium.org
Status: Started
Comment 6 by xhw...@chromium.org, Oct 24 2014
Blocking: chromium:426560
Project Member Comment 7 by bugdroid1@chromium.org, Oct 25 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b2006ac87cec58363090e7d5e10d5d9e3bbda9f9

commit b2006ac87cec58363090e7d5e10d5d9e3bbda9f9
Author: jrummell <jrummell@chromium.org>
Date: Sat Oct 25 00:36:28 2014

Add extra checks to avoid integer overflow.

BUG= 425980 
TEST=no crash with ASAN

Review URL: https://codereview.chromium.org/659743004

Cr-Commit-Position: refs/heads/master@{#301249}

[modify] https://chromium.googlesource.com/chromium/src.git/+/b2006ac87cec58363090e7d5e10d5d9e3bbda9f9/media/base/container_names.cc
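The commit above only says that it adds extra checks against integer overflow in media/base/container_names.cc; the page does not show the patch itself. The following is an added example, not Chromium's code and not the actual fix, that illustrates the class of bug a container sniffer like DetermineContainer is exposed to: a length-prefixed box header whose claimed size is large enough that `offset + size` wraps in 32-bit arithmetic, so a naive bounds check passes and the parser reads past the end of the buffer. The names (`BoxFitsUnsafe`, `BoxFitsSafe`, `CountBoxes`, `MakeSample`), the box layout and the sample bytes are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed example, not media/base/container_names.cc.
// A container sniffer walks a sequence of length-prefixed boxes:
//   [4-byte big-endian size][4-byte type][payload ...]
// and must decide whether the next box lies entirely inside the buffer.

static uint32_t ReadBE32(const uint8_t* p) {
  return (uint32_t{p[0]} << 24) | (uint32_t{p[1]} << 16) |
         (uint32_t{p[2]} << 8) | uint32_t{p[3]};
}

// Unsafe check: offset + size is computed in uint32_t and wraps when the sum
// exceeds UINT32_MAX, so a huge attacker-chosen size can pass the comparison.
bool BoxFitsUnsafe(uint32_t offset, uint32_t size, uint32_t buffer_size) {
  return offset + size <= buffer_size;
}

// Safe check: compare against the remaining space instead of adding, so no
// intermediate value can overflow.
bool BoxFitsSafe(size_t offset, size_t size, size_t buffer_size) {
  if (offset > buffer_size) return false;
  return size <= buffer_size - offset;  // cannot underflow after the check above
}

// Walks the boxes with the safe check and returns how many complete boxes were
// found. A malformed size stops the walk instead of producing an out-of-bounds read.
int CountBoxes(const std::vector<uint8_t>& buf) {
  size_t offset = 0;
  int count = 0;
  while (buf.size() - offset >= 8) {
    uint32_t size = ReadBE32(&buf[offset]);
    if (size < 8) return count;  // a box must at least cover its own header
    if (!BoxFitsSafe(offset, size, buf.size())) return count;
    offset += size;
    ++count;
  }
  return count;
}

// Constructed sample: two well-formed boxes followed by a header whose size
// field is close to UINT32_MAX, the kind of value a fuzzer produces.
std::vector<uint8_t> MakeSample() {
  std::vector<uint8_t> v;
  auto push_box = [&v](uint32_t size, const char* type, size_t payload) {
    v.push_back(static_cast<uint8_t>(size >> 24));
    v.push_back(static_cast<uint8_t>(size >> 16));
    v.push_back(static_cast<uint8_t>(size >> 8));
    v.push_back(static_cast<uint8_t>(size));
    v.insert(v.end(), type, type + 4);
    v.insert(v.end(), payload, uint8_t{0});
  };
  push_box(16, "ftyp", 8);
  push_box(12, "free", 4);
  push_box(0xFFFFFFF0u, "mdat", 0);  // claimed size far beyond the 36-byte buffer
  return v;
}

int main() {
  std::vector<uint8_t> sample = MakeSample();
  // The third header sits at offset 28 in a 36-byte buffer.
  std::printf("unsafe check accepts bogus box: %d\n",
              BoxFitsUnsafe(28, 0xFFFFFFF0u, static_cast<uint32_t>(sample.size())));
  std::printf("safe check accepts bogus box:   %d\n",
              BoxFitsSafe(28, 0xFFFFFFF0u, sample.size()));
  std::printf("complete boxes found: %d\n", CountBoxes(sample));
  return 0;
}
```

The unsafe comparison accepts the bogus third box because 28 + 0xFFFFFFF0 wraps to 12, which is below the buffer length; the rearranged check rejects it and the walker stops after the two valid boxes. The same reasoning applies to any size-plus-offset test in a parser fed untrusted bytes: compare against the remaining length, or use a checked-arithmetic helper, rather than adding first.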

Status: Fixed
Project Member Comment 9 by ClusterFuzz, Oct 25 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Project Member Comment 10 by ClusterFuzz, Oct 30 2014
ClusterFuzz has detected this issue as fixed in latest custom build.

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Labels: -Merge-Triage Merge-Requested M-39
Please merge to M39 (2171 branch) soon.
Labels: Security_Impact-Stable
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171.
Project Member Comment 14 by bugdroid1@chromium.org, Oct 30 2014
Labels: -Merge-Approved merge-merged-2171
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/047c3fcf527f2c6262d8ad135631dc5149ec6e60

commit 047c3fcf527f2c6262d8ad135631dc5149ec6e60
Author: John Rummell <jrummell@chromium.org>
Date: Thu Oct 30 23:17:15 2014

Merge to M39: Add extra checks to avoid integer overflow.

BUG= 425980 
TEST=no crash with ASAN

Review URL: https://codereview.chromium.org/659743004

Cr-Commit-Position: refs/heads/master@{#301249}
(cherry picked from commit b2006ac87cec58363090e7d5e10d5d9e3bbda9f9)

R=xhwang@chromium.org

Review URL: https://codereview.chromium.org/695673002

Cr-Commit-Position: refs/branch-heads/2171@{#312}
Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}

[modify] https://chromium.googlesource.com/chromium/src.git/+/047c3fcf527f2c6262d8ad135631dc5149ec6e60/media/base/container_names.cc

Labels: Release-0-M39
Labels: -reward-topanel reward-unpaid reward-500 CVE-2014-7908
Thanks for the fuzzer contribution! This one qualified for a $500 reward.
Labels: -reward-unpaid reward-inprocess
Payment in process.
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!
Project Member Comment 19 by ClusterFuzz, Feb 2 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 20 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic