Project: chromium
Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security
Use-of-uninitialized-value in ebml_read_num
Project Member Reported by clusterf...@chromium.org, Feb 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6299764108296192

Fuzzer: attekett_surku_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ebml_read_num
  ebml_parse
  matroska_parse_seekhead_entry
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=376801:376900

Minimized Testcase (18.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95EzbR7Co9GCjTik35eTo7CxE9TH3y-8o0d0guBUMJ_xoPC8t-T9_6QkgrdbK47bAqWEl3djwhvmy5p_roHo8rocuwtWBbGgugeVvCXElM0QU9eavO7de3oz25I1FBnM5s6r_cw3KQqnei0oixiT4j3m6gf3fAVAV1FoHWytG3Vs_RqPlQ

Filer: aarya

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by och...@chromium.org, Feb 24 2016
Components: Internals>Media>FFmpeg
Labels: M-49
Owner: dalecur...@chromium.org
Status: Assigned
Dale, could you please take a look, or help find an owner?
Cc: dalecur...@chromium.org
Owner: xhw...@chromium.org
xhwang@ is working on the ffmpeg roll for m50.
Comment 3 by xhw...@chromium.org, Feb 26 2016
Cc: xhw...@chromium.org
Owner: hubbe@chromium.org
hubbe: This seems to be caused by your MultiBuffer CL. Could you please take a look?

Author: hubbe
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dd6151100c52e52929d5e09f5f7fb15653c67f14
Time: Mon Nov 30 22:22:13 2015
The CL last changed line 325 of file resource_multibuffer_data_provider.cc, which is stack frame 2.
Project Member Comment 4 by clusterf...@chromium.org, Feb 27 2016
ClusterFuzz has detected this issue as fixed in range 377688:377898.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6299764108296192

Fuzzer: attekett_surku_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ebml_read_num
  ebml_parse
  matroska_parse_seekhead_entry
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=376801:376900
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=377688:377898

Minimized Testcase (18.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95EzbR7Co9GCjTik35eTo7CxE9TH3y-8o0d0guBUMJ_xoPC8t-T9_6QkgrdbK47bAqWEl3djwhvmy5p_roHo8rocuwtWBbGgugeVvCXElM0QU9eavO7de3oz25I1FBnM5s6r_cw3KQqnei0oixiT4j3m6gf3fAVAV1FoHWytG3Vs_RqPlQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 5 by clusterf...@chromium.org, Feb 29 2016
Labels: -Security_Impact-Head Security_Impact-Beta
Project Member Comment 6 by clusterf...@chromium.org, Mar 3 2016
Labels: -Security_Impact-Beta Security_Impact-Stable
Comment 7 by hubbe@chromium.org, Mar 7 2016
Status: Fixed
Project Member Comment 8 by clusterf...@chromium.org, Mar 10 2016
Labels: -Restrict-View-SecurityTeam Merge-Triage M-50 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: Merge-Request-50
Comment 10 by tin...@google.com, Mar 25 2016
Labels: -Merge-Request-50 Merge-Approved-50 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M50 (branch: 2661)
Please merge your change to M50 branch (2661) by EOD Monday (03/28), so we can take it for next week's beta cut. Thank you.
Please merge your change to M50 branch 2661 ASAP as we're getting close to M50 beta candidate cut for this week. Thank you.
Comment 13 by hubbe@chromium.org, Mar 28 2016
I think this was fixed before the m50 branch cut, so no need to merge anything AFAIK. Unless I'm mistaken, this was fixed in: https://codereview.chromium.org/1729223003

Labels: -Merge-Approved-50
Yeah, seems like NO M50 merge is needed here.

CL: https://codereview.chromium.org/1729223003
CL Committed: https://crrev.com/fdfdd80259808aa3329001efd9ca1fab00091ffb
Cr-Commit-Position: refs/heads/master@{#377709}
  
M50 Branched Chromium at revision: 378081. Removing "Merge-Approved-50" label. Please correct me if I'm missing anything here. Thank you.


Labels: Release-0-M50
Labels: CVE-2016-1654
Labels: -reward-topanel reward-1500 reward-unpaid
Thanks again for the fuzzer contribution, Atte! This one qualified for a $1500 reward.
Project Member Comment 18 by sheriffbot@chromium.org, Apr 14 2016
Labels: -M-49
Labels: -reward-unpaid reward-inprocess
Labels: -Merge-Triage
Project Member Comment 21 by sheriffbot@chromium.org, Jun 14 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 23 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic