New issue
Advanced search Search tips

Issue 599625 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in media::AudioBus::AudioBus

Project Member Reported by ClusterFuzz, Mar 31 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5465468940320768

Fuzzer: inferno_flicker
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x0c136084
Crash State:
  media::AudioBus::AudioBus
  media::AudioBus::CreateWrapper
  media::MultiChannelResampler::MultiChannelResampler
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=379959:383563

Minimized Testcase (94.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Y_hu_e_RviVRmA4x2Gv3p9Y5GMKO5uKnIsdbWtM8S68gOiP4Qsz5wt4w8MbUo3SX2z_1bbgzPPmSWeYBnmvjZxAT1rBeG5OefCilgxfYF5ct66ABclZaUFy7pLlZ4amhfGzvaDx3Edj4GbRFn7qBdCmFT4nJ6Z4aTgdqQ0afzzI346Dk

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: chcunningham@chromium.org
Status: Assigned (was: Available)
Author: chcunningham
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/1675282361cc4dfa9e25beaabeb8c2e104140713
Time: Thu Mar 17 18:58:00 2016
File audio_renderer_mixer_input.cc is changed in this cl (and is part of stack frame #6, "media::AudioRendererMixerInput::Play")
Minimum distance from crash line to modified line: 13. (file: audio_renderer_mixer_input.cc, crashed on: 98, modified: 111).
Cc: dalecur...@chromium.org
Hey inferno, seems we only have stack for the allocation, not the overflow. I can try a local repro, but is there any way to get the bot to give me a stack?
Project Member

Comment 4 by ClusterFuzz, Mar 31 2016

Labels: Pri-1
Cc: infe...@chromium.org
Inferno, could you reply to #3?  Thanks!
Project Member

Comment 6 by ClusterFuzz, Apr 3 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5465468940320768

Fuzzer: inferno_flicker
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x0c136084
Crash State:
  media::AudioBus::AudioBus
  media::AudioBus::CreateWrapper
  media::MultiChannelResampler::MultiChannelResampler
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=379959:383563

Minimized Testcase (94.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Y_hu_e_RviVRmA4x2Gv3p9Y5GMKO5uKnIsdbWtM8S68gOiP4Qsz5wt4w8MbUo3SX2z_1bbgzPPmSWeYBnmvjZxAT1rBeG5OefCilgxfYF5ct66ABclZaUFy7pLlZ4amhfGzvaDx3Edj4GbRFn7qBdCmFT4nJ6Z4aTgdqQ0afzzI346Dk

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: tguilbert@chromium.org
Might be the same as  issue 599846  though the traces are different. chcunningham@ is OOO for a while, so over to some other folk.  cc:tguilbert@ who will be looking into that issue.
Components: Internals>Media>Audio
Labels: M-51
Project Member

Comment 9 by ClusterFuzz, Apr 5 2016

Labels: ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz
We're about 2 weeks away from M51 Beta launch. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged ASAP. 
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable M-50
Owner: tguilbert@chromium.org
M50 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on Apr-8 to make into the desktop Stable final build cut. Thanks!
Project Member

Comment 13 by ClusterFuzz, Apr 7 2016

Labels: ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz
Project Member

Comment 14 by sheriffbot@chromium.org, Apr 7 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 15 by bugdroid1@chromium.org, Apr 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/43eed5f900264ff88be25806c883dab2011260fa

commit 43eed5f900264ff88be25806c883dab2011260fa
Author: tguilbert <tguilbert@chromium.org>
Date: Thu Apr 07 23:34:48 2016

Fixing AudioBuffer params and channel layout bugs

Work for AAC implicit signaling introduced the possiblity for audio rendering
configs to change to change midstream. Checking for channel layout changes
caused a regression and caused 6 channel audio playback to fail.

Clusterfuzz also detected some heap buffer overflow issues, when the decoded
audio buffers we receive have a different channel layout or sample rate than
the ones we expect.

This change allows FfmpegAudioDecoder to ignore channel layout changes on non
AAC codec. It also checks that decoded AudioBuffer sample rate and channel
count match the expected parameters before adding them to the splicer queue, in
AudioRendererImpl.

BUG= 599625 ,  599846 ,  600538 
TEST=manual tests on an ASAN build, with ffmpeg_regression_test to follow
REVIEW=dalecurtis

Review URL: https://codereview.chromium.org/1868983004

Cr-Commit-Position: refs/heads/master@{#385922}

[modify] https://crrev.com/43eed5f900264ff88be25806c883dab2011260fa/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/43eed5f900264ff88be25806c883dab2011260fa/media/renderers/audio_renderer_impl.cc

Seems like fix at comment #15 landed at last night canary. If it looks good, please request a merge to M50 & M51. Thank you. 
Marked  issue 599846  for merge.
Project Member

Comment 18 by bugdroid1@chromium.org, Apr 8 2016

Labels: merge-merged-2661
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc

commit 7f2efb0b0cde7dffa231f43418eeddf9ef897ecc
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Fri Apr 08 19:35:09 2016

Merge M50: "Fixing AudioBuffer params and channel layout bugs"

Work for AAC implicit signaling introduced the possiblity for audio rendering
configs to change to change midstream. Checking for channel layout changes
caused a regression and caused 6 channel audio playback to fail.

Clusterfuzz also detected some heap buffer overflow issues, when the decoded
audio buffers we receive have a different channel layout or sample rate than
the ones we expect.

This change allows FfmpegAudioDecoder to ignore channel layout changes on non
AAC codec. It also checks that decoded AudioBuffer sample rate and channel
count match the expected parameters before adding them to the splicer queue, in
AudioRendererImpl.

BUG= 599625 ,  599846 ,  600538 
TEST=manual tests on an ASAN build, with ffmpeg_regression_test to follow
REVIEW=dalecurtis

Review URL: https://codereview.chromium.org/1868983004

Cr-Commit-Position: refs/heads/master@{#385922}
(cherry picked from commit 43eed5f900264ff88be25806c883dab2011260fa)

Review URL: https://codereview.chromium.org/1870113003 .

Cr-Commit-Position: refs/branch-heads/2661@{#533}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc/media/renderers/audio_renderer_impl.cc

Status: Fixed (was: Assigned)
Project Member

Comment 20 by bugdroid1@chromium.org, Apr 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/adb97b41fa91b752c3b99f67e3f370a36e6cedf4

commit adb97b41fa91b752c3b99f67e3f370a36e6cedf4
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Fri Apr 08 23:14:51 2016

Fix incorrect merge of security fix.

(cherry picked from commit 923f48d50fe35ac3ee00a80cc848a2e2983f106d)

BUG= 599625 

Review URL: https://codereview.chromium.org/1868403002 .

Cr-Commit-Position: refs/branch-heads/2661@{#536}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/adb97b41fa91b752c3b99f67e3f370a36e6cedf4/media/renderers/audio_renderer_impl.cc

Project Member

Comment 21 by ClusterFuzz, Apr 9 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 22 by sheriffbot@chromium.org, Jul 16 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 23 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 24 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment