Integer-overflow in opus_packet
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5348140953108480
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  opus_packet
  ogg_packet
  ogg_get_length
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9721NXWfVBrExF-v-qMCromqo6bYYJKmawFf0rgD0t3AbxK1JQqEZquNnuI4yzm0SVvu9Gc85vGwS3SRVXhrII2JGsyHThVmRjo0Sbk18mBsV9-VvjYIvViAaQAhZsV-7YOQktDkZ2CwzChP1HiKn76vMJcqg
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 6 2016
=>wolenetz who will be working on the ffmpeg roll for m-51
Apr 29 2016
Sharding this one to tguilbert@. Thanks Thomas! This one is probably also in M-50. Please check as part of fixing this.
May 7 2016
This repros using the ToT ffplay. On this line: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/ffmpeg/libavformat/oggdec.c&sq=package:chromium&type=cs&l=367, gp is assigned the value of 2^63, which is then assigned to os->granule, which is ok, because they are both unsigned longs. Starting from this line: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/ffmpeg/libavformat/oggparseopus.c&sq=package:chromium&type=cs&l=145, the value from os->granule minus an amount 'x' is stored in priv->cur_dts (a signed long), and then priv->cur_dts is re-incremented by the same value 'x', triggering the signed overflow. I will coordinate with chcunningham in order to get the fixes upstream and in Chrome.
May 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/7c3fccefe652fcaf4e937132af10c7703db7028a

commit 7c3fccefe652fcaf4e937132af10c7703db7028a
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue May 10 21:12:58 2016

avformat/oggparseopus: Check that granule pos is within the supported range

Larger values would imply file durations of astronomic proportions and cause overflows

Fixes integer overflow
Fixes: usan_int64_overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8efaee3710baa87af40556a622bf2d96a27c6425)

BUG=600959
Change-Id: Ib48df949577a34d81277e681c750aa1cccc965bc

[modify] https://crrev.com/7c3fccefe652fcaf4e937132af10c7703db7028a/libavformat/oggparseopus.c
[modify] https://crrev.com/7c3fccefe652fcaf4e937132af10c7703db7028a/chromium/patches/README
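Added example (not code from this thread, from ffmpeg or from Chromium): a small C model of the arithmetic tguilbert describes in the May 7 comment (cur_dts = granule - x, then cur_dts += x with granule = 2^63) beside a hardened variant that rejects out-of-range granule positions before any signed arithmetic, which is what the May 10 fix describes. The struct, the function names, the sample value 312 for 'x' and the bound MAX_SUPPORTED_GRANULE are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the demuxer state named in the thread:
 * os->granule (unsigned, read from the Ogg page) and priv->cur_dts (signed). */
struct opus_state {
    uint64_t granule;
    int64_t  cur_dts;
};

/* Illustrative upper bound on accepted granule positions. The fix rejects
 * granules outside a supported range; this constant is an assumption for
 * the example, not the value from the commit. */
#define MAX_SUPPORTED_GRANULE ((uint64_t)1 << 62)

/* The arithmetic from the May 7 comment: cur_dts = granule - x, then
 * cur_dts += x. With granule == 2^63 and a small positive x, granule - x
 * still fits int64_t, but adding x back exceeds INT64_MAX. The overflow is
 * detected explicitly here instead of being performed (UBSan would flag it). */
bool derive_dts_unchecked(struct opus_state *st, int64_t x)
{
    st->cur_dts = (int64_t)(st->granule - (uint64_t)x);
    if (x > 0 && st->cur_dts > INT64_MAX - x)
        return false;                 /* signed overflow on the re-increment */
    st->cur_dts += x;
    return true;
}

/* Hardened variant: reject implausible granule positions (and an x that
 * would underflow the subtraction) before any signed arithmetic happens. */
bool derive_dts_checked(struct opus_state *st, int64_t x)
{
    if (st->granule > MAX_SUPPORTED_GRANULE || x < 0 || (uint64_t)x > st->granule)
        return false;                 /* analogue of AVERROR_INVALIDDATA */
    return derive_dts_unchecked(st, x);
}

int main(void)
{
    /* Constructed input modelling the minimized test case: granule 2^63. */
    struct opus_state st = { .granule = (uint64_t)1 << 63, .cur_dts = 0 };
    printf("unchecked: %s\n", derive_dts_unchecked(&st, 312) ? "ok" : "overflow");
    printf("checked:   %s\n", derive_dts_checked(&st, 312) ? "ok" : "rejected");
    return 0;
}
```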
May 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/79fb282a377bd92f2a679babae5c627a4f4f118a

commit 79fb282a377bd92f2a679babae5c627a4f4f118a
Author: tguilbert <tguilbert@chromium.org>
Date: Thu May 12 03:21:23 2016

Roll src/third_party/ffmpeg/ 20d74768d..77fdc79ab (3 commits).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/20d74768dcd9..77fdc79ab485

$ git log 20d74768d..77fdc79ab --date=short --no-merges --format='%ad %ae %s'
2016-05-11 michael avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()
2016-05-09 chcunningham libavformat/oggdec: Free stream private when header parsing fails.
2016-05-10 michael avformat/oggparseopus: Check that granule pos is within the supported range

BUG=600959, 602185, 603495
R=wolenetz

Review-Url: https://codereview.chromium.org/1969993003
Cr-Commit-Position: refs/heads/master@{#393167}

[modify] https://crrev.com/79fb282a377bd92f2a679babae5c627a4f4f118a/DEPS
May 13 2016
ClusterFuzz has detected this issue as fixed in range 392658:393412.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5348140953108480
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  opus_packet
  ogg_packet
  ogg_get_length
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=392658:393412
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9721NXWfVBrExF-v-qMCromqo6bYYJKmawFf0rgD0t3AbxK1JQqEZquNnuI4yzm0SVvu9Gc85vGwS3SRVXhrII2JGsyHThVmRjo0Sbk18mBsV9-VvjYIvViAaQAhZsV-7YOQktDkZ2CwzChP1HiKn76vMJcqg
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 13 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
May 13 2016
Approving merge to M51 branch 2704 based on email thread "Re: Heads up: upcoming ffmpeg DEPS roll for M50/M51". Please merge your change to M51 branch 2704 before 5:00 PM PST Monday (05/16), so we can take it for next week's LAST M51 beta release. Thank you.
May 16 2016
The following revision refers to this bug: http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=87918

r87918 | chcunningham@google.com | 2016-05-16T18:28:23.295236Z
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 6 2016
Labels: Stability-Memory-UndefinedBehaviorSanitizer