Integer-overflow in silk_decode_core
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5185880712544256
Fuzzer: libfuzzer_audio_decoder_opus_redundant_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  silk_decode_core
  silk_decode_frame
  silk_Decode
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94nP_vb6xbbIo9Pjb280Lo6qptl216m0swOTxS5ZwpxHvI3B3nN6K4BGkmD3_ucWEiP5RL4w8UT1Kb5AiL7U4atx3QBcIFk7DxGiIvh6d5YLjqv2MSLbDoz7JhVZiCNNz7R-qboMiMaFQKr4M6oqNrwK5DXJg
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 6 2016

Apr 6 2016

Apr 6 2016
flim@, Can you take a look at this? Consult kwiberg@ to get started on how to set up the repro. I'm not sure we should spend too much time on root-causing this. If it isn't trivial to fix (and the problem is within the Opus code) I think we should pass this on to the Opus guys. Please consult me on how to communicate this with them; stability issues are always a bit iffy w.r.t. third-party involvement.
Apr 6 2016
I checked with kwiberg but had trouble reproducing it locally using the testcase in the crash report.
Apr 8 2016

Apr 11 2016
kwiberg, flim: did you notice that this was a UBSan-fuzzer issue? I guess it would require different tools to be used.
Apr 11 2016
Aha! No, we didn't! Felicia, I suspect my repro instructions may work out of the box if you just ask for ubsan instead of asan when compiling (but I haven't checked).
Apr 11 2016
Great, I can reproduce it now using the ubsan option.
Apr 11 2016
Cool! Sorry for the missing instruction, will add it soon.
Apr 14 2016
I've discussed this with the Opus authors and have submitted a patch upstream for review.
Apr 14 2016
Thanks for updating.
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5185880712544256
Fuzzer: libfuzzer_audio_decoder_opus_redundant_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  silk_decode_core
  silk_decode_frame
  silk_Decode
Minimized Testcase (0.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95YZh3sCzaa-06t8ja7fNLP-4y1Ax-lHME32PV-Kk-aq8_9RiI3K_6NskHvhja9rrr6hsyH94iS81EJ5PUPmegAMEUcKa8JqlRnvTuWEVwfmKtfFXnT7VKkQCtzqXCeSeEXC-E3SqME9szGoqDqVqRmV_cK9Q?testcase_id=5185880712544256
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4818400132202496
Fuzzer: libfuzzer_audio_decoder_opus_redundant_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  silk_decode_core
  silk_decode_frame
  silk_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Minimized Testcase (0.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YDFnT8MM89JTOo1z21O6NXb9yNbwOOrvqpNqVroJiyNSPGjEkqMm612_5YW7J85M2oKyrseytjGPEGDITWqwvHFm93S7Zpf_XgB0LPmlVJ5KY4IcipS1zntP4Q2AHgsQ8PioI0LGC59C7FsMUKbU4bAsIwA?testcase_id=4818400132202496
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 27 2016
ClusterFuzz has detected this issue as fixed in range 407796:407929.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4818400132202496
Fuzzer: libfuzzer_audio_decoder_opus_redundant_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  silk_decode_core
  silk_decode_frame
  silk_Decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=407796:407929
Minimized Testcase (0.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YDFnT8MM89JTOo1z21O6NXb9yNbwOOrvqpNqVroJiyNSPGjEkqMm612_5YW7J85M2oKyrseytjGPEGDITWqwvHFm93S7Zpf_XgB0LPmlVJ5KY4IcipS1zntP4Q2AHgsQ8PioI0LGC59C7FsMUKbU4bAsIwA?testcase_id=4818400132202496
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 6 2016
Labels: Stability-UndefinedBehaviorSanitizer
Owner: pbos@chromium.org