Integer-overflow in WebRtcSpl_CrossCorrelationC
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6110544423026688
Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  WebRtcSpl_CrossCorrelationC
  WebRtcIlbcfix_MyCorr
  WebRtcIlbcfix_Refiner
Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XWP1MaYSFJMef1LRG6y7j7iC3Usa0zlUcMcOPtFjTVKaj3-1xnP7xIi1NexRTVtPGBUsMIdqoGNAV0xar5kMrNMsjh-V17fVgYYvaOp2PZjoduvCocH5DnSVFN6VsBPXGZOfjiQvneKf5afQREYoA-VpAYQ
Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 11 2016

May 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/4f6c2b6eff60d31873365d59710906c59d2937c9

commit 4f6c2b6eff60d31873365d59710906c59d2937c9
Author: kwiberg <kwiberg@webrtc.org>
Date: Thu May 26 10:40:51 2016

Fix UBSan errors (left shift of negative value)

BUG= chromium:601787
Review-Url: https://codereview.webrtc.org/2000403006
Cr-Commit-Position: refs/heads/master@{#12911}

[modify] https://crrev.com/4f6c2b6eff60d31873365d59710906c59d2937c9/webrtc/modules/audio_coding/codecs/ilbc/enhancer_interface.c
[modify] https://crrev.com/4f6c2b6eff60d31873365d59710906c59d2937c9/webrtc/modules/audio_coding/codecs/ilbc/smooth.c

Jun 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/729b21f97f3d849b1ef2bd61114e4b39d073884d

commit 729b21f97f3d849b1ef2bd61114e4b39d073884d
Author: kwiberg <kwiberg@webrtc.org>
Date: Thu Jun 02 11:02:12 2016

Add clz functions (Count number of Leading Zero bits), 32- and 64-bit variants

Using __builtin_clz on gcc/clang, and a fallback implementation otherwise. Also redefine WebRtcSpl_GetSizeInBits(x) as simply 32 - clz32(x).

BUG= chromium:601787
Review-Url: https://codereview.webrtc.org/2014023002
Cr-Commit-Position: refs/heads/master@{#13014}

[modify] https://crrev.com/729b21f97f3d849b1ef2bd61114e4b39d073884d/webrtc/common_audio/BUILD.gn
[modify] https://crrev.com/729b21f97f3d849b1ef2bd61114e4b39d073884d/webrtc/common_audio/common_audio.gyp
[modify] https://crrev.com/729b21f97f3d849b1ef2bd61114e4b39d073884d/webrtc/common_audio/real_fourier.cc
[modify] https://crrev.com/729b21f97f3d849b1ef2bd61114e4b39d073884d/webrtc/common_audio/signal_processing/include/spl_inl.h
[modify] https://crrev.com/729b21f97f3d849b1ef2bd61114e4b39d073884d/webrtc/common_audio/signal_processing/signal_processing_unittest.cc
[add] https://crrev.com/729b21f97f3d849b1ef2bd61114e4b39d073884d/webrtc/common_audio/signal_processing/spl_inl.c
[modify] https://crrev.com/729b21f97f3d849b1ef2bd61114e4b39d073884d/webrtc/system_wrappers/include/compile_assert_c.h

Jun 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/a10740239dd0f40f54d65288055e128496e2da3f

commit a10740239dd0f40f54d65288055e128496e2da3f
Author: kwiberg <kwiberg@webrtc.org>
Date: Wed Jun 08 12:24:40 2016

Fix UBSan errors (signed integer overflow)

WebRtcSpl_CrossCorrelation and WebRtcSpl_DotProductWithScale compute the int32 sum of pairwise products from two int16 arrays. So as to avoid overflow (which could otherwise happen when as little as two products were summed), the products are right-shifted by an amount specified by the caller. This CL changes WebRtcIlbcfix_MyCorr and WebRtcIlbcfix_Smooth to give sufficient right-shift amounts, instead of ones that may be too small and cause overflow.

BUG= chromium:601787
Review-Url: https://codereview.webrtc.org/2014033002
Cr-Commit-Position: refs/heads/master@{#13066}

[modify] https://crrev.com/a10740239dd0f40f54d65288055e128496e2da3f/webrtc/modules/audio_coding/codecs/ilbc/my_corr.c
[modify] https://crrev.com/a10740239dd0f40f54d65288055e128496e2da3f/webrtc/modules/audio_coding/codecs/ilbc/smooth.c
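The two commit messages above describe the mechanism without showing it: a 32-bit accumulator summing products of two int16 values overflows after as few as two worst-case products (each product can reach 2^30), so the caller must right-shift each product by enough bits before summing; the earlier commit adds a clz-based WebRtcSpl_GetSizeInBits used to derive such amounts. The C below is an added illustration written for this page, not WebRTC's code: it implements a clz with a portable fallback, derives a shift from the number of terms using the 32 - clz32(x) definition quoted above, and runs a checked dot product over a constructed worst-case input (all samples INT16_MIN) so the overflow with too small a shift is detected rather than silently wrapping. The function names and the rule "shift by the bit-length of the term count" are this example's own assumptions, not the amounts the WebRTC patch chose.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Portable count-leading-zeros for 32-bit values; clz of 0 is defined as 32 here. */
static int clz32_portable(uint32_t x) {
    int n = 0;
    if (x == 0) return 32;
    if ((x & 0xFFFF0000u) == 0) { n += 16; x <<= 16; }
    if ((x & 0xFF000000u) == 0) { n += 8;  x <<= 8;  }
    if ((x & 0xF0000000u) == 0) { n += 4;  x <<= 4;  }
    if ((x & 0xC0000000u) == 0) { n += 2;  x <<= 2;  }
    if ((x & 0x80000000u) == 0) { n += 1; }
    return n;
}

/* Use the compiler builtin where available (its result for 0 is undefined, so guard it). */
static int clz32(uint32_t x) {
#if defined(__GNUC__) || defined(__clang__)
    return x == 0 ? 32 : __builtin_clz(x);
#else
    return clz32_portable(x);
#endif
}

/* Bit-length of x, i.e. the 32 - clz32(x) definition from the commit message above. */
static int size_in_bits(uint32_t x) { return 32 - clz32(x); }

/* Assumed rule (this example's own): shifting each product right by the bit-length of
   the term count n guarantees |sum| <= n * 2^(30 - bits(n)) < 2^30, which fits int32. */
static int safe_shift(size_t n) { return size_in_bits((uint32_t)n); }

/* Arithmetic right shift that avoids implementation-defined >> on negative values
   (rounds toward zero; sufficient for the range argument made here). */
static int32_t shr_signed(int32_t v, int shift) {
    return v >= 0 ? (v >> shift) : -((-v) >> shift);
}

/* Cross-correlation style sum of pairwise int16 products, each product right-shifted
   by `shift` before accumulation. Accumulates in int64 and reports, instead of
   wrapping, whether the int32 result a caller would receive has overflowed.
   Returns 1 on overflow (and *out is unspecified), 0 otherwise. */
static int dot_product_checked(const int16_t *a, const int16_t *b, size_t n,
                               int shift, int32_t *out) {
    int64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t prod = (int32_t)a[i] * (int32_t)b[i];  /* |prod| <= 2^30, fits int32 */
        acc += shr_signed(prod, shift);
    }
    if (acc > INT32_MAX || acc < INT32_MIN) return 1;
    *out = (int32_t)acc;
    return 0;
}

/* Constructed worst-case input: every sample is INT16_MIN, so every product is 2^30. */
#define WORST_N 64
static int worst_case(size_t n, int shift, int32_t *out) {
    int16_t a[WORST_N];
    if (n > WORST_N) n = WORST_N;
    for (size_t i = 0; i < n; i++) a[i] = INT16_MIN;
    return dot_product_checked(a, a, n, shift, out);
}

static int worst_case_overflows(size_t n, int shift) {
    int32_t v = 0;
    return worst_case(n, shift, &v);
}

static int32_t worst_case_value(size_t n, int shift) {
    int32_t v = 0;
    worst_case(n, shift, &v);
    return v;
}

int main(void) {
    /* Two products with no shift already overflow, as the commit message states. */
    printf("n=2 shift=0 overflow=%d\n", worst_case_overflows(2, 0));
    /* A shift derived from the term count keeps the worst case in range. */
    int s = safe_shift(4);
    printf("n=4 shift=%d overflow=%d value=%d\n", s, worst_case_overflows(4, s),
           worst_case_value(4, s));
    return 0;
}
```

With n = 4 the derived shift is size_in_bits(4) = 3, each 2^30 product becomes 2^27, and the sum is 2^29 = 536870912 with no overflow; with shift 0 the same two-term input already exceeds INT32_MAX, which is exactly the condition UBSan flagged in WebRtcSpl_CrossCorrelationC.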
Jun 9 2016
The CLs in comment 3 and comment 5 fix the problem for me when I test locally.
Jun 11 2016

ClusterFuzz has detected this issue as fixed in range 398351:399229.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6110544423026688
Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  WebRtcSpl_CrossCorrelationC
  WebRtcIlbcfix_MyCorr
  WebRtcIlbcfix_Refiner
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97SXeFIrqqU6F6_IMQfgvjDpQJ9fDIUdpNY956afCZEumACDOv6MFNZSdV_9cUkeK02QzD7zzNU5bbcqzgWBOC5S3TRoW-WErgHFL1An2d6HpOkqep8p6VczTx_bG0btWCBHS__8R9kwfy9xhn8_9FBYVB2OQ

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 8 2016

Components: Blink>WebRTC>Audio
Owner: pbos@chromium.org