Undefined-shift in media::H264BitReader::UpdateCurrByte
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5175362350219264

Fuzzer: libfuzzer_media_h264_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  media::H264BitReader::UpdateCurrByte
  media::H264BitReader::ReadBits
  media::H264Parser::ParseSEI

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jVMvvghf5EHN5ukEMysKAAusINFsQcMs7fTUqXAWKwweQtfhId4Vl4FDyhRD2DneLMehMWuJaK10brhr8GB0fJfq_P_GU9VcwzBygB_6-nP76BBRllBmrcAs5LbNDuAeRU8m9Vj1d4SB5LoTqiLiev1fkkw
Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 14 2016
Using the 6 bytes from the clusterfuzz crash with just "GYP_DEFINES='ubsan=1'" does not crash, but with logging I see the same value (shift of negative value -55553 in UpdateCurrByte).
Apr 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2112e70060f2f7f51fe594d02884703e74f1a582

commit 2112e70060f2f7f51fe594d02884703e74f1a582
Author: jrummell <jrummell@chromium.org>
Date: Fri Apr 15 01:06:07 2016

Avoid left shift of negative values when parsing H264 stream

Emulation prevention three-byte detection only needs the previous two bytes, so limit |prev_two_bytes_| to be just two bytes.

BUG=603485
TEST=test locally with clusterfuzz data

Review URL: https://codereview.chromium.org/1886423002
Cr-Commit-Position: refs/heads/master@{#387505}

[modify] https://crrev.com/2112e70060f2f7f51fe594d02884703e74f1a582/media/filters/h264_bit_reader.cc
Apr 15 2016
Sorry for confusion, correct flag is not 'ubsan', but 'is_ubsan_security'. I'll update documentation on this soon. Also I'm not sure if it works with GYP, since we build fuzzers with GN.
Apr 15 2016
Apr 20 2016
ClusterFuzz has detected this issue as fixed in range 387029:388415.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5175362350219264

Fuzzer: libfuzzer_media_h264_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  media::H264BitReader::UpdateCurrByte
  media::H264BitReader::ReadBits
  media::H264Parser::ParseSEI

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=387029:388415
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jVMvvghf5EHN5ukEMysKAAusINFsQcMs7fTUqXAWKwweQtfhId4Vl4FDyhRD2DneLMehMWuJaK10brhr8GB0fJfq_P_GU9VcwzBygB_6-nP76BBRllBmrcAs5LbNDuAeRU8m9Vj1d4SB5LoTqiLiev1fkkw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 20 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 14 2016. Owner: jrumm...@chromium.org