Undefined-shift in ff_get_pcm_codec_id
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4798839747248128
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ff_get_pcm_codec_id
  ff_wav_codec_get_id
  ff_get_wav_header
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pd33-zlETWG7M-mJs3lnJlT9eq4lskh2nkrn3SccnK29nogDQHG544Wt16XMci2cZYtvdjUNGrVXe1WFlNxiPDRtBU2xjjHmbANQgTdewqp38foEJnVufYCF7P_2b-wLEkFPSvJcLT9SS_q4EjxMsiBbTpA
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 14 2016
Assign to wolenetz@ who is working on the FFmpeg roll. The fix probably should be upstreamed.
Apr 14 2016
Apr 28 2016
Apr 29 2016
Sharding this one to tguilbert@. Thanks Thomas! This one is probably also in M-50. Please check as part of fixing this.
May 5 2016
This repros in a UBSan build (using ./configure --toolchain=clang-usan ...) using the latest ffplay. It seems like this line might be the culprit: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/ffmpeg/libavformat/riffdec.c&sq=package:chromium&type=cs&l=66&rcl=1462461499 I do not know if there is a valid "reasonable" maximum bits per sample for the WAVE RIFF format. I will send an email to Michael Niedermayer once I am done investigating 600959.
May 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/77fdc79ab48570f5018cb4d4086909e8b7297743

commit 77fdc79ab48570f5018cb4d4086909e8b7297743
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue May 10 22:00:52 2016

avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()

We did not check that the bits per second received was a reasonable number (64 bps or less). This caused undefined behavior when we later attempted to left shift by "bits per second" (which ended up shifting by more than 64 bits).

Fixes undefined shift
Fixes: usan_shift

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea791c080dd5494b3bee0c618a3f52e371b5f320)

BUG= 603495
Change-Id: Ice2b7a9b5c3dbd15d0d9806bf456885a25cbe190

[modify] https://crrev.com/77fdc79ab48570f5018cb4d4086909e8b7297743/libavformat/utils.c
[modify] https://crrev.com/77fdc79ab48570f5018cb4d4086909e8b7297743/chromium/patches/README
May 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/79fb282a377bd92f2a679babae5c627a4f4f118a

commit 79fb282a377bd92f2a679babae5c627a4f4f118a
Author: tguilbert <tguilbert@chromium.org>
Date: Thu May 12 03:21:23 2016

Roll src/third_party/ffmpeg/ 20d74768d..77fdc79ab (3 commits).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/20d74768dcd9..77fdc79ab485

$ git log 20d74768d..77fdc79ab --date=short --no-merges --format='%ad %ae %s'
2016-05-11 michael avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()
2016-05-09 chcunningham libavformat/oggdec: Free stream private when header parsing fails.
2016-05-10 michael avformat/oggparseopus: Check that granule pos is within the supported range

BUG= 600959 , 602185 , 603495
R=wolenetz

Review-Url: https://codereview.chromium.org/1969993003
Cr-Commit-Position: refs/heads/master@{#393167}

[modify] https://crrev.com/79fb282a377bd92f2a679babae5c627a4f4f118a/DEPS
May 13 2016
May 13 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
May 13 2016
Er, hold off on approving this one. The fix updates utils.c but not autorename_libavformat_utils.c, which is the file we generate and actually include to hack around mac toolchain badness. See Issue 495833 . I'll land a fix and re-add the request label.
May 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/0ba7f6830534bc2afbbe24200cc51602272fc706

commit 0ba7f6830534bc2afbbe24200cc51602272fc706
Author: Chris Cunningham <chcunningham@chromium.org>
Date: Fri May 13 21:06:15 2016

Update autorename_libavformat_utils.c to match utils.c

In a follow-up CL I will update our generate_gyp.py to #include the original file (pre-rename), avoiding this in the future.

BUG= 603495 , 495833
Change-Id: Id0a531e39a7940d0ec69c3056cdf7a4846757188

[modify] https://crrev.com/0ba7f6830534bc2afbbe24200cc51602272fc706/libavformat/autorename_libavformat_utils.c
May 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/daf0b69488f463afc5dade7c391bb0beb9ff5776

commit daf0b69488f463afc5dade7c391bb0beb9ff5776
Author: chcunningham <chcunningham@chromium.org>
Date: Sat May 14 00:37:29 2016

Roll src/third_party/ffmpeg 77fdc79:0ba7f68

Brings in change to (autorename_libavformat_)utils.c to fix bug.

Summary of changes available at:
https://chromium.googlesource.com/chromium/third_party/ffmpeg/+log/77fdc79..0ba7f68

BUG= 603495

Review-Url: https://codereview.chromium.org/1974293003
Cr-Commit-Position: refs/heads/master@{#393707}

[modify] https://crrev.com/daf0b69488f463afc5dade7c391bb0beb9ff5776/DEPS
May 14 2016
ClusterFuzz has detected this issue as fixed in range 393601:393724.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4798839747248128
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ff_get_pcm_codec_id
  ff_wav_codec_get_id
  ff_get_wav_header
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=393601:393724
Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pd33-zlETWG7M-mJs3lnJlT9eq4lskh2nkrn3SccnK29nogDQHG544Wt16XMci2cZYtvdjUNGrVXe1WFlNxiPDRtBU2xjjHmbANQgTdewqp38foEJnVufYCF7P_2b-wLEkFPSvJcLT9SS_q4EjxMsiBbTpA
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5865324007653376
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ff_get_pcm_codec_id
  ff_wav_codec_get_id
  ff_get_wav_header
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97KYcf0nYt8PEf6yAga4KFWSQDfBSGq5Ep9oztf8EtTgC_nfq76ouu_lmC9q24zeeGY0oRvfVwRjGqnEbh1IslZo79l3h0nyh8yRliKzdHChusFy5asP6v2vuabeAUC9YDY-WeJDXp3mBp9ThU3B_0XyOCzLQ
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 16 2016
It seems the original undefined shift (too large) is fixed, but now we're hitting new undefined behavior with a shift that is negative. Will have a fix for this soon.
May 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1648fd90bce53f8a16514d6053d08289c2b50f9d

commit 1648fd90bce53f8a16514d6053d08289c2b50f9d
Author: chcunningham <chcunningham@chromium.org>
Date: Fri May 20 02:34:41 2016

Roll src/third_party/ffmpeg fa382f2:7f03319

Summary of changes available at:
https://chromium.googlesource.com/chromium/third_party/ffmpeg/+log/fa382f2..7f03319

Brings in security fix and basename collision fixes.

7f03319 avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id()
33e5416 Merge "Improve strategy for autorename_* basename collision hack."
1e4e65d Improve strategy for autorename_* basename collision hack.

BUG= 603495
TBR=wolenetz@chromium.org

Review-Url: https://codereview.chromium.org/1994313002
Cr-Commit-Position: refs/heads/master@{#394962}

[modify] https://crrev.com/1648fd90bce53f8a16514d6053d08289c2b50f9d/DEPS
May 20 2016
ClusterFuzz has detected this issue as fixed in range 394859:395005.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5865324007653376
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ff_get_pcm_codec_id
  ff_wav_codec_get_id
  ff_get_wav_header
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=394859:395005
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97KYcf0nYt8PEf6yAga4KFWSQDfBSGq5Ep9oztf8EtTgC_nfq76ouu_lmC9q24zeeGY0oRvfVwRjGqnEbh1IslZo79l3h0nyh8yRliKzdHChusFy5asP6v2vuabeAUC9YDY-WeJDXp3mBp9ThU3B_0XyOCzLQ
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 20 2016
I had a chat to mbarbella@ about this. There's not a strong security argument to merge this into M51, so from a security standpoint this can go with M52.
May 24 2016
May 24 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Jun 1 2016
Hi Tina, ping for merge review.
Jun 1 2016
(sorry, didn't mean to remove cc)
Jun 1 2016
Before we approve merge to M52, could you please confirm whether this change is baked/verified in Canary and safe to merge?
Jun 2 2016
Yes, this change has been in Canary for over a week. It's a very low-risk change.
Jun 6 2016
Approving merge to M52 branch 2743 based on comment #25. Please merge ASAP. Thank you.
Jun 7 2016
The following revision refers to this bug: http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=88663

------------------------------------------------------------------
r88663 | chcunningham@google.com | 2016-06-07T23:45:31.695277Z
-----------------------------------------------------------------
Jun 10 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
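The bug pattern behind the two FFmpeg fixes rolled in this thread (a WAVE bits-per-sample value used as a shift count, first unbounded above and then negative), as an added C illustration that is not FFmpeg's code or either patch; the names pcm_id, unchecked_shift_count, shift_count_is_valid and wav_pcm_codec_id are assumed for the example.

```c
#include <limits.h>
#include <stdbool.h>

/* Added illustration (not FFmpeg's code) of the bug pattern in this thread:
 * a WAVE "bits per sample" value is rounded up to a byte width and that
 * width is then used as a shift count.  All names here are assumed. */
enum pcm_id { PCM_NONE = 0, PCM_U8, PCM_S16, PCM_S24, PCM_S32, PCM_S64, PCM_F32, PCM_F64 };

/* Shift count the unchecked lookup would feed to (1 << count).  Values
 * above 64 quickly push the count past the width of int (bps 65535 gives
 * 8191); bps <= 0 gives a negative count.  Both are undefined behaviour in
 * C, which is what the two UBSan reports in this thread caught. */
int unchecked_shift_count(int bps)
{
    int bytes = (bps + 7) >> 3;
    return bytes - 1;
}

/* True when (1 << count) is well defined for a signed int of this width. */
bool shift_count_is_valid(int count)
{
    return count >= 0 && count < (int)(sizeof(int) * CHAR_BIT) - 1;
}

/* Hardened lookup: reject bps outside 1..64 before any shift, i.e. the upper
 * bound from the May 12 commit and the negative check from the May 20 one;
 * this version also rejects 0, which would yield a negative count.  sflags
 * marks which byte widths carry signed samples (bit n-1 for n bytes); WAVE
 * PCM uses ~1u, meaning everything except 8-bit is signed. */
enum pcm_id wav_pcm_codec_id(int bps, bool flt, unsigned sflags)
{
    if (bps <= 0 || bps > 64)
        return PCM_NONE;
    if (flt)
        return bps == 32 ? PCM_F32 : bps == 64 ? PCM_F64 : PCM_NONE;
    int bytes = (bps + 7) >> 3;                       /* 1..8, shift 0..7 */
    bool is_signed = (sflags & (1u << (bytes - 1))) != 0;
    switch (bytes) {
    case 1: return is_signed ? PCM_NONE : PCM_U8;
    case 2: return is_signed ? PCM_S16 : PCM_NONE;
    case 3: return is_signed ? PCM_S24 : PCM_NONE;
    case 4: return is_signed ? PCM_S32 : PCM_NONE;
    case 8: return is_signed ? PCM_S64 : PCM_NONE;
    default: return PCM_NONE;                         /* 5..7 bytes: no codec */
    }
}
```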