Undefined-shift in VP8GetBit
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6389931454234624

Fuzzer: libfuzzer_vp8_qp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  VP8GetBit
  webrtc::vp8::VP8GetValue
  ParseFilterHeader

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dv0gy0oZj-fcuWbxZIPOn_6M8eZVvKq7z1n_C02W6Dq3Ko7mCRvHVGazdAkeuezb4VF6HX2r7ViKV7S5Gx4RwjZC5IQOhFpQZB7FVR19Vglpq4fvzxOzOUMmht6NPW5TCOKTWQy8MM-HIxITqCrGjKucX_g

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 14 2016
jackychen@: I think you wrote this parser, can you take a look?

../../third_party/webrtc/modules/video_coding/utility/vp8_header_parser.cc:81:57: runtime error: shift exponent -1 is negative
Apr 14 2016
pbos@: generally speaking, -1 should not appear here (it's meaningless), but it does happen in the test, so I think I'd better add a check here: when -1 appears, just return 0 for the qp, which will not be used in quality_scaler.
Apr 15 2016
I think it should error out when the error appears, not when we happen to detect it later. Either the vp8 payload is too short and we should abort based on that, or the bitstream is incorrect, and then we should abort when reading -1.
Apr 15 2016
pbos@: br->bits_ is initialized to -8 and should become non-negative after VP8LoadNewBytes, so I think adding an assert after VP8LoadNewBytes is proper. Updated the patch: https://codereview.webrtc.org/1888313002/
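The refill-then-check discipline discussed above, as an added example that is not webrtc's code: a simplified boolean decoder in the libwebp style (an assumption about the parser's design, suggested by the VP8GetBit/VP8LoadNewBytes names) where the guard placed right after VP8LoadNewBytes turns a truncated payload into an eof result instead of a negative shift. It returns a flag where the patch uses an assert, and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified model of a libwebp-style boolean decoder, written for this bug entry; not
 * the webrtc parser's code. bits starts at -8 and turns non-negative only once a byte is
 * loaded, so an empty refill would otherwise leave VP8GetBit shifting by a negative count. */
typedef struct {
    const uint8_t *buf, *buf_end;
    uint32_t value, range;  /* bit window; current range minus one (libwebp convention) */
    int bits, eof;          /* window bits beyond the 8 being decoded; end-of-input flag */
} VP8BitReader;
static void VP8InitBitReader(VP8BitReader *br, const uint8_t *p, size_t n) {
    br->buf = p; br->buf_end = p + n;
    br->value = 0; br->range = 255 - 1; br->bits = -8; br->eof = 0;
}
/* One-byte refill. On a truncated payload it flags eof and leaves bits negative
 * (simplifying libwebp's tail handling, which zero-pads one byte first). */
static void VP8LoadNewBytes(VP8BitReader *br) {
    if (br->buf < br->buf_end) { br->value = (br->value << 8) | *br->buf++; br->bits += 8; }
    else br->eof = 1;
}
static int BitsLog2Floor(uint32_t n) { int l = 0; while (n >>= 1) ++l; return l; }
/* Decode one boolean with P(0) = prob/256. The check right after the refill is the thread's
 * fix: bits still negative means the payload ended, so report eof and return 0, never shift. */
static int VP8GetBit(VP8BitReader *br, int prob) {
    uint32_t range = br->range;
    if (br->bits < 0) VP8LoadNewBytes(br);
    if (br->bits < 0) { br->eof = 1; return 0; }
    {
        const int pos = br->bits;
        const uint32_t split = (range * (uint32_t)prob) >> 8;
        const int bit = (br->value >> pos) > split;
        if (bit) { range -= split; br->value -= (split + 1) << pos; }
        else range = split + 1;
        { const int shift = 7 ^ BitsLog2Floor(range); range <<= shift; br->bits -= shift; }
        br->range = range - 1;
        return bit;
    }
}
static uint32_t VP8GetValue(VP8BitReader *br, int bits) {
    uint32_t v = 0;
    while (bits-- > 0) v |= (uint32_t)VP8GetBit(br, 0x80) << bits;
    return v;
}
/* Constructed input: decodes to the 2-bit value 2; read as a zero-length payload, every
 * read must fail cleanly (value 0, eof set) rather than shift by -8. */
static const uint8_t kSample[] = { 0x80, 0x00 };
uint32_t DecodeSample(void) {
    VP8BitReader br; VP8InitBitReader(&br, kSample, sizeof kSample); return VP8GetValue(&br, 2); }
int TruncatedPayloadIsFlagged(void) {
    VP8BitReader br; VP8InitBitReader(&br, kSample, 0); return VP8GetValue(&br, 7) == 0 && br.eof == 1; }
```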
Apr 20 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6409094642008064

Fuzzer: libfuzzer_vp8_qp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  VP8GetBit
  webrtc::vp8::VP8GetValue
  VP8Get

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96iKPkXLk_7lCpQk9AaRqytQbAX5zE93HeS3ftDzG9CGfQK1eWgbjDf3VG_VL4CIk6XIvhgQedm-66mMd9LWLfCrf9JrtJf34AEtjjDGdlyzmOdVhgCU-J-dZ9rdsPyEAf9rhZ63oU5cKKBk8xGZZz24MOFyw

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/0a2c054f426104ed5364424d3ec88d6cffe203eb

commit 0a2c054f426104ed5364424d3ec88d6cffe203eb
Author: jackychen <jackychen@google.com>
Date: Wed Apr 20 20:24:15 2016

Fix the issue of undefined-shift in VP8GetBit.

BUG= chromium:603497

Review URL: https://codereview.webrtc.org/1888313002

Cr-Commit-Position: refs/heads/master@{#12450}

[modify] https://crrev.com/0a2c054f426104ed5364424d3ec88d6cffe203eb/webrtc/modules/video_coding/utility/vp8_header_parser.cc
Apr 25 2016
ClusterFuzz has detected this issue as fixed in range 389420:389436.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6389931454234624

Fuzzer: libfuzzer_vp8_qp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  VP8GetBit
  webrtc::vp8::VP8GetValue
  ParseFilterHeader

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=389420:389436

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dv0gy0oZj-fcuWbxZIPOn_6M8eZVvKq7z1n_C02W6Dq3Ko7mCRvHVGazdAkeuezb4VF6HX2r7ViKV7S5Gx4RwjZC5IQOhFpQZB7FVR19Vglpq4fvzxOzOUMmht6NPW5TCOKTWQy8MM-HIxITqCrGjKucX_g

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 26 2016
ClusterFuzz has detected this issue as fixed in range 389420:389436.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6409094642008064

Fuzzer: libfuzzer_vp8_qp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  VP8GetBit
  webrtc::vp8::VP8GetValue
  VP8Get

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=389420:389436

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96iKPkXLk_7lCpQk9AaRqytQbAX5zE93HeS3ftDzG9CGfQK1eWgbjDf3VG_VL4CIk6XIvhgQedm-66mMd9LWLfCrf9JrtJf34AEtjjDGdlyzmOdVhgCU-J-dZ9rdsPyEAf9rhZ63oU5cKKBk8xGZZz24MOFyw

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 14 2016
Owner: pbos@chromium.org