
Issue 609152


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocked on:
issue 609042




Timeout and memory leaks in woff2::ConvertWOFF2ToTTF()

Project Member Reported by mmoroz@chromium.org, May 4 2016

Issue description

convert_woff2ttf_fuzzer hits a timeout in woff2::ConvertWOFF2ToTTF(); it also looks like an infinite (or very long) loop with leaking memory.

Reproduction steps:
1) Build the 'convert_woff2ttf_fuzzer' target using these instructions: https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer
2) Run it with the following parameter (file is attached):
./convert_woff2ttf_fuzzer ./15746eb767d56faf4396fd5f5e6c8f3ddb605a5f -print_final_stats=1 -timeout=10

The output will be like:
ALARM: working on the last Unit for 11 seconds
       and the timeout value is 10 (use -timeout=N to change)
==16693== ERROR: libFuzzer: timeout after 11 seconds
<...>
    #7 0x4ef64d in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::vector(unsigned long) buildtools/third_party/libc++/trunk/include/vector:1073
    #8 0x4e1a9b in woff2::ConvertWOFF2ToTTF(unsigned char const*, unsigned long, woff2::WOFF2Out*) third_party/woff2/src/woff2_dec.cc:1274:24
    #9 0x4dbc66 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/convert_woff2ttf_fuzzer.cc:15:3
<...>
SUMMARY: libFuzzer: timeout
stat::number_of_executed_units: 0
stat::average_exec_per_sec:     0
stat::new_units_added:          0
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              809


Using bigger timeout arguments gives the same result, but the amount of memory used rises:

20 sec:
stat::peak_rss_mb:              1119

60 sec:
stat::peak_rss_mb:              2404

etc. Testcase attached.

Attachment: 15746eb767d56faf4396fd5f5e6c8f3ddb605a5f (1.6 KB)
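The experiment above (same test case, growing -timeout, growing peak RSS) is the signal that separates allocation inside a non-terminating loop from a unit that is merely slow. The script below is an added example, not code from this issue or from the woff2 project: it runs a libFuzzer target on one input under several -timeout values, parses the -print_final_stats=1 output, and classifies the memory trend. The fuzzer and test case paths are assumptions, and the embedded sample output is constructed from the figures in this report.

```python
import re
import subprocess
import sys

STAT_RE = re.compile(r"^stat::(\w+):\s+(\d+)\s*$", re.MULTILINE)

# Constructed sample, modelled on the -timeout=10 run quoted in the report.
SAMPLE_OUTPUT_10S = """\
ALARM: working on the last Unit for 11 seconds
       and the timeout value is 10 (use -timeout=N to change)
==16693== ERROR: libFuzzer: timeout after 11 seconds
SUMMARY: libFuzzer: timeout
stat::peak_rss_mb:              809
"""


def parse_final_stats(output):
    """Return {stat_name: int} from the stat:: lines that -print_final_stats=1 emits."""
    return {name: int(value) for name, value in STAT_RE.findall(output)}


def run_with_timeout(fuzzer, testcase, timeout_sec):
    """Run one input once under the given -timeout; libFuzzer prints stats to stderr."""
    proc = subprocess.run(
        [fuzzer, testcase, "-print_final_stats=1", f"-timeout={timeout_sec}"],
        capture_output=True, text=True, timeout=timeout_sec + 30)
    return proc.stderr + proc.stdout


def classify_growth(rss_by_timeout, min_ratio=1.25):
    """'unbounded' when peak RSS rises monotonically with the time budget and the
    largest budget uses at least min_ratio x the smallest (allocation in a loop,
    as in this bug); 'plateau' when memory stops growing (just a slow unit)."""
    points = sorted(rss_by_timeout.items())
    if len(points) < 2:
        raise ValueError("need at least two timeout values")
    monotonic = all(a[1] <= b[1] for a, b in zip(points, points[1:]))
    if monotonic and points[-1][1] >= points[0][1] * min_ratio:
        return "unbounded"
    return "plateau"


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: triage.py ./convert_woff2ttf_fuzzer ./testcase (assumed paths)
        outputs = {t: run_with_timeout(sys.argv[1], sys.argv[2], t) for t in (10, 20, 60)}
    else:  # offline demo: constructed 10 s sample plus the report's 20 s and 60 s figures
        outputs = {10: SAMPLE_OUTPUT_10S, 20: "stat::peak_rss_mb: 1119\n", 60: "stat::peak_rss_mb: 2404\n"}
    rss = {t: parse_final_stats(o)["peak_rss_mb"] for t, o in outputs.items()}
    print(rss, "->", classify_growth(rss))
```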
Looks like this has been fixed upstream: https://github.com/google/woff2/commit/a15a8ab
Blockedon: 609042
Status: Started (was: Untriaged)
The new revision was rolled.
I'd try running with the latest version.
Status: Fixed (was: Started)
I followed these instructions, https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/getting_started.md, and used the 'is_asan=true' configuration.

With the old revision, it hits the timeout, but with the new revision, it passes.

./out/libfuzzer/convert_woff2ttf_fuzzer ./15746eb767d56faf4396fd5f5e6c8f3ddb605a5f -print_final_stats=1 -timeout=10
INFO: Seed: 1536084472
./out/libfuzzer/convert_woff2ttf_fuzzer: Running 1 inputs 1 time(s) each.
./15746eb767d56faf4396fd5f5e6c8f3ddb605a5f: 1 ms
stat::number_of_executed_units: 1
stat::average_exec_per_sec:     0
stat::new_units_added:          0
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              33

Comment 4 by mmoroz@chromium.org, May 11 2016

Awesome! Thanks a lot for the quick reaction.
NP. It's me who should say thanks to the people who helped fix the issues while I'm OOO!

Comment 6 by mmoroz@chromium.org, Nov 20 2016

Labels: -Restrict-View-EditIssue allpublic
Removing view restrictions.
