Issue metadata
Sign in to add a comment
|
Undefined-shift in vp9_parse_superframe_index |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5409135532703744 Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: vp9_parse_superframe_index decoder_decode vpx_codec_decode Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=392658:393412 Minimized Testcase (0.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97aIkFfPf421rSRkk_VGG3gYnIgmm93n_4MfWnE_E8HlWL28EvGd3wJ0JVikWiZIzwS95dvRlQpSiO3CsknO4aFUjeqDAt9JxiKQqyyDjZ1ZAMC0FqgwqpWJn4Jx231kCos8WAd-ie8L4xWiPjKIJJcpVBVIg Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
May 15 2016
,
May 15 2016
tomfinegan@, as an OWNER for libvpx, could you please take a look or suggest another owner to assign this to?
,
May 15 2016
,
May 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6099068022947840 Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: vp9_parse_superframe_index decoder_decode vpx_codec_decode Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=392658:393412 Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96MlakXDt7pL2IxZKyAGqJ1ZlYqH45Ce-9HwiOYLyO4zt6vy7NQzGpvvWpR-m1jQYPWpwhnKPzcteSPsGCdjYErYMA2F8ryrX7EUQY4ScZ3702feV8sFQAa_Vy89ghdbFCxjuylbpgSuonS8aMu5lhltBJkrg Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
May 16 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5409135532703744 Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: vp9_parse_superframe_index decoder_decode vpx_codec_decode Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=392658:393412 Minimized Testcase (0.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97aIkFfPf421rSRkk_VGG3gYnIgmm93n_4MfWnE_E8HlWL28EvGd3wJ0JVikWiZIzwS95dvRlQpSiO3CsknO4aFUjeqDAt9JxiKQqyyDjZ1ZAMC0FqgwqpWJn4Jx231kCos8WAd-ie8L4xWiPjKIJJcpVBVIg See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 16 2016
,
May 16 2016
Jim: This is code you wrote (Minghai is the blamed author in vp9_decoder.c, but the origin code in vp9_dx_iface.c shows you as the author). Mind looking at this, or reassigning to someone else?
,
May 16 2016
,
May 16 2016
,
May 17 2016
Proposing a fix upstream here: https://chromium-review.googlesource.com/#/c/345470/ Also, numbers in sizes[i] are validated before they are used, so they will not cause OOB read. OOB write is not possible either since there is no write ever involved in using these numbers.
,
May 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/2240d83d7882ce2d5d0826b9ce33b86321d7a724 commit 2240d83d7882ce2d5d0826b9ce33b86321d7a724 Author: Yaowu Xu <yaowu@google.com> Date: Tue May 17 18:39:57 2016 Promote to uint32_t before left shift This commit change to promote uint8_t explicitly to uint32_t before left shift operation. BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612021 Change-Id: Id7059154efb5bdfa45889dabe72aaafd46d79f23 [modify] https://crrev.com/2240d83d7882ce2d5d0826b9ce33b86321d7a724/vp9/decoder/vp9_decoder.c
,
May 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 23 2016
Marco, could you please update this one as well after libvpx roll is done? thanks
,
May 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9 commit 7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9 Author: marpan <marpan@chromium.org> Date: Mon May 23 18:09:06 2016 Roll src/third_party/libvpx/source/libvpx/ 57566ff24..4f774ac50 (29 commits). https://chromium.googlesource.com/webm/libvpx.git/+log/57566ff24adb..4f774ac50e4d $ git log 57566ff24..4f774ac50 --date=short --no-merges --format='%ad %ae %s' 2016-05-19 jzern Revert "Code clean of sub_pixel_variance4xh" 2016-05-19 jzern Revert "Extend the external fb interface to allocate individual planes." 2016-05-19 jzern vp8/error_concealment: remove shift of negative value 2016-05-16 jackychen vp9: Refactor some denoiser logic in vp9_pick_inter_mode. 2016-04-13 dcastagna Extend the external fb interface to allocate individual planes. 2016-05-18 yaowu Clarify integer value ranges 2016-05-17 aconverse Move, rename, and inline high_inter_predictor. 2016-05-17 yaowu Prevent invalid read 2016-05-18 slavarnway Code clean of sub_pixel_variance4xh 2016-05-17 slavarnway VP9: _get_pred_context_switchable_interp() 2016-05-17 yaowu Promote to uint32_t before left shift 2016-05-11 johannkoenig neon hadamard 8x8 2016-05-10 huisu Add level test for VP9 2016-05-13 jackychen Move non-zero mv bias on large block out of vp9_pick_inter_mode. 2016-05-13 marpan vp9: Update to rc-metric for keeping track of average frame size. 2016-05-13 tomfinegan convolve_test: Fix high bit depth IOC runtime errors. 2016-05-02 bvibber Add --enable-shared option to iosbuild.sh to build dynamic framework 2016-05-11 huisu Fix typos in control function for VP9E_SET_TARGET_LEVEL 2016-05-09 tomfinegan simple_encoder: Add a frame limit argument. 2016-05-11 tomfinegan twopass_encoder: Add frame limit argument. (...) R=johannkoenig@google.com BUG= 612021 , 612023 Review-Url: https://codereview.chromium.org/2005893002 Cr-Commit-Position: refs/heads/master@{#395363} [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/DEPS [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/README.chromium [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs.gni [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm64.gypi [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm_neon.gypi [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm_neon_cpu_detect_intrinsics.gypi [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_x86.gypi [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_x86_64.gypi [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm-neon-cpu-detect/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm-neon/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm64/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/ia32/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/x64/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/mac/ia32/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/mac/x64/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/vpx_version.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/win/ia32/vpx_dsp_rtcd.h [modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/win/x64/vpx_dsp_rtcd.h
,
May 23 2016
Fix rolled into chromium, marking as fixed.
,
May 23 2016
Adding Merge-Triage label for tracking purposes. Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
,
May 24 2016
,
May 24 2016
ClusterFuzz has detected this issue as fixed in range 395342:395514. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6099068022947840 Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: vp9_parse_superframe_index decoder_decode vpx_codec_decode Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=392658:393412 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395342:395514 Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96MlakXDt7pL2IxZKyAGqJ1ZlYqH45Ce-9HwiOYLyO4zt6vy7NQzGpvvWpR-m1jQYPWpwhnKPzcteSPsGCdjYErYMA2F8ryrX7EUQY4ScZ3702feV8sFQAa_Vy89ghdbFCxjuylbpgSuonS8aMu5lhltBJkrg See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 29 2016
,
Jun 29 2016
Regressed in 392658, initially in 52.0.2733.0 Fixed in 395363, initially in 53.0.2747.0
,
Jul 11 2016
approving merge to M52
,
Jul 12 2016
Hello! Please merge to M52 by 5pm PDT Today (Tuesday 12th) if at all possible. Cheers!
,
Jul 12 2016
Please merge this before 5pm today for tomorrow's M52 release.
,
Jul 12 2016
,
Jul 14 2016
Please merge your change to M52 branch 2743 before 5:00 PM PST Friday (07/15/16) as we are very close to M52 stable candidate cut.
,
Jul 15 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 18 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/62a57630cc38c2e7bca8acde50d31f2182a571d3 commit 62a57630cc38c2e7bca8acde50d31f2182a571d3 Author: Johann <johannkoenig@google.com> Date: Mon Jul 18 17:58:00 2016 Promote to uint32_t before left shift This commit change to promote uint8_t explicitly to uint32_t before left shift operation. BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612021 Change-Id: Id7059154efb5bdfa45889dabe72aaafd46d79f23 (cherry picked from commit 2240d83d7882ce2d5d0826b9ce33b86321d7a724) Change-Id: I392d25c38353f071cf0e8ab242d32098a7d68ecb [modify] https://crrev.com/62a57630cc38c2e7bca8acde50d31f2182a571d3/vp9/decoder/vp9_decoder.c
,
Jul 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/62a57630cc38c2e7bca8acde50d31f2182a571d3 commit 62a57630cc38c2e7bca8acde50d31f2182a571d3 Author: Johann <johannkoenig@google.com> Date: Mon Jul 18 17:58:00 2016 Promote to uint32_t before left shift This commit change to promote uint8_t explicitly to uint32_t before left shift operation. BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612021 Change-Id: Id7059154efb5bdfa45889dabe72aaafd46d79f23 (cherry picked from commit 2240d83d7882ce2d5d0826b9ce33b86321d7a724) Change-Id: I392d25c38353f071cf0e8ab242d32098a7d68ecb [modify] https://crrev.com/62a57630cc38c2e7bca8acde50d31f2182a571d3/vp9/decoder/vp9_decoder.c
,
Jul 18 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/b6f8a6198c7e91642449eda05234f799bdeec72c commit b6f8a6198c7e91642449eda05234f799bdeec72c Author: Johann <johannkoenig@google.com> Date: Mon Jul 18 18:03:08 2016
,
Jul 18 2016
Changing the labels, I think correctly?
,
Jul 18 2016
,
Jul 18 2016
,
Aug 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmoroz@chromium.org
, May 15 2016I speculatively marked this as a Security because affected value is a "size" variable: <...> for (j = 0; j < mag; ++j) this_sz |= (*x++) << (j * 8); sizes[i] = this_sz; <...> May be it can cause OOB read or write since it's value becomes undefined due to incorrect shift. Thought I'm not familiar with the target, so that may be a wrong assumption.