Issue metadata
Heap-buffer-overflow in setup_frame_size_with_refs
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5391103330615296
Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61f00000ee38
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435
Minimized Testcase (158.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952qMbYjknC44QGURmUwSdbdQgfVyI2DlHqUo2Pu5wbnXKmB4afm4aQAGXO9HGjMzfin1LjN4340YjrGtXUAAMGt1FiGoceWaktt0i7gt3xw3h4GU5Q7KYh2dpX6ltnEAKp_i5xEeE--hTBVQXNVNLccvmOBNvAWRAiwgY1WSZNKVm8vs0
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
May 15 2016
,
May 16 2016
,
May 16 2016
,
May 16 2016
,
May 16 2016
yaowu: ptal
,
May 18 2016
,
May 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/4f0e4d6cef827bc452848e126a6bedc47424da88
commit 4f0e4d6cef827bc452848e126a6bedc47424da88
Author: Yaowu Xu <yaowu@google.com>
Date: Wed May 18 00:18:26 2016

Prevent invalid read

This commit adds a check before reading into RefBuffer to prevent OOB read.

BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612023
Change-Id: I5b02951932e7f457cfbe6b2e650790496b8577ae

[modify] https://crrev.com/4f0e4d6cef827bc452848e126a6bedc47424da88/vp9/decoder/vp9_decodeframe.c
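The commit above only says that a check was added before reading into RefBuffer. The following C is an added illustration of what that check guards, written for this page and not taken from libvpx: it models the VP9 frame-size-with-refs syntax (one found_ref bit per reference slot, else an explicit 16-bit width-1 and height-1), a decoder whose reference slots are bound from a ref_frame_map[] where an unassigned slot is INVALID_IDX (-1), and the fixed setup_frame_size_with_refs() that refuses a found_ref bit pointing at an unbound slot instead of dereferencing the slot's buffer pointer. The structure names mirror vp9_decodeframe.c, but the layouts, the bit reader, the 640x480 frame in pool slot 3 and the three header byte strings are constructed for the example; the exact shape of the upstream check is an assumption based on the commit message.

```c
/* Added example modelled on VP9's setup_frame_size_with_refs(); not libvpx code.
   Structures are cut down to the fields the reference-slot check touches. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REFS_PER_FRAME 3   /* LAST, GOLDEN, ALTREF */
#define FRAME_BUFFERS 12   /* size of the decoder's frame pool (assumed) */
#define INVALID_IDX (-1)   /* ref_frame_map value for a slot never assigned a frame */

typedef struct { int y_crop_width, y_crop_height; } YV12_BUFFER_CONFIG;
typedef struct { int idx; YV12_BUFFER_CONFIG *buf; } RefBuffer;

typedef struct {
  YV12_BUFFER_CONFIG frame_bufs[FRAME_BUFFERS]; /* stands in for the heap-allocated pool */
  RefBuffer frame_refs[REFS_PER_FRAME];
  int width, height;
  int corrupt; /* set where libvpx would raise VPX_CODEC_CORRUPT_FRAME */
} VP9_COMMON;

/* MSB-first bit reader for the uncompressed header. Reads past the end yield 0;
   that is not the bug discussed here, it just keeps the reader well-defined. */
typedef struct { const uint8_t *data; size_t size; size_t pos; } BitReader;

static int rb_read_bit(BitReader *rb) {
  size_t byte = rb->pos >> 3;
  int bit = byte < rb->size ? (rb->data[byte] >> (7 - (rb->pos & 7))) & 1 : 0;
  rb->pos++;
  return bit;
}

static int rb_read_literal(BitReader *rb, int bits) {
  int v = 0;
  while (bits-- > 0) v = (v << 1) | rb_read_bit(rb);
  return v;
}

/* Binds the reference slots from pool indices. The real decoder computes
   &frame_bufs[idx] unconditionally, so idx == -1 leaves buf pointing one
   element before the pool; here an invalid index gets NULL so a missed
   check faults loudly instead of reading a heap neighbour. */
static void bind_refs(VP9_COMMON *cm, const int ref_idx[REFS_PER_FRAME]) {
  int i;
  for (i = 0; i < REFS_PER_FRAME; ++i) {
    int idx = ref_idx[i];
    cm->frame_refs[i].idx = idx;
    cm->frame_refs[i].buf =
        (idx < 0 || idx >= FRAME_BUFFERS) ? NULL : &cm->frame_bufs[idx];
  }
}

/* frame_size_with_refs(): the first set found_ref bit copies that reference's
   size; if none is set, explicit width-1 and height-1 follow as 16-bit fields.
   Returns 0, or -1 when the header selects a slot that holds no frame. */
static int setup_frame_size_with_refs(VP9_COMMON *cm, BitReader *rb) {
  int width = 0, height = 0, found = 0, i;
  for (i = 0; i < REFS_PER_FRAME; ++i) {
    if (rb_read_bit(rb)) {
      /* The added check: before it, buf was dereferenced even for a slot
         that had never been assigned a frame, i.e. an out-of-bounds read. */
      if (cm->frame_refs[i].idx == INVALID_IDX) {
        cm->corrupt = 1;
        return -1;
      }
      width = cm->frame_refs[i].buf->y_crop_width;
      height = cm->frame_refs[i].buf->y_crop_height;
      found = 1;
      break;
    }
  }
  if (!found) {
    width = rb_read_literal(rb, 16) + 1;
    height = rb_read_literal(rb, 16) + 1;
  }
  cm->width = width;
  cm->height = height;
  return 0;
}

/* Runs one header through a fresh decoder whose pool holds a 640x480 frame in
   slot 3 (constructed); ref_idx[] is the slot state a prior keyframe (or none) left. */
static int parse_frame_size(const uint8_t *hdr, size_t len,
                            const int ref_idx[REFS_PER_FRAME], int *w, int *h) {
  VP9_COMMON cm;
  BitReader rb = { hdr, len, 0 };
  memset(&cm, 0, sizeof(cm));
  cm.frame_bufs[3].y_crop_width = 640;
  cm.frame_bufs[3].y_crop_height = 480;
  bind_refs(&cm, ref_idx);
  if (setup_frame_size_with_refs(&cm, &rb) != 0) return -1;
  *w = cm.width;
  *h = cm.height;
  return 0;
}

int main(void) {
  /* Constructed headers: bits 0,1 -> copy size from ref 1; bits 0,0,0 then
     319 and 239 -> explicit 320x240; bit 1 -> copy from ref 0. */
  const uint8_t inherit[] = { 0x40 };
  const uint8_t explicit_size[] = { 0x00, 0x27, 0xE0, 0x1D, 0xE0 };
  const uint8_t crafted[] = { 0x80 };
  const int bound[REFS_PER_FRAME] = { 3, 3, 3 };
  const int unbound[REFS_PER_FRAME] = { INVALID_IDX, INVALID_IDX, INVALID_IDX };
  int w = 0, h = 0;
  printf("inherit:  rc=%d %dx%d\n", parse_frame_size(inherit, sizeof inherit, bound, &w, &h), w, h);
  printf("explicit: rc=%d %dx%d\n", parse_frame_size(explicit_size, sizeof explicit_size, bound, &w, &h), w, h);
  printf("crafted:  rc=%d (rejected before touching RefBuffer)\n",
         parse_frame_size(crafted, sizeof crafted, unbound, &w, &h));
  return 0;
}
```

The third header is the shape of input a decoder fuzzer reaches easily: a single set found_ref bit is enough to make the pre-fix code read through a slot whose index is -1. With the check, the same bits end in a corrupt-frame error and the size comes only from a slot that actually holds a decoded frame.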
,
May 23 2016
yaowu@, can you roll libvpx forward in chromium and then close this as fixed.
,
May 23 2016
Marco, could you please update this bug after you are done with the roll? thanks
,
May 23 2016
,
May 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9
commit 7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9
Author: marpan <marpan@chromium.org>
Date: Mon May 23 18:09:06 2016

Roll src/third_party/libvpx/source/libvpx/ 57566ff24..4f774ac50 (29 commits).

https://chromium.googlesource.com/webm/libvpx.git/+log/57566ff24adb..4f774ac50e4d

$ git log 57566ff24..4f774ac50 --date=short --no-merges --format='%ad %ae %s'
2016-05-19 jzern Revert "Code clean of sub_pixel_variance4xh"
2016-05-19 jzern Revert "Extend the external fb interface to allocate individual planes."
2016-05-19 jzern vp8/error_concealment: remove shift of negative value
2016-05-16 jackychen vp9: Refactor some denoiser logic in vp9_pick_inter_mode.
2016-04-13 dcastagna Extend the external fb interface to allocate individual planes.
2016-05-18 yaowu Clarify integer value ranges
2016-05-17 aconverse Move, rename, and inline high_inter_predictor.
2016-05-17 yaowu Prevent invalid read
2016-05-18 slavarnway Code clean of sub_pixel_variance4xh
2016-05-17 slavarnway VP9: _get_pred_context_switchable_interp()
2016-05-17 yaowu Promote to uint32_t before left shift
2016-05-11 johannkoenig neon hadamard 8x8
2016-05-10 huisu Add level test for VP9
2016-05-13 jackychen Move non-zero mv bias on large block out of vp9_pick_inter_mode.
2016-05-13 marpan vp9: Update to rc-metric for keeping track of average frame size.
2016-05-13 tomfinegan convolve_test: Fix high bit depth IOC runtime errors.
2016-05-02 bvibber Add --enable-shared option to iosbuild.sh to build dynamic framework
2016-05-11 huisu Fix typos in control function for VP9E_SET_TARGET_LEVEL
2016-05-09 tomfinegan simple_encoder: Add a frame limit argument.
2016-05-11 tomfinegan twopass_encoder: Add frame limit argument.
(...)

R=johannkoenig@google.com
BUG=612021, 612023
Review-Url: https://codereview.chromium.org/2005893002
Cr-Commit-Position: refs/heads/master@{#395363}

[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/DEPS
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/README.chromium
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs.gni
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm64.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm_neon.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm_neon_cpu_detect_intrinsics.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_x86.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_x86_64.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm-neon-cpu-detect/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm-neon/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm64/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/mac/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/mac/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/vpx_version.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/win/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/win/x64/vpx_dsp_rtcd.h
,
May 23 2016
Marking this as fixed, thanks!
,
May 25 2016
ClusterFuzz has detected this issue as fixed in range 395301:395401.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5391103330615296
Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61f00000ee38
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395301:395401
Minimized Testcase (158.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952qMbYjknC44QGURmUwSdbdQgfVyI2DlHqUo2Pu5wbnXKmB4afm4aQAGXO9HGjMzfin1LjN4340YjrGtXUAAMGt1FiGoceWaktt0i7gt3xw3h4GU5Q7KYh2dpX6ltnEAKp_i5xEeE--hTBVQXNVNLccvmOBNvAWRAiwgY1WSZNKVm8vs0
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 25 2016
,
May 25 2016
,
May 25 2016
Adding Merge-Triage label for tracking purposes. Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
,
Jun 29 2016
,
Jun 29 2016
Regressed in 392685, initially in 52.0.2733.0
Fixed in 395363, initially in 53.0.2747.0
,
Jul 11 2016
Approving merge to M52.
,
Jul 12 2016
Hello! Please merge to M52 by 5pm PDT Today (Tuesday 12th) if at all possible. Cheers!
,
Jul 12 2016
Johann, can you merge this in?
,
Jul 14 2016
Please merge your change to M52 branch 2743 before 5:00 PM PST Friday (07/15/16) as we are very close to M52 stable candidate cut.
,
Jul 15 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 18 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/669e7b7454ccb4088e300965a5e8ff2586f0d0db
commit 669e7b7454ccb4088e300965a5e8ff2586f0d0db
Author: Yaowu Xu <yaowu@google.com>
Date: Wed May 18 00:18:26 2016

Prevent invalid read

This commit adds a check before reading into RefBuffer to prevent OOB read.

BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612023
(cherry picked from commit 4f0e4d6cef827bc452848e126a6bedc47424da88)
Change-Id: I4f0732d4ca92f79b57103bffcff15499073e79a4

[modify] https://crrev.com/669e7b7454ccb4088e300965a5e8ff2586f0d0db/vp9/decoder/vp9_decodeframe.c
,
Jul 18 2016
If this is already merged to M52, please apply "merge-merged-2743" label and remove "merge-merged-m52-2743" & "Merge-Approved-52" labels. Thank you.
,
Jul 18 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/a754de3405d0fb192dc25e7de4f072cdfd064edd
commit a754de3405d0fb192dc25e7de4f072cdfd064edd
Author: Johann <johannkoenig@google.com>
Date: Mon Jul 18 18:51:01 2016
,
Jul 18 2016
,
Jul 18 2016
,
Aug 31 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
Comment 1 by mmoroz@chromium.org, May 15 2016
Components: Internals>Media>Codecs
Labels: Pri-2
Owner: tomfinegan@chromium.org