Use-of-uninitialized-value in setup_frame_size_with_refs
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4694284498632704
Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94kqwMi0kpUgx9OzfmAk7ZkLvzXwwo1WEFhvIIEqoizwci9iZ6N8Kkg5O3aQKEHSelIQZa9mW3phXJBIYncyKiAAbf7Gn7IQldE7oRb_YQbOYuyPdw8tNabZwZhW7uqLNO9ZCTcCBDYt9pTR6ZKbRvHGQstR0PlmSQUbK0Fb8l2EIcaDkQ
Filer: inferno
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 23 2016
Jrummell@, can you take a look? These two testcases look related, but are unreliable testcases. Wonder if stack, line number help in root cause. Max, Kostya, Mike - looks like libfuzzer+msan is giving some unreproducible testcases. Is msan+libfuzzer supposed to be flaky?
May 23 2016
yaowu@chromium.org, does this look like https://bugs.chromium.org/p/chromium/issues/detail?id=612023 ?
May 23 2016
Interesting, the testcase looks unreproducible with the given input, but when trying to reproduce whole fuzzing session it crashes in the same way: https://paste.googleplex.com/5049757349183488
May 23 2016
Looks like one or more of VP9_COMMON->frame_refs[i].buf [1] is not always updated for a new frame. Investigating.
[1] https://code.google.com/p/chromium/codesearch#chromium/src/third_party/libvpx/source/libvpx/vp9/common/vp9_blockd.h&l=143
May 23 2016
Regarding #3: yes, looks very similar. We are doing a libvpx roll with the fix: https://chromium-review.googlesource.com/#/c/345572/ The roll commit is here: https://chromium.googlesource.com/chromium/src.git/+/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9
May 23 2016
Answering #2: given that we now think this is an OOB, it explains why msan is flaky. Msan does not have redzones and thus when hitting OOB it may or may not hit uninitialized memory. Fun!
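The following is an added illustration, not libvpx code and not the fix that went in with the roll, of the state described in #5 (a frame_refs[i].buf entry that is not refreshed for a new frame) and of the guard a setup_frame_size_with_refs-style routine wants before it dereferences a reference; it also shows, in the comments, why such a stale pointer is only intermittently visible to MSan as #7 explains. All type and function names (FrameBuf, RefBuffer, DecoderCtx, setup_frame_refs, refs_valid, frame_size_from_ref) and the pool layout are hypothetical stand-ins, and the scenario data is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for libvpx's frame buffer pool and
   VP9_COMMON->frame_refs; names and layout are illustrative only. */
#define REFS_PER_FRAME 3
#define POOL_SIZE 4

typedef struct {
    int y_crop_width;
    int y_crop_height;
    int in_use;          /* slot currently holds a decoded frame */
} FrameBuf;

typedef struct {
    FrameBuf *buf;       /* pool slot this reference resolves to */
} RefBuffer;

typedef struct {
    FrameBuf pool[POOL_SIZE];
    RefBuffer frame_refs[REFS_PER_FRAME];
} DecoderCtx;

/* Reset every ref before parsing a frame header, so a ref the header
   handling fails to update is NULL rather than whatever the previous
   frame left behind. */
static void clear_frame_refs(DecoderCtx *ctx) {
    for (int i = 0; i < REFS_PER_FRAME; i++) ctx->frame_refs[i].buf = NULL;
}

/* Bind the first n refs to the header's ref indices. n == REFS_PER_FRAME is
   the correct behaviour; a smaller n deliberately models the "not always
   updated" defect from #5. Returns 0 on success, -1 on a bad index. */
static int setup_frame_refs(DecoderCtx *ctx, const int idx[REFS_PER_FRAME], int n) {
    for (int i = 0; i < n; i++) {
        if (idx[i] < 0 || idx[i] >= POOL_SIZE || !ctx->pool[idx[i]].in_use) return -1;
        ctx->frame_refs[i].buf = &ctx->pool[idx[i]];
    }
    return 0;
}

/* The check to run before dereferencing any reference: every ref must point
   at a live slot with a sane size. A stale pointer is not a memory error on
   its own, which is why MSan only reports it when the bytes behind it happen
   to be uninitialized; validating the ref state makes the failure
   deterministic instead of sanitizer-dependent. */
static int refs_valid(const DecoderCtx *ctx) {
    for (int i = 0; i < REFS_PER_FRAME; i++) {
        const FrameBuf *b = ctx->frame_refs[i].buf;
        if (b == NULL || !b->in_use || b->y_crop_width <= 0 || b->y_crop_height <= 0)
            return 0;
    }
    return 1;
}

/* Take the new frame's size from reference ref_idx, as the "found" path in
   setup_frame_size_with_refs does, but refuse when any ref is unset or
   stale. Returns 0 and fills *w/*h, or -1 so the caller rejects the frame. */
int frame_size_from_ref(const DecoderCtx *ctx, int ref_idx, int *w, int *h) {
    if (ref_idx < 0 || ref_idx >= REFS_PER_FRAME || !refs_valid(ctx)) return -1;
    *w = ctx->frame_refs[ref_idx].buf->y_crop_width;
    *h = ctx->frame_refs[ref_idx].buf->y_crop_height;
    return 0;
}

/* Constructed scenario: frame N binds all three refs; slot 2 is then
   released, and frame N+1's header handling refreshes only refs 0 and 1.
   Without the guard, ref 2 is read through a pointer to a slot that no
   longer holds a frame. Returns 1 if the guard rejected the frame. */
int demo_missed_update(void) {
    DecoderCtx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.pool[0] = (FrameBuf){352, 288, 1};
    ctx.pool[1] = (FrameBuf){352, 288, 1};
    ctx.pool[2] = (FrameBuf){176, 144, 1};
    const int idx[REFS_PER_FRAME] = {0, 1, 2};
    if (setup_frame_refs(&ctx, idx, REFS_PER_FRAME) != 0) return 0;

    ctx.pool[2].in_use = 0;                  /* slot 2 released */
    (void)setup_frame_refs(&ctx, idx, 2);    /* defect: ref 2 not refreshed */

    int w, h;
    return frame_size_from_ref(&ctx, 2, &w, &h) == -1;
}

/* The same setup done correctly: clear, bind all refs, then read the size.
   Returns 0 with *w = 176, *h = 144 for the constructed pool. */
int demo_full_update(int *w, int *h) {
    DecoderCtx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.pool[0] = (FrameBuf){352, 288, 1};
    ctx.pool[1] = (FrameBuf){352, 288, 1};
    ctx.pool[3] = (FrameBuf){176, 144, 1};
    const int idx[REFS_PER_FRAME] = {0, 1, 3};
    clear_frame_refs(&ctx);
    if (setup_frame_refs(&ctx, idx, REFS_PER_FRAME) != 0) return -1;
    return frame_size_from_ref(&ctx, 2, w, h);
}
```

The two demo functions contrast the missed-update path, which the guard turns into a clean frame rejection, with the correct path, which binds every ref and then reads the size; clearing the refs first is what makes a skipped update show up as NULL rather than as a pointer into whatever the previous frame used.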
May 23 2016
I can't see issue 612023, but after looking at the fix I'm marking this issue as a duplicate.
May 23 2016
It would be great if CF tried any crashing test case with other sanitizers and attached their reports (if any) to the same bug.
Sep 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, May 23 2016