Integer-overflow in update_stream_timings
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5022426576715776
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96wtNnn2K4Xs9yRy8P_mNPctVZRJt8E7LBOIWAtaPGFj-Jxu2sdG9Rh4hnlvDGkEkIvHpVgCP-Fi7XMzOrR0ADF0EM9CUiB46wY6FTmOLouLK9r8FMsLq7C79NcJ6XIl6gWx2OWrqEqDhhV1kFUip9jTA_yFA
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
May 24 2016
Seems a legit issue in third_party/ffmpeg/libavformat/utils.c. +wolenetz@chromium.org to triage.
,
May 26 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5022426576715776
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96wtNnn2K4Xs9yRy8P_mNPctVZRJt8E7LBOIWAtaPGFj-Jxu2sdG9Rh4hnlvDGkEkIvHpVgCP-Fi7XMzOrR0ADF0EM9CUiB46wY6FTmOLouLK9r8FMsLq7C79NcJ6XIl6gWx2OWrqEqDhhV1kFUip9jTA_yFA
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 27 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4596997130813440
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv959jlQbQj-gLt3ii1eqDY2MNLokalimcg13UneHzQvODtBxqdrRcfiUJoobmeup8k6YTCPeOrQ_Xvf42JuMXlNWH8j7uRJbna5IKDEUCuBst1hi2YBVyyhHnz2qj0-bKHL8SU7TBxRymVomM1H5aF0z9-gJWA
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
May 27 2016
Over to tguilbert@ to take a look. Thank you, Thomas, for taking this one.
,
May 27 2016
,
May 27 2016
It seems like this is the same root cause as 600959. The huge granule size (of 5476377146884620288) gets set in os->start_time, which then percolates to start_time1 and end_time1 and causes the overflow. I am sending an email to Michael to introduce a more aggressive size check.
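The root cause described in the comment above (an Ogg granule of 5476377146884620288 landing in os->start_time and then overflowing once start and end times are combined), shown as an added C example. This is not ffmpeg's or Chromium's code: stream_t, timings_t, NOPTS and the MAX_PLAUSIBLE_TS bound are assumed names and values chosen for illustration. It models the arithmetic behind update_stream_timings (per-stream end = start + duration, container duration = max end - min start) with explicit overflow checks and a plausibility check on the container-supplied timestamp, so an absurd granule is rejected instead of producing the UBSan report in the Crash State.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not ffmpeg/Chromium code. Models the timing arithmetic that
 * UBSan flagged, with every add/subtract checked before it happens.
 * NOPTS, stream_t, timings_t and MAX_PLAUSIBLE_TS are assumptions.
 */

#define NOPTS INT64_MIN                          /* assumed "no timestamp" sentinel */
#define MAX_PLAUSIBLE_TS (INT64_C(1) << 62)      /* assumed bound, about 4.6e18 ticks */

typedef struct {
    int64_t start_time; /* what os->start_time would carry: the Ogg granule */
    int64_t duration;
} stream_t;

typedef struct {
    bool ok;            /* false: an input was rejected instead of overflowing */
    int64_t start, end, duration;
} timings_t;

/* a + b, or false if the result does not fit in int64_t (no UB either way). */
bool add_i64(int64_t a, int64_t b, int64_t *out) {
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* a - b with the same contract. */
bool sub_i64(int64_t a, int64_t b, int64_t *out) {
    if ((b < 0 && a > INT64_MAX + b) || (b > 0 && a < INT64_MIN + b))
        return false;
    *out = a - b;
    return true;
}

/* The "more aggressive size check" idea: refuse a timestamp the container
 * hands us before it reaches the timing arithmetic at all. */
bool timestamp_plausible(int64_t ts) {
    return ts != NOPTS && ts > -MAX_PLAUSIBLE_TS && ts < MAX_PLAUSIBLE_TS;
}

/* Checked counterpart of the start/end/duration estimation across streams. */
timings_t estimate_timings_checked(const stream_t *s, size_t n) {
    timings_t t = { true, INT64_MAX, INT64_MIN, NOPTS };
    for (size_t i = 0; i < n; i++) {
        int64_t end;
        if (s[i].start_time == NOPTS || s[i].duration == NOPTS)
            continue;                   /* no timing info for this stream: skip it */
        if (!timestamp_plausible(s[i].start_time) ||
            !add_i64(s[i].start_time, s[i].duration, &end)) {
            t.ok = false;               /* the start_time1/end_time1 overflow path */
            return t;
        }
        if (s[i].start_time < t.start) t.start = s[i].start_time;
        if (end > t.end) t.end = end;
    }
    if (t.start == INT64_MAX || !sub_i64(t.end, t.start, &t.duration))
        t.ok = false;                   /* no usable stream, or end - start overflows */
    return t;
}

int main(void) {
    const stream_t good[] = { { 0, 1000 }, { 500, 1000 } };
    const stream_t bad[]  = { { INT64_C(5476377146884620288), 1 } };
    timings_t a = estimate_timings_checked(good, 2);
    timings_t b = estimate_timings_checked(bad, 1);
    printf("good: ok=%d start=%lld end=%lld duration=%lld\n", a.ok,
           (long long)a.start, (long long)a.end, (long long)a.duration);
    printf("bad granule: ok=%d (rejected before any overflow)\n", b.ok);
    return 0;
}
```

The plausibility bound catches the reported granule on its own; the checked add and subtract are still needed because two individually plausible timestamps (a very negative start in one stream, a large end in another) can overflow when the container duration is formed from their difference.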
,
May 27 2016
,
Jun 1 2016
CL for cherry-picked fix: https://chromium-review.googlesource.com/#/c/348770/
,
Jun 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a0e0b9b39c330087560210405783ea5acf12e958

commit a0e0b9b39c330087560210405783ea5acf12e958
Author: tguilbert <tguilbert@chromium.org>
Date: Wed Jun 08 16:32:49 2016

Roll src/third_party/ffmpeg/ 7f03319b9..bcb8b67b8 (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/7f03319b9d5a..bcb8b67b8b97

$ git log 7f03319b9..bcb8b67b8 --date=short --no-merges --format='%ad %ae %s'
2016-05-28 michael Cherry-picking overflow related security fixes/undefined behaviors

BUG=614034
Review-Url: https://codereview.chromium.org/2047893002
Cr-Commit-Position: refs/heads/master@{#398591}

[modify] https://crrev.com/a0e0b9b39c330087560210405783ea5acf12e958/DEPS
,
Jun 11 2016
ClusterFuzz has detected this issue as fixed in range 398351:399229.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4596997130813440
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96TPg1yq7xWUT-WULG5te-cXxhHKuBXC8MVfm8sFe_ACPi-xMmu6SWhDTL2gHj0KiJ0F0myEl_TSLQ8eJDhkXXnUTgvNtDcTs9MwKV7DvenemLOJOveDV0KXvW0H5dIXbMsQphvLD0jYXQDGE3PJM4bz2PxTA
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 11 2016
ClusterFuzz has detected this issue as fixed in range 398351:399229.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5022426576715776
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96wtNnn2K4Xs9yRy8P_mNPctVZRJt8E7LBOIWAtaPGFj-Jxu2sdG9Rh4hnlvDGkEkIvHpVgCP-Fi7XMzOrR0ADF0EM9CUiB46wY6FTmOLouLK9r8FMsLq7C79NcJ6XIl6gWx2OWrqEqDhhV1kFUip9jTA_yFA
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6281753643974656
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94V4jaLhclbzabZbPncXTapA56GkqrAjYsPcf0HNf_HRp2b-vYHI-IY-pt4hVEQFKS09gMM0hrAVG1NmPUdnup7xlf_Y-9jZUXSNaKWGHdEgO306S4AQVGb9OZmU6hPKQNr-AJ67h0d6pisE3KEguO4FD58tg
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5546108915023872
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97p76zo0Ie8o_hcwDXkT5lLMs2aCumb1R1WITUbxVMQJ6VAKH0i5NqBHISRUyqnYei3v3FBtZ6Wkw_W1xO13CfHOWWUcTZlBKg-rQG5q1WZk1MSszz9-gESWZ4ZYN8aGxzQ32V0Gu-njwPVw2PJlPhCFmc9cA?testcase_id=5546108915023872
Filer: rnimmagadda
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 29 2016
Gentle ping. @tguilbert: Could you please provide an update on this issue? Thank you.
,
Aug 2 2016
When I cherry-picked the fix for the original bug, I also cherry-picked additional fixes that were made at the same time to fix similar issues. There was a new undefined behavior introduced in one of the extra fixes. I don't think the issue is big in and of itself, however. I will email the original author of the fixes tomorrow and cherry-pick the new fixes whenever they are pushed to ffmpeg. I would also argue that this is not a P1 bug, but is closer to a P2.
,
Aug 2 2016
I sent the email, and I will keep this bug updated with any progress.
,
Aug 3 2016
,
Aug 3 2016
Due to https://bugs.chromium.org/p/chromium/issues/detail?id=633740, chcunningham will be pushing the patch on my behalf. Thanks!
,
Aug 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1e3b04894bfb9c8934a797d9fe22dacd18456391

commit 1e3b04894bfb9c8934a797d9fe22dacd18456391
Author: tguilbert <tguilbert@chromium.org>
Date: Tue Aug 09 19:48:10 2016

Roll src/third_party/ffmpeg/ 4e878f7f6..75976ae02 (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/4e878f7f64d7..75976ae026fd

$ git log 4e878f7f6..75976ae02 --date=short --no-merges --format='%ad %ae %s'
2016-08-03 michael avformat/oggdec: Fix integer overflow with invalid pts

BUG=614034
Review-Url: https://codereview.chromium.org/2224123002
Cr-Commit-Position: refs/heads/master@{#410773}

[modify] https://crrev.com/1e3b04894bfb9c8934a797d9fe22dacd18456391/DEPS
,
Aug 10 2016
ClusterFuzz has detected this issue as fixed in range 410676:410915.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5546108915023872
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=410676:410915
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97p76zo0Ie8o_hcwDXkT5lLMs2aCumb1R1WITUbxVMQJ6VAKH0i5NqBHISRUyqnYei3v3FBtZ6Wkw_W1xO13CfHOWWUcTZlBKg-rQG5q1WZk1MSszz9-gESWZ4ZYN8aGxzQ32V0Gu-njwPVw2PJlPhCFmc9cA?testcase_id=5546108915023872
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 10 2016
ClusterFuzz has detected this issue as fixed in range 410676:410915.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6281753643974656
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  update_stream_timings
  fill_all_stream_timings
  estimate_timings
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=410676:410915
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94V4jaLhclbzabZbPncXTapA56GkqrAjYsPcf0HNf_HRp2b-vYHI-IY-pt4hVEQFKS09gMM0hrAVG1NmPUdnup7xlf_Y-9jZUXSNaKWGHdEgO306S4AQVGb9OZmU6hPKQNr-AJ67h0d6pisE3KEguO4FD58tg?testcase_id=6281753643974656
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 10 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 26 2016
FYI - when resolving cherry-picks during the FFmpeg roll for M56 (bug 591845), it looks like an incorrect upstream hash was listed in the gerrit patch cherry-pick description (and in chromium/patches/README): upstream ffmpeg has no a867b948ed35b3f5b72ee714232c21d5f591e7aa. The downstream commit resulting from that cherry-pick was 75976ae026fdbedb14f006eec6cd9119c543aa7f. Upstream ffmpeg *does have* a change with matching content as that cherry-picked into 75976ae02, in upstream c5cc3b08e56fc95665977544486bd9f06e4b7a72. I suspect this reference to a867b948 was a typo referencing some ephemeral commit when the gerrit patch to cherry-pick upstream c5cc3b08 was generated. Just a note to be careful in future :)
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by mmoroz@chromium.org, May 23 2016. Owner: xhw...@chromium.org