New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 628521 link

Starred by 1 user
Status: WontFix
Owner:
chcunningham@chromium.org
Closed: Dec 2016
Cc:
nyerramilli@chromium.org
servolk@chromium.org
dalecur...@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



Sign in to add a comment

buffer->timestamp() >= base::TimeDelta() in ffmpeg_demuxer.cc

Project Member Reported by ClusterFuzz, Jul 15 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6565168716972032

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  buffer->timestamp() >= base::TimeDelta() in ffmpeg_demuxer.cc
  media::FFmpegDemuxerStream::EnqueuePacket
  media::FFmpegDemuxer::OnReadFrameDone
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=287002:287043

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97G-6ewbDYJW0quOSw6oIU2aV0sWdkKjJvftpVSF6R_B7QKIars2wzbwWSJTzH_51Z22QzVUxD1SmjpU6erjCMLOkJmNu_LM_VNboPQdmSkakqmlnD-knrIcQ12phm5ViAWFAgfeQuJUQnCvGiAjOUZTNqKug?testcase_id=6565168716972032
<video><source src='flicker-graytone0.vp91400840449.51.webm'>


Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by nyerramilli@chromium.org, Jul 15 2016

Cc: nyerramilli@chromium.org
Components: Tools>Test>FindIt>NoResult
Labels: findit-wrong Te-Logged M-52
Owner: servolk@chromium.org
Status: Assigned (was: Available)
providing findit results for internal purpose:
Suspected CLs	Findit could not determine the memory tool from the stacktrace. Is it in a new format?

seeing some changes to ffmpeg_demuxer.cc in https://chromium.googlesource.com/chromium/src/+/f25ceedfcb1e403c96eb80702cd29aa1dc370619

servolk @, Could you please check the above issue & help us in finding an owner it its not yours.

Comment 2 by servolk@chromium.org, Jul 19 2016

Cc: servolk@chromium.org
Owner: dalecur...@chromium.org
Hmm, my change shouldn't have any effect on how we handle buffer timestamps in the FFmpegDemuxer. I think Dale might know more about this, since he added the fixup_negative_timestamps_ in FFmpegDemuxer (https://chromium.googlesource.com/chromium/src/+/aa958fd3a80afdfdc2f747a819a1c67605c637e6).
Dale, any ideas why fuzzing crashes/CHECKs on negative timestamps in FFmpegDemuxer? Do we need to handle negative timestamps in webm in addition to ogg containers?

Comment 3 by dalecur...@chromium.org, Jul 19 2016

Cc: dalecur...@chromium.org
Labels: -Pri-1 Pri-3
Owner: chcunningham@chromium.org
There should not be negative timestamps in non-ogg containers, so this seems like a bug; though aside from glitchy rendering there is no impact of this behavior beyond the check failure.
Project Member

Comment 4 by ClusterFuzz, Jul 29 2016

Labels: Stability-LibFuzzer Stability-Memory-AddressSanitizer
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6684308601569280

Fuzzer: media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000745f
Crash State:
  media::FFmpegDemuxerStream::EnqueuePacket
  media::FFmpegDemuxer::OnReadFrameDone
  void base::internal::FunctorTraits<void
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408389:408457

Minimized Testcase (2.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95UoK5qCplbg5CW8yxh0ZT7VG9qsLVyRGPkOrzNSq4qMp7kY_2t_BoNWqPVuDDaGW0Tvc6WLL2Z7ic91iSlMvc0uB3fCm9fDEjWQnH1DNYYgEsZvB38O636uD0HoNQQ_pe8sGq9Cf_-T-lmxE0okCWfDcloGQ?testcase_id=6684308601569280

Filer: rnimmagadda

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 5 by ClusterFuzz, Aug 1 2016 

ClusterFuzz has detected this issue as fixed in range 408588:408608.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6684308601569280

Fuzzer: media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000745f
Crash State:
  media::FFmpegDemuxerStream::EnqueuePacket
  media::FFmpegDemuxer::OnReadFrameDone
  void base::internal::FunctorTraits<void
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408389:408457
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408588:408608

Minimized Testcase (2.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95UoK5qCplbg5CW8yxh0ZT7VG9qsLVyRGPkOrzNSq4qMp7kY_2t_BoNWqPVuDDaGW0Tvc6WLL2Z7ic91iSlMvc0uB3fCm9fDEjWQnH1DNYYgEsZvB38O636uD0HoNQQ_pe8sGq9Cf_-T-lmxE0okCWfDcloGQ?testcase_id=6684308601569280

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>NoResult
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 6565168716972032 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment