
Issue 634187 link

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Integer-overflow in media::MovingAverage::AddSample

Project Member Reported by ClusterFuzz, Aug 3 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5405795896524800

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::MovingAverage::AddSample
  media::DecoderStream<
  media::DecoderStream<
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (129.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96g88H1FzIdX6D-KDZwxPEbhSfqGmX7pjAmWDxYMTW_MLMrYyjv3-BCAcMWuTxU_PKPYrgmxwBxPGUJupEC9Vuq7XVDa4iP6aotcRZzuMtGOiMu10ST-hD_Xp0QMSzUw6EiTRm_eRhO6gXBGqLJkYFGSCxZIHK5bRWxbVN_AsM1l5YOD3M?testcase_id=5405795896524800

Additional requirements: Requires HTTP

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Labels: Te-Logged M-53
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: qiangchen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/501ce040bbd2a213d62b41750dee0749c1f1149c
Time: Wed Dec 02 17:16:03 2015
The CL last changed line 22 of file moving_average.cc, which is stack frame 0.

Author: dalecurtis
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ddbabe0c4daeedd7c784ebd1c3ea1b5c6b429366
Time: Tue Dec 15 21:36:49 2015
The CL last changed line 379 of file decoder_stream.cc, which is stack frame 1.

Author: xhwang@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/57b44c9239e672bbc6cb698b66a7809383222c04
Time: Sat Jul 13 09:45:25 2013
The CL last changed line 678 of file decoder_stream.cc, which is stack frame 2.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/77d41139d261342a429d2775c59d8e8a386d4c81
Time: Wed Mar 09 09:47:03 2016
The CL last changed line 389 of file callback.h, which is stack frame 3.

Author: skyostil@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ad8fb459e07068582588d72fd5dabdb72e70b689
Time: Thu Aug 14 14:26:09 2014
The CL last changed line 51 of file task_annotator.cc, which is stack frame 4.

Author: caseq
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/596ad0cca35be6b20afba297d3e8c26ae52e3ec2
Time: Thu Jul 16 19:13:21 2015
The CL last changed line 496 of file message_loop.cc, which is stack frame 5.

Author: ajwong@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b224f79da757434cee55b721806ff8553fc80b0a
Time: Wed Apr 20 16:02:23 2011
The CL last changed line 505 of file message_loop.cc, which is stack frame 6.

Suspected Project: chromium

Comment 2 by tzik@chromium.org, Aug 4 2016

Cc: qiangchen@chromium.org dalecur...@chromium.org tzik@chromium.org
Labels: findit-wrong
Owner: qiangchen@chromium.org
Rerouting to the author.
Can we just factor x*x - y*y to (x + y) * (x - y) to avoid the overflow?
I do not think the way in #2 could work. It is intrinsic overflow.

It means that the square sum of the durations overflows 2^64, which means the total duration is at least 4000s.

dalecurtis@, do you think it is normal?

I think a solution has to be lowering deviation calculation precision to millisecond level.
Doesn't matter if it's normal right? This can be triggered by user generated data, so it's something we should fix. That said, I don't know of any practical implications other than video rendering being bad; this information is only used for choosing frames.
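An added example, not Chromium's code: a checked stand-in for the moving average discussed above, keeping a running sum and sum of squares but using the GCC/Clang overflow builtins so that `AddSample` refuses a sample instead of wrapping (the unchecked form of the same arithmetic is what UBSan reports). Fed durations in microseconds it hits the int64 limit within a few thousand seconds of total duration, while the same durations expressed in milliseconds, the precision reduction proposed above, stay well within range. `CheckedMovingAverage` and its members are hypothetical names.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <deque>

// Hypothetical stand-in for a moving average over frame durations, keeping a
// running sum and sum of squares as the report describes. Samples are plain
// int64_t in whatever unit the caller picks (microseconds or milliseconds).
class CheckedMovingAverage {
 public:
  explicit CheckedMovingAverage(size_t depth) : depth_(depth) {}

  // Adds a sample, evicting the oldest one once the window is full. Returns
  // false and leaves the state unchanged when the sum of squares (or the
  // square itself) would overflow int64_t.
  bool AddSample(int64_t sample) {
    int64_t square = 0;
    if (__builtin_mul_overflow(sample, sample, &square)) return false;
    int64_t sum = sum_;
    int64_t square_sum = square_sum_;
    if (samples_.size() == depth_) {
      int64_t old = samples_.front();
      sum -= old;
      square_sum -= old * old;  // fit when it was added, so cannot overflow
    }
    if (__builtin_add_overflow(sum, sample, &sum)) return false;
    if (__builtin_add_overflow(square_sum, square, &square_sum)) return false;
    if (samples_.size() == depth_) samples_.pop_front();
    samples_.push_back(sample);
    sum_ = sum;
    square_sum_ = square_sum;
    return true;
  }

  // Population standard deviation of the samples currently in the window.
  double Deviation() const {
    if (samples_.empty()) return 0.0;
    double n = static_cast<double>(samples_.size());
    double mean = static_cast<double>(sum_) / n;
    double var = static_cast<double>(square_sum_) / n - mean * mean;
    return var > 0.0 ? std::sqrt(var) : 0.0;
  }

  size_t count() const { return samples_.size(); }

 private:
  size_t depth_;
  std::deque<int64_t> samples_;
  int64_t sum_ = 0;
  int64_t square_sum_ = 0;
};
```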
Project Member Comment 5 by sheriffbot@chromium.org, Aug 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Issue 636039 has been merged into this issue.
Labels: -Pri-1 Pri-2
As not breaking normal workflow.
Project Member Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 9 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5405795896524800 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member Comment 10 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 6743100435464192 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.