New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634187 link

Starred by 1 user
Status: WontFix
Owner:
qiangchen@chromium.org
Closed: Dec 2016
Cc:
qiangchen@chromium.org
tzik@chromium.org
mummare...@chromium.org
dalecur...@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in media::MovingAverage::AddSample

Project Member Reported by ClusterFuzz, Aug 3 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5405795896524800

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::MovingAverage::AddSample
  media::DecoderStream<
  media::DecoderStream<
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (129.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96g88H1FzIdX6D-KDZwxPEbhSfqGmX7pjAmWDxYMTW_MLMrYyjv3-BCAcMWuTxU_PKPYrgmxwBxPGUJupEC9Vuq7XVDa4iP6aotcRZzuMtGOiMu10ST-hD_Xp0QMSzUw6EiTRm_eRhO6gXBGqLJkYFGSCxZIHK5bRWxbVN_AsM1l5YOD3M?testcase_id=5405795896524800

Additional requirements: Requires HTTP

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Aug 3 2016

Labels: Te-Logged M-53
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: qiangchen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/501ce040bbd2a213d62b41750dee0749c1f1149c
Time: Wed Dec 02 17:16:03 2015
The CL last changed line 22 of file moving_average.cc, which is stack frame 0.

Author: dalecurtis
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ddbabe0c4daeedd7c784ebd1c3ea1b5c6b429366
Time: Tue Dec 15 21:36:49 2015
The CL last changed line 379 of file decoder_stream.cc, which is stack frame 1.

Author: xhwang@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/57b44c9239e672bbc6cb698b66a7809383222c04
Time: Sat Jul 13 09:45:25 2013
The CL last changed line 678 of file decoder_stream.cc, which is stack frame 2.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/77d41139d261342a429d2775c59d8e8a386d4c81
Time: Wed Mar 09 09:47:03 2016
The CL last changed line 389 of file callback.h, which is stack frame 3.

Author: skyostil@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ad8fb459e07068582588d72fd5dabdb72e70b689
Time: Thu Aug 14 14:26:09 2014
The CL last changed line 51 of file task_annotator.cc, which is stack frame 4.

Author: caseq
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/596ad0cca35be6b20afba297d3e8c26ae52e3ec2
Time: Thu Jul 16 19:13:21 2015
The CL last changed line 496 of file message_loop.cc, which is stack frame 5.

Author: ajwong@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b224f79da757434cee55b721806ff8553fc80b0a
Time: Wed Apr 20 16:02:23 2011
The CL last changed line 505 of file message_loop.cc, which is stack frame 6.

Suspected Project: chromium

Comment 2 by tzik@chromium.org, Aug 4 2016

Cc: qiangchen@chromium.org dalecur...@chromium.org tzik@chromium.org
Labels: findit-wrong
Owner: qiangchen@chromium.org
Rerouting to the author.
Can we just factor x*x - y*y to (x + y) * (x - y) to avoid the overflow?

Comment 3 by qiangchen@chromium.org, Aug 4 2016 

I do not think the way in #2 could work. It is intrinsic overflow.

It means that the square sum of the durations overflows 2^64, which means the total duration is at least 4000s.

dalecurtis@, do you think it is normal?

I think a solution has to be lowering deviation calculation precision to millisecond level.

Comment 4 by dalecur...@chromium.org, Aug 4 2016 

Doesn't matter if it's normal right? This can be triggered by user generated data, so it's something we should fix. That said, I don't know of any practical implications other than video rendering being bad; this information is only used for choosing frames.
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by dalecur...@chromium.org, Aug 9 2016 

 Issue 636039  has been merged into this issue.

Comment 7 by qiangchen@chromium.org, Sep 19 2016

Labels: -Pri-1 Pri-2
As not breaking normal workflow.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5405795896524800 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 6743100435464192 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

Sign in to add a comment