Undefined-shift in ogm_packet |
|||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5341060371054592 Fuzzer: ochang_search_index_mutator Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: ogm_packet ogg_packet ogg_read_packet Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (15359.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ca27F9KviMx66NxTj-6qtC5MxtTeuM8nV_PSZxhS5eUqIHkBhRds-56Y2YEy_gC9jv8B9_mUqSLEtNIuAnPC6BrLoGHAUR7Djcsd6vAc-czKRxGAe6zbdNR7tn8PWAyhDEsfBhV1qM_Kyo4ni3Cwrdc36fO8kKpA6UHBxOaQVrkvhM7Y?testcase_id=5341060371054592 Issue manually filed by: mmohammad See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 12 2016
,
Aug 12 2016
can anybody take a look?
,
Aug 13 2016
This is in the ffmpeg code, but looks like somebody that knows the ogg format will need to look at it. https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavformat/oggparseogm.c?l=174 174: lb = ((*p & 2) << 1) | ((*p >> 6) & 3); 178: while (lb--) 179: os->pduration += p[lb+1] << (lb*8); So lb can be 0-7, and it will shift bytes by 8/16/24/32/40/48. But pduration is a 32-bit int, so shifts of 32/40/48 don't make sense. Not sure what should happen to pduration when lb is large. It appears that this field represents the duration represented as 0-7 bytes. So if the top few bytes are not 0, then the duration exceeds 32-bit int. So maybe the code needs to become: lb = ((*p & 2) << 1) | ((*p >> 6) & 3); while (lb-- >= 4) if (p[lb+1] != 0) return <some-sort-of-error>; while (lb--) os->pduration += p[lb+1] << (lb*8); I checked the latest ffmpeg source (https://github.com/FFmpeg/FFmpeg/blob/master/libavformat/oggparseogm.c) and this code is unchanged, so upgrading to the current ffmpeg won't fix this.
,
Aug 15 2016
,
Oct 11 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 4 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7d9f5804e4cc4bb6cc55133137a6e2060aa106b7 (roll clang 255169:257953). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Oct 4 2017
This bug predates that CL by months.
,
Oct 4 2017
=>Chris for ffmpeg roll.
,
Nov 7 2017
,
Nov 19 2017
ClusterFuzz has detected this issue as fixed in range 517698:517712. Detailed report: https://clusterfuzz.com/testcase?key=5341060371054592 Fuzzer: ochang_search_index_mutator Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: ogm_packet ogg_packet ogg_read_packet Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=517698:517712 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5341060371054592 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 19 2017
ClusterFuzz testcase 5341060371054592 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by ssamanoori@chromium.org
, Aug 11 2016