Integer-overflow in media::mp2t::EsParserH264::UpdateVideoDecoderConfig |
||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5483280269049856 Fuzzer: libfuzzer_es_parser_h264_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: media::mp2t::EsParserH264::UpdateVideoDecoderConfig media::mp2t::EsParserH264::EmitFrame media::mp2t::EsParserH264::ParseFromEsQueue Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229 Minimized Testcase (0.54 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94szq6XhuTYRuAgyG2R2m7tUA_W7kWjVDnHggpMIP6tRa0Nk_26japgI2SWrzSVMTWifv7xpPTDpPQrkH48vdKTyWQsxs6ut3CigGNYt9lLA7oA5-yADNyYPe2fu4AyouVyzS7GDIFmj3SZVAjUyKpIOOgmcg?testcase_id=5483280269049856 Issue manually filed by: mummareddy See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Aug 19 2016
=>wolenetz for triage.
,
Aug 25 2016
ClusterFuzz has detected this issue as fixed in range 413961:414068. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5483280269049856 Fuzzer: libfuzzer_es_parser_h264_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: media::mp2t::EsParserH264::UpdateVideoDecoderConfig media::mp2t::EsParserH264::EmitFrame media::mp2t::EsParserH264::ParseFromEsQueue Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413961:414068 Minimized Testcase (0.54 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94szq6XhuTYRuAgyG2R2m7tUA_W7kWjVDnHggpMIP6tRa0Nk_26japgI2SWrzSVMTWifv7xpPTDpPQrkH48vdKTyWQsxs6ut3CigGNYt9lLA7oA5-yADNyYPe2fu4AyouVyzS7GDIFmj3SZVAjUyKpIOOgmcg?testcase_id=5483280269049856 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 25 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 25 2016
I don't see a related change that fixed this. I'll try a local repro to see what's up.
,
Aug 25 2016
From code inspection, over to servolk@, who looked at similar as part of fixing bug 541669 (https://codereview.chromium.org/1896533002/). The problem is that H264SPS int fields like "pic_*_in_*_minus1" are never verified to be less than std::numeric_limits<int>::max() before adding 1 to them. Please add further checks around this to prevent overflow.
,
Aug 25 2016
CC+= watk@ and sandersd@ in case they want to take a stab at fixing this. Please coordinate, folks. The fix should be simple. I didn't actually confirm local repro, but looking at code, we read bits into an int, then add 1 without ever checking that the addition won't overflow. This is both es_parser_264.cc and likely also in h264_decoder.cc (see the CL referenced in c#6).
,
Aug 25 2016
Taking over fix. I'm planning to eventually move all of these into H264SPS, but for now I'm just going to change all of the implementations that do it this way (there are three).
,
Aug 25 2016
Per #4 and #6, marking ClusterFuzz-Wrong.
,
Aug 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d49079c5e9d04760afb4ffb433d11e8006c3e81a commit d49079c5e9d04760afb4ffb433d11e8006c3e81a Author: sandersd <sandersd@chromium.org> Date: Tue Aug 30 23:20:15 2016 H264SPS: Centralize computation of coded size and visible rect. These new methods are paranoid about undefined behavior, and they replace similar code in H264Decoder and EsParserH264. BUG= 639128 Review-Url: https://codereview.chromium.org/2268183009 Cr-Commit-Position: refs/heads/master@{#415488} [modify] https://crrev.com/d49079c5e9d04760afb4ffb433d11e8006c3e81a/media/BUILD.gn [modify] https://crrev.com/d49079c5e9d04760afb4ffb433d11e8006c3e81a/media/filters/h264_parser.cc [modify] https://crrev.com/d49079c5e9d04760afb4ffb433d11e8006c3e81a/media/filters/h264_parser.h [modify] https://crrev.com/d49079c5e9d04760afb4ffb433d11e8006c3e81a/media/filters/h264_parser_fuzzertest.cc [modify] https://crrev.com/d49079c5e9d04760afb4ffb433d11e8006c3e81a/media/filters/h264_parser_unittest.cc [modify] https://crrev.com/d49079c5e9d04760afb4ffb433d11e8006c3e81a/media/formats/mp2t/es_parser_h264.cc [modify] https://crrev.com/d49079c5e9d04760afb4ffb433d11e8006c3e81a/media/gpu/h264_decoder.cc
,
Sep 23 2016
I guess ClusterFuzz isn't going to chime in on these changes anymore, but this should have been fixed some time ago.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label. |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by mummare...@chromium.org
, Aug 18 2016Owner: dalecur...@chromium.org
Status: Assigned (was: Untriaged)