
Issue 639142


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Integer-overflow in media::H264Parser::ParseSPS

Project Member Reported by ClusterFuzz, Aug 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6217321989537792

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229

Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94nRgUtxz59sNHahXuN5uUniNHSfudPBj44Sp_-hF5rVZZ3uAfXF9QDBeaYRtO6uAdxwj1lLv-AfiRq_GtpKTbnuvv1Uivus2q6grWkcOc7N4IOG13dEiYog2YeweSejeDQIxIJlMU3_rneGLQ9h33IZTK-uQ?testcase_id=6217321989537792

Issue manually filed by: mummareddy

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Labels: Findit-for-crash Te-Logged M-53
Owner: aizatsky@chromium.org
Status: Assigned (was: Untriaged)
From findit tool:

Author: aizatsky
Project: chromium-libfuzzer
Changelist: https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer.git/+/c028617f67a20cb5abf3ae798232e9fd188cbdd1
Time: Tue Jun 07 18:16:32 2016
Files FuzzerLoop.cpp and FuzzerDriver.cpp are changed in this CL (and are part of stack frame #3, "fuzzer::Fuzzer::ExecuteCallback", and frame #4, "fuzzer::Fuzzer::RunOne").
Minimum distance from crash line to modified line: 38. (file: FuzzerDriver.cpp, crashed on: 377, modified: 339).

Suspected Project: chromium-libfuzzer

Comment 2 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 413961:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6217321989537792

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=398351:399229
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413961:414068

Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94nRgUtxz59sNHahXuN5uUniNHSfudPBj44Sp_-hF5rVZZ3uAfXF9QDBeaYRtO6uAdxwj1lLv-AfiRq_GtpKTbnuvv1Uivus2q6grWkcOc7N4IOG13dEiYog2YeweSejeDQIxIJlMU3_rneGLQ9h33IZTK-uQ?testcase_id=6217321989537792

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 3 by ClusterFuzz, Aug 25 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment. Thank you.

Comment 5 by ClusterFuzz, Aug 25 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6661887897108480

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv948z54bG-5N4MFhsKkuj39EiX_fqNzMToWynoRhf7s63EAJn-hJVQaaSijQRvikp_GNNH7yHKVBChLXaRrxEFQFlyCYe-mcFA57SG64exfrFEL_hn4cAeY7vjMTWG1D2Iw7-ZmExlQkgskBZIdjO9A85Y8r4Q?testcase_id=6661887897108480

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 6 by ClusterFuzz, Aug 26 2016

ClusterFuzz has detected this issue as fixed in range 414399:414444.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6661887897108480

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414399:414444

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv948z54bG-5N4MFhsKkuj39EiX_fqNzMToWynoRhf7s63EAJn-hJVQaaSijQRvikp_GNNH7yHKVBChLXaRrxEFQFlyCYe-mcFA57SG64exfrFEL_hn4cAeY7vjMTWG1D2Iw7-ZmExlQkgskBZIdjO9A85Y8r4Q?testcase_id=6661887897108480

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Verified (was: Assigned)
As per update #6, closing the issue. Thank you.

Comment 8 by mmoroz@chromium.org, Aug 26 2016

Status: Available (was: Verified)

Comment 9 by ClusterFuzz, Aug 26 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6133713085923328

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414663:414681

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_Gis53El7EOk0MEtYfPGI9AjQ8dOFQ2l0-Qwx_mnafDYJKssRphlTNjKjJqunw0nCr8sTDK3O1H2Z2BYxTmjpuT9lxr5CWPP7MrZm4xGBb5a5EDDnfjyWlF5VE5rMhb_7k2Amw3T750DrbBOph19567L5ig?testcase_id=6133713085923328

Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Internals>Media>Codecs
Owner: jrumm...@chromium.org

Comment 11 by ClusterFuzz, Aug 27 2016

ClusterFuzz has detected this issue as fixed in range 414779:414830.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6133713085923328

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414663:414681
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414779:414830

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_Gis53El7EOk0MEtYfPGI9AjQ8dOFQ2l0-Qwx_mnafDYJKssRphlTNjKjJqunw0nCr8sTDK3O1H2Z2BYxTmjpuT9lxr5CWPP7MrZm4xGBb5a5EDDnfjyWlF5VE5rMhb_7k2Amw3T750DrbBOph19567L5ig?testcase_id=6133713085923328

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by ClusterFuzz, Aug 30 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5105818427195392

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414977:414989

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Ed2S14gWokU-LCBna_xIsk-sq1PsMbpgH1CAisLqjaJk617vS5ieslrRB-Mz85nglHwcIVcAS1w7Gavk54lVbcL1Ikzxptk2gvaP-z-SLSrld37d_tB53UcNT1EWTPvZV3-6T5dnY2A1Pq305AvAYYKkscg?testcase_id=5105818427195392

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Labels: M-55


Author: dalecurtis
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/39a7f93d67f79d6afadb0f74254eef19b5ff9318
Time: Tue Jul 19 18:34:59 2016
The CL last changed line 18 of file es_parser_h264_fuzzer.cc, which is stack frame 2.

Comment 14 by ClusterFuzz, Aug 30 2016

ClusterFuzz has detected this issue as fixed in range 415035:415043.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5105818427195392

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414977:414989
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415035:415043

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Ed2S14gWokU-LCBna_xIsk-sq1PsMbpgH1CAisLqjaJk617vS5ieslrRB-Mz85nglHwcIVcAS1w7Gavk54lVbcL1Ikzxptk2gvaP-z-SLSrld37d_tB53UcNT1EWTPvZV3-6T5dnY2A1Pq305AvAYYKkscg?testcase_id=5105818427195392

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 15 by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4826492846735360

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415587:415619

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956lmxX0LYhVB9mvyKTPcyfn1BHW2in38NpAcUG4s4EKXO3QSCLjzqeRKlOdl7r-9r3bOlXAYmTyX8x7fsgtcSGDosYWWG09R36T-uDRWI49zWAezEarmvNRcSfbM7NlFUy593UP5qE7MQNdXtiAvkxaxEBQw?testcase_id=4826492846735360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Owner: sande...@chromium.org
Status: Started (was: Available)

Comment 17 by bugdroid1@chromium.org, Sep 2 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/419ed06d526505e3d0b938b1a72cc2e8092a96c3

commit 419ed06d526505e3d0b938b1a72cc2e8092a96c3
Author: sandersd <sandersd@chromium.org>
Date: Fri Sep 02 21:00:02 2016

H264Parser: Check bounds for |expected_delta_per_pic_order_cnt_cycle|

BUG= 639142 

Review-Url: https://codereview.chromium.org/2300253002
Cr-Commit-Position: refs/heads/master@{#416338}

[modify] https://crrev.com/419ed06d526505e3d0b938b1a72cc2e8092a96c3/media/filters/h264_parser.cc


Comment 18 by ClusterFuzz, Sep 3 2016

ClusterFuzz has detected this issue as fixed in range 416303:416379.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4826492846735360

Fuzzer: libfuzzer_es_parser_h264_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::H264Parser::ParseSPS
  media::mp2t::EsParserH264::ParseFromEsQueue
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415587:415619
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=416303:416379

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956lmxX0LYhVB9mvyKTPcyfn1BHW2in38NpAcUG4s4EKXO3QSCLjzqeRKlOdl7r-9r3bOlXAYmTyX8x7fsgtcSGDosYWWG09R36T-uDRWI49zWAezEarmvNRcSfbM7NlFUy593UP5qE7MQNdXtiAvkxaxEBQw?testcase_id=4826492846735360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)

Comment 20 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
