Use-of-uninitialized-value in webrtc::PlayoutDelayLimits::Parse
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4552843011031040

Fuzzer: libfuzzer_rtp_packet_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  webrtc::PlayoutDelayLimits::Parse
  GetExtension<webrtc::PlayoutDelayLimits,
  webrtc::FuzzOneInput

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=417039:417277

Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96_UUBUC3li5w3-dUTKHZRmPxEZNBCGWQaahgHt3Kv6XgmFYIfClFcyvMTHPMbIN4kjoxIgRqP3KueHjS9_XV313NotFmDWsGQczxz9OJHU4Y3COwUBoh8L9OkjDzvZG9Zo378CmhRUzAHl0GlTqMpXcwwA0Q?testcase_id=4552843011031040

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 8 2016
Sep 9 2016
This code is not in use yet, so changing security impact to none. Will look into it and fix the issue.
Sep 12 2016
Sep 12 2016
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/a64a2fbf6d92d18e77f813212905bb5eb89799b5

commit a64a2fbf6d92d18e77f813212905bb5eb89799b5
Author: Danil Chapovalov <danilchap@webrtc.org>
Date: Mon Sep 12 09:41:35 2016

Fix oversized rtp extension parsing.
When size of individual one-byte extension spans beyond extension block

BUG= chromium:645201
R=brandtr@webrtc.org

Review URL: https://codereview.webrtc.org/2327743003 .

Cr-Commit-Position: refs/heads/master@{#14183}

[modify] https://crrev.com/a64a2fbf6d92d18e77f813212905bb5eb89799b5/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
[modify] https://crrev.com/a64a2fbf6d92d18e77f813212905bb5eb89799b5/webrtc/modules/rtp_rtcp/source/rtp_packet_unittest.cc
Sep 12 2016
Though it was triggered by the PlayoutDelayLimits extension, the actual bug was in ::webrtc::rtp::Packet::ParseBuffer and not specific to one extension. That function is used in production code, but only on manually created packets for now, so it still shouldn't trigger any real issue. The patch above (comment #5) should fix the bug once rolled into the Chromium codebase.
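The failure the thread describes is a one-byte header extension element (RFC 5285) whose length field runs past the end of the extension block, so the per-extension Parse reads bytes that were never written. The following is an added example in C++, not WebRTC's own code or the fix above: a bounds-checked parser for the RTP fixed header and the one-byte extension block, run over constructed packets (the element id 5, the 3-byte element size, the SSRC and the payload type are arbitrary choices for the demo, not values from the fuzzer testcase). A well-formed packet parses; an element claiming 16 bytes inside a 4-byte block, and a block claiming more words than the packet holds, are both rejected before any data is read.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative types for this example only (not WebRTC's own).
struct RtpExtensionElement {
  uint8_t id;                 // 4-bit local identifier, 1..14
  std::vector<uint8_t> data;  // element payload, 1..16 bytes
};

struct ParsedRtp {
  size_t payload_offset = 0;
  std::vector<RtpExtensionElement> extensions;
};

constexpr size_t kFixedHeaderSize = 12;
constexpr uint16_t kOneByteProfile = 0xBEDE;  // RFC 5285 one-byte header form

// Parse the one-byte header extension block (RFC 5285 section 4.2).
// `block` points just past the 4-byte extension header and holds exactly
// `block_len` bytes. Each element's length field is checked against the
// block end before its data is copied, so an oversized element fails the
// parse instead of reading whatever lies beyond the block.
bool ParseOneByteExtensions(const uint8_t* block, size_t block_len,
                            std::vector<RtpExtensionElement>* out) {
  size_t pos = 0;
  while (pos < block_len) {
    const uint8_t id = block[pos] >> 4;
    if (id == 0) {  // a zero byte is padding: no length field follows
      ++pos;
      continue;
    }
    if (id == 15) {  // reserved id: stop parsing the block
      break;
    }
    const size_t len = static_cast<size_t>(block[pos] & 0x0F) + 1;  // field holds len-1
    if (pos + 1 + len > block_len) {  // the check that keeps the element in bounds
      return false;
    }
    out->push_back({id, std::vector<uint8_t>(block + pos + 1, block + pos + 1 + len)});
    pos += 1 + len;
  }
  return true;
}

// Parse the fixed header, CSRC list and (if X=1) the extension block.
// Every offset is validated against `size` before it is dereferenced.
bool ParseRtpPacket(const uint8_t* buf, size_t size, ParsedRtp* out) {
  if (size < kFixedHeaderSize || (buf[0] >> 6) != 2) return false;
  const bool has_extension = (buf[0] & 0x10) != 0;
  const size_t csrc_count = buf[0] & 0x0F;
  size_t pos = kFixedHeaderSize + 4 * csrc_count;
  if (pos > size) return false;
  if (has_extension) {
    if (size - pos < 4) return false;
    const uint16_t profile = static_cast<uint16_t>((buf[pos] << 8) | buf[pos + 1]);
    const size_t ext_len = 4 * static_cast<size_t>((buf[pos + 2] << 8) | buf[pos + 3]);
    pos += 4;
    if (ext_len > size - pos) return false;  // the whole block must fit in the packet
    if (profile == kOneByteProfile &&
        !ParseOneByteExtensions(buf + pos, ext_len, &out->extensions)) {
      return false;
    }
    pos += ext_len;
  }
  out->payload_offset = pos;
  return true;
}

// Constructed sample packet (not captured traffic): V=2, X=1, CC=0, PT=96,
// one-byte profile, `ext_words` 32-bit words of extension, then one element
// whose header byte is `element_header` followed by three data bytes.
std::vector<uint8_t> MakePacket(uint8_t element_header, uint8_t ext_words) {
  return {0x90, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34, 0x56, 0x78,
          0xBE, 0xDE, 0x00, ext_words, element_header, 0x00, 0x10, 0x00};
}

// Number of parsed elements, or -1 when the packet is rejected.
int ParseAndCount(const std::vector<uint8_t>& pkt) {
  ParsedRtp parsed;
  if (!ParseRtpPacket(pkt.data(), pkt.size(), &parsed)) return -1;
  return static_cast<int>(parsed.extensions.size());
}

int main() {
  // id 5, length field 2 -> a 3-byte element that exactly fills the 4-byte block
  std::printf("well-formed:        %d\n", ParseAndCount(MakePacket(0x52, 0x01)));
  // id 5, length field 15 -> claims 16 bytes but only 3 remain in the block
  std::printf("oversized element:  %d\n", ParseAndCount(MakePacket(0x5F, 0x01)));
  // header claims 16 words (64 bytes) of extension in a 20-byte packet
  std::printf("oversized block:    %d\n", ParseAndCount(MakePacket(0x52, 0x10)));
  return 0;
}
```

The two checks that matter are the block-level one in ParseRtpPacket (extension length words against the bytes actually present) and the element-level one in ParseOneByteExtensions (element length against the block end); the report above is the second kind, where a per-extension Parse trusts the element length it was handed. Under MemorySanitizer the out-of-bounds copy would land on uninitialized bytes of the receive buffer, which is the use-of-uninitialized-value the fuzzer flagged.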
Sep 12 2016
Sep 14 2016
ClusterFuzz has detected this issue as fixed in range 418168:418204.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4552843011031040

Fuzzer: libfuzzer_rtp_packet_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  webrtc::PlayoutDelayLimits::Parse
  GetExtension<webrtc::PlayoutDelayLimits,
  webrtc::FuzzOneInput

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=417039:417277
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=418168:418204

Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96_UUBUC3li5w3-dUTKHZRmPxEZNBCGWQaahgHt3Kv6XgmFYIfClFcyvMTHPMbIN4kjoxIgRqP3KueHjS9_XV313NotFmDWsGQczxz9OJHU4Y3COwUBoh8L9OkjDzvZG9Zo378CmhRUzAHl0GlTqMpXcwwA0Q?testcase_id=4552843011031040

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbe...@chromium.org, Sep 8 2016
Status: Assigned (was: Untriaged)