Container-overflow in HasCodec
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6228480729808896
Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Container-overflow READ 4
Crash Address: 0x6140000001c8
Crash State:
  HasCodec
  webrtc::AddSctpDataCodec
  webrtc::ParseContent
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=419157:419245
Minimized Testcase (3.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96HI_4ALxzls5KA09b8zBmXW5NXVs9PNYDK95VN4A3WA0C3f4yQc0mcx25MWK2F6Jyf5U7D_-pcGK9h56LI8ykMCJD00Mtw8C-k-VIxyPCgnP8fXea7y45zP-qbvnK_Xz9eRdXS2nY0Vo4-RZoH6v7OLZ_JEw?testcase_id=6228480729808896

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Sep 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 19 2016
Might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=647904 as there are similarities in the stack:

    #0 0x64dfc2 in HasCodec third_party/webrtc/pc/mediasession.h:345:17
    #1 0x64dfc2 in webrtc::AddSctpDataCodec(cricket::DataContentDescription*, int) third_party/webrtc/api/webrtcsdp.cc:1654
    #2 0x66fb64 in webrtc::ParseContent(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, cricket::MediaType, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<int, std::__1::allocator<int> > const&, unsigned long*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, cricket::MediaContentDescription*, cricket::TransportDescription*, std::__1::vector<webrtc::JsepIceCandidate*, std::__1::allocator<webrtc::JsepIceCandidate*> >*, webrtc::SdpParseError*) third_party/webrtc/api/webrtcsdp.cc:2658:12
    #3 0x63cdab in ParseContentDescription<cricket::AudioContentDescription> third_party/webrtc/api/webrtcsdp.cc:2230:8
    #4 0x63cdab in ParseMediaDescription third_party/webrtc/api/webrtcsdp.cc:2321
    #5 0x63cdab in webrtc::SdpDeserialize(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, webrtc::JsepSessionDescription*, webrtc::SdpParseError*) third_party/webrtc/api/webrtcsdp.cc:915
    #6 0x5126e3 in Initialize third_party/webrtc/api/jsepsessiondescription.cc:99:10
    #7 0x5126e3 in webrtc::CreateSessionDescription(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, webrtc::SdpParseError*) third_party/webrtc/api/jsepsessiondescription.cc:70
    #8 0x4f0701 in webrtc::FuzzOneInput(unsigned char const*, unsigned long) third_party/webrtc/test/fuzzers/sdp_parser_fuzzer.cc:22:7
    #9 0x12e6b19 in LLVMFuzzerTestOneInput third_party/webrtc/test/fuzzers/webrtc_fuzzer_main.cc:39:3
    #10 0x707657 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:481:13
    #11 0x706533 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:437:3
    #12 0x6f47e2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:268:6
    #13 0x6f8d02 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:475:9
    #14 0x716a88 in main third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #15 0x7ff61763cf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
Sep 28 2016
Issue 651155 has been merged into this issue.
Sep 28 2016
Issue 651155 looks really similar, please dedupe if it turns out to be a different problem.
Oct 5 2016
ClusterFuzz has detected this issue as fixed in range 422769:422805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6228480729808896
Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Container-overflow READ 4
Crash Address: 0x6140000001c8
Crash State:
  HasCodec
  webrtc::AddSctpDataCodec
  webrtc::ParseContent
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=419157:419245
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=422769:422805
Minimized Testcase (3.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96HI_4ALxzls5KA09b8zBmXW5NXVs9PNYDK95VN4A3WA0C3f4yQc0mcx25MWK2F6Jyf5U7D_-pcGK9h56LI8ykMCJD00Mtw8C-k-VIxyPCgnP8fXea7y45zP-qbvnK_Xz9eRdXS2nY0Vo4-RZoH6v7OLZ_JEw?testcase_id=6228480729808896

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot