New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 648372 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 648062
Owner:
Last visit > 30 days ago
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in cricket::MediaContentDescriptionImpl<cricket::AudioCodec>::~MediaContentDescript

Project Member Reported by ClusterFuzz, Sep 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5857065144942592

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x608000002110
Crash State:
  cricket::MediaContentDescriptionImpl<cricket::AudioCodec>::~MediaContentDescript
  cricket::AudioContentDescription::~AudioContentDescription
  cricket::AudioContentDescription::~AudioContentDescription
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=419151:419211

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97kKi1NvC5_7j5a3c9KVaS8IP-Husehb67PqgkX0-ONTvZy6vEB9P5SCXWPb4lpwUj6FzSfB-qhZ7byNAUr75fY5Ioff7uF1gVufZIDg370Q00w_hg_QiWHZm0EV-xL55QZE4gGSEDSv8US05x8xzHCSXhO6Q?testcase_id=5857065144942592
v=0
o=- 4320 1840 IN IP4 12�.1
s=-
t=1 0 0
a=a
a=icemantic* WMS
m=audiocationo-n 9 DTLS/SCTP 5 0
a=a
a=0.-
t=1 0 0
a=a
a=sctp-porto=- 4320 1840
o=


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: kjellander@chromium.org pthatcher@chromium.org
Components: Blink>WebRTC
Labels: Pri-2
Owner: deadbeef@chromium.org
Status: Assigned (was: Untriaged)
Related to
https://bugs.chromium.org/p/chromium/issues/detail?id=647904
and
https://bugs.chromium.org/p/chromium/issues/detail?id=647948


Project Member

Comment 2 by sheriffbot@chromium.org, Sep 20 2016

Labels: M-55
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 20 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Sep 20 2016

Labels: -Pri-2 Pri-1
Cc: honghaiz@chromium.org
Mergedinto: 648062
Status: Duplicate (was: Assigned)
Same root cause as another issue: parsing "sctp-port" in a non-data description.
Project Member

Comment 7 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422768:422805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5857065144942592

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x608000002110
Crash State:
  cricket::MediaContentDescriptionImpl<cricket::AudioCodec>::~MediaContentDescript
  cricket::AudioContentDescription::~AudioContentDescription
  cricket::AudioContentDescription::~AudioContentDescription
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=419151:419211
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=422768:422805

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97kKi1NvC5_7j5a3c9KVaS8IP-Husehb67PqgkX0-ONTvZy6vEB9P5SCXWPb4lpwUj6FzSfB-qhZ7byNAUr75fY5Ioff7uF1gVufZIDg370Q00w_hg_QiWHZm0EV-xL55QZE4gGSEDSv8US05x8xzHCSXhO6Q?testcase_id=5857065144942592
v=0
o=- 4320 1840 IN IP4 12�.1
s=-
t=1 0 0
a=a
a=icemantic* WMS
m=audiocationo-n 9 DTLS/SCTP 5 0
a=a
a=0.-
t=1 0 0
a=a
a=sctp-porto=- 4320 1840
o=


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Jan 12 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment