
Issue 657446


Issue metadata

Status: Fixed
Closed: Nov 2016
OS: Linux
Pri: 1
Type: Bug



Crash in media::VpxVideoDecoder::DecodeBuffer

Reported by ClusterFuzz (Project Member), Oct 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5069470420959232

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e900005bdb
Crash State:
  media::VpxVideoDecoder::DecodeBuffer
  media::VpxVideoDecoder::Decode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=395717:395804

Minimized Testcase (0.01 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97jCw7PTTMGSxxyDBLFvtDUcIZGkbThyM-2_LdzKjmQHeZduLQjrGkukceH5kvfpVwnLhyl6xKnrQvj5JN3_4yHFC2HQb2ONvjIYzkpYYXAdkswuNdcOqUtrppxfkHh4TAV7amEKUZ5eaZt1yYEIbn-3PSWeg?testcase_id=5069470420959232
0123456789


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: nyerramilli@chromium.org aizatsky@chromium.org
Labels: M-56
Owner: kcc@chromium.org
Status: Assigned (was: Untriaged)
Findit results:
----------------
Suspected CLs (the result is a list of CLs that change the crashed files):

Author: kcc
Project: chromium-libfuzzer
Changelist: https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer.git/+/c85bd4c851bf8228f7bfaf0ddd41b8f3dd0fdf32
Time: Fri May 13 22:11:23 2016
File FuzzerLoop.cpp is changed in this cl (and is part of stack frame #6, "fuzzer::Fuzzer::ExecuteCallback")
Minimum distance from crash line to modified line: 27. (file: FuzzerLoop.cpp, crashed on: 525, modified: 552).

Author: aizatsky
Project: chromium-libfuzzer
Changelist: https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer.git/+/c4c9c92de750da86352135c39120f2df9c0cfbb3
Time: Tue May 10 23:43:15 2016
File FuzzerLoop.cpp is changed in this cl (and is part of stack frame #6, "fuzzer::Fuzzer::ExecuteCallback")
Minimum distance from crash line to modified line: 34. (file: FuzzerLoop.cpp, crashed on: 509, modified: 475).

Suspected Project: chromium-libfuzzer

Based on Findit results, assigning to kcc@. Could you please check the issue?

Comment 2 by kcc@chromium.org, Oct 21 2016

Cc: kcc@chromium.org mmoroz@chromium.org infe...@chromium.org
Owner: ----
Status: Available (was: Assigned)
nyerramilli@, libFuzzer is a bug-finding tool and it has found a bug in media::VpxVideoDecoder::DecodeBuffer.
Please find the appropriate owner there.

[0831/231618:FATAL:vpx_video_decoder.cc(381)] Check failed: state_ != kUninitialized (0 vs. 0)Called Decode() before successful Initialize()

Comment 3 by mmoroz@chromium.org, Oct 27 2016

Owner: dalecur...@chromium.org
dalecurtis@, could you please help us to find an owner?

Comment 4 by mmoroz@chromium.org, Oct 27 2016

Components: Internals>Media>Codecs
The issue is that the fuzzer never verifies that Initialize() succeeded. It just assumes it does.

Comment 6 by bugdroid1@chromium.org, Oct 31 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/417f6041baad6fa9607a0e96aeab950c7be3f5f5

commit 417f6041baad6fa9607a0e96aeab950c7be3f5f5
Author: dalecurtis <dalecurtis@chromium.org>
Date: Mon Oct 31 19:03:03 2016

Fix VpxVideoDecoder fuzzer: check initialize and wait for decode.

Decode() can't be called if initialize fails and just because the
RunLoop is idle it does not mean the decode has finished.

BUG= 657446 
TEST=fuzzer test

Review-Url: https://codereview.chromium.org/2453013005
Cr-Commit-Position: refs/heads/master@{#428763}

[modify] https://crrev.com/417f6041baad6fa9607a0e96aeab950c7be3f5f5/media/filters/vpx_video_decoder_fuzzertest.cc

Status: Fixed (was: Available)
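The two harness mistakes named in the commit message above (calling Decode() without checking that Initialize() succeeded, and treating an idle RunLoop as "decode finished") are easy to reproduce in a toy model. The following is an added example written for this page; it is not Chromium code and not the content of the fix in media/filters/vpx_video_decoder_fuzzertest.cc. FakeDecoder imitates media::VpxVideoDecoder only in two respects: Decode() is illegal until Initialize() has reported success (the real decoder CHECKs state_ != kUninitialized, as in the log line in comment 2), and decode completion is reported by a callback posted from another sequence. Sequencer, FakeDecoder, HarnessBefore, HarnessAfter, Bytes and the constructed "config must start with 'V'" initialization rule are all invented here.

```cpp
// Added example, not Chromium's code. Single-threaded model of a libFuzzer
// harness driving an asynchronously initialized, asynchronously completing
// decoder. All names and the 'V' init rule are invented for this example.
#include <cstdint>
#include <cstdio>
#include <deque>
#include <functional>
#include <string>
#include <utility>
#include <vector>

using Closure = std::function<void()>;

// Two task queues standing in for the main sequence and a decoder worker.
// No real threads: the interleaving is explicit, which is the point.
struct Sequencer {
  std::deque<Closure> main_tasks, worker_tasks;
  void PostToMain(Closure c) { main_tasks.push_back(std::move(c)); }
  void PostToWorker(Closure c) { worker_tasks.push_back(std::move(c)); }

  // Analogue of RunLoop::RunUntilIdle(): drains only the main queue and
  // returns even though the worker may still own the decode.
  void RunUntilIdle() {
    while (!main_tasks.empty()) {
      Closure c = std::move(main_tasks.front());
      main_tasks.pop_front();
      c();
    }
  }
  // Analogue of RunLoop::Run() with a quit closure: keeps stepping the
  // worker until a callback flips |quit|.
  void RunUntilQuit(const bool& quit) {
    while (!quit) {
      RunUntilIdle();
      if (quit || worker_tasks.empty()) break;
      Closure c = std::move(worker_tasks.front());
      worker_tasks.pop_front();
      c();
    }
  }
};

struct FakeDecoder {
  enum State { kUninitialized, kNormal };
  State state = kUninitialized;
  bool check_failed = false;  // stands in for the fatal CHECK in the real decoder
  int frames_decoded = 0;
  Sequencer* seq;
  explicit FakeDecoder(Sequencer* s) : seq(s) {}

  // Constructed rule: init succeeds only if the config starts with 'V'.
  // On failure the state stays kUninitialized, as in the real decoder.
  void Initialize(const std::vector<uint8_t>& config, std::function<void(bool)> cb) {
    bool ok = !config.empty() && config[0] == 'V';
    if (ok) state = kNormal;
    seq->PostToMain([cb, ok] { cb(ok); });
  }

  // Decode runs on the worker and reports completion via a task on main.
  void Decode(Closure done) {
    if (state == kUninitialized) {  // "Called Decode() before successful Initialize()"
      check_failed = true;
      return;
    }
    seq->PostToWorker([this, done] {
      frames_decoded++;  // pretend to decode
      seq->PostToMain(done);
    });
  }
};

std::vector<uint8_t> Bytes(const std::string& s) {
  return std::vector<uint8_t>(s.begin(), s.end());
}

struct Outcome {
  bool check_failed;     // did the harness trip the decoder's CHECK?
  bool decode_finished;  // did the decode callback run before the harness returned?
};

// Shape of the fuzzer before the fix: Initialize() status ignored, and an
// idle loop taken to mean the decode is done.
Outcome HarnessBefore(const std::vector<uint8_t>& data) {
  Sequencer seq;
  FakeDecoder dec(&seq);
  dec.Initialize(data, [](bool) {});
  seq.RunUntilIdle();
  bool finished = false;
  dec.Decode([&] { finished = true; });
  seq.RunUntilIdle();  // returns while the worker still holds the decode
  return {dec.check_failed, finished};
}

// After the fix: bail out when Initialize() fails, and run until the decode
// callback actually fires.
Outcome HarnessAfter(const std::vector<uint8_t>& data) {
  Sequencer seq;
  FakeDecoder dec(&seq);
  bool init_done = false, init_ok = false;
  dec.Initialize(data, [&](bool ok) { init_ok = ok; init_done = true; });
  seq.RunUntilQuit(init_done);
  if (!init_ok) return {dec.check_failed, false};  // nothing to decode; not a bug
  bool finished = false;
  dec.Decode([&] { finished = true; });
  seq.RunUntilQuit(finished);
  return {dec.check_failed, finished};
}

int main() {
  for (const char* input : {"0123456789", "VP8 frame"}) {
    Outcome b = HarnessBefore(Bytes(input)), a = HarnessAfter(Bytes(input));
    std::printf("%-12s before: check_failed=%d finished=%d | after: check_failed=%d finished=%d\n",
                input, b.check_failed, b.decode_finished, a.check_failed, a.decode_finished);
  }
  return 0;
}
```

With an input whose init fails, HarnessBefore trips the CHECK while HarnessAfter simply returns; with an input whose init succeeds, HarnessBefore returns (and in the real harness would tear the decoder down) before the decode completes, while HarnessAfter waits for the completion callback. The same pattern applies to any fuzzer target whose API is asynchronous: assert on the callback, not on the loop being idle.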

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
