
Issue 666794

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Blocked on:
issue 591845




Global-buffer-overflow in libopus_decode_init

Project Member Reported by ClusterFuzz, Nov 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5062275200450560

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Global-buffer-overflow READ 8
Crash Address: 0x7faea11f9a78
Crash State:
  libopus_decode_init
  avcodec_open2
  avformat_find_stream_info
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433020:433162

Minimized Testcase (10350.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97on8wBy7qqZfNKuL_XqHrgNl36dnq6nvwdUftFuw8_EB71aS7-Il4vRcdtkjcCJe9XpGO6YPGJeFwybrYCHPEB_U3VZanmsZ3r3Y178ElwDynxhnbzVB7dM2D1P85a02glCaeJCfpP8lS1VkkEzcDRYypODkjy2NAn2-ujnBFiYSY0wJs?testcase_id=5062275200450560

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: Pri-1
Owner: xhw...@chromium.org
Status: Assigned (was: Untriaged)
xhwang@, can you take a look at this please (as it is in ffmpeg) or send the bug to someone who can?

Comment 2 by xhw...@chromium.org, Nov 18 2016

Cc: hubbe@chromium.org xhw...@chromium.org dalecur...@chromium.org
Components: Internals>Media>FFmpeg
Owner: wolenetz@chromium.org
wolenetz@chromium.org: Is there any chance this is fixed in the M56 FFmpeg roll? If not, feel free to assign to hubbe@ who will do the next roll (I believe).
I think this is caused by the roll :)
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 19 2016

Labels: M-56
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 19 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I'll take a look along with several others - I suspect too that it's caused by the M56 ffmpeg roll.
Blockedon: 591845
Status: Started (was: Assigned)
I have a confirmed local linux regression, and this feature area was new in the FFmpeg roll (issue 591845). Working on a fix...
In #7: s/regression/repro/
I have a fix out for review @ https://chromium-review.googlesource.com/#/c/413334/
Project Member

Comment 10 by bugdroid1@chromium.org, Nov 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/141e56ccf7fc56646424484d357b6c74a486d2e2

commit 141e56ccf7fc56646424484d357b6c74a486d2e2
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Tue Nov 22 01:30:50 2016

lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

Similar to existing lavc/vorbisdec.c code which first checks that
avc->channels is valid for accessing ff_vorbis_channel_layouts, this
change adds protection to libopusdec.c to prevent accessing that
array with a negative index.

R=dalecurtis@chromium.org
BUG=666794

Change-Id: Id301bd783cb9b826117d41b20b1b05f28d35827c
Reviewed-on: https://chromium-review.googlesource.com/413334
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>

[modify] https://crrev.com/141e56ccf7fc56646424484d357b6c74a486d2e2/libavcodec/libopusdec.c
[modify] https://crrev.com/141e56ccf7fc56646424484d357b6c74a486d2e2/chromium/patches/README
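The commit message above describes the shape of the fix: validate avc->channels before it is used as an index into ff_vorbis_channel_layouts. The C below is an added illustration of that check, not FFmpeg's code or the patch itself; the table values, the function names and the sample channel counts are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FFmpeg's ff_vorbis_channel_layouts: one entry per channel
 * count 1..8. The bitmask values are constructed placeholders; only the
 * table length matters for the bounds check demonstrated here. */
#define MAX_VORBIS_CHANNELS 8
static const uint64_t vorbis_channel_layouts[MAX_VORBIS_CHANNELS] = {
    0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF
};

/* Shape of the reported bug: a channel count read from the container is
 * used as an index without validation. channels <= 0 reads before the
 * array (the negative index named in the commit message), channels > 8
 * reads past its end; ASan flags both as global-buffer-overflow. Kept only
 * for contrast and called below with a valid count. */
static uint64_t layout_unchecked(int channels)
{
    return vorbis_channel_layouts[channels - 1];
}

/* Hardened lookup modelled on the fix the commit message describes:
 * validate the count before it becomes an index. Returns 0 and writes
 * *layout on success, -1 when the count is rejected. */
static int layout_checked(int channels, uint64_t *layout)
{
    if (channels <= 0 || channels > MAX_VORBIS_CHANNELS)
        return -1;
    *layout = vorbis_channel_layouts[channels - 1];
    return 0;
}

/* Predicate form for callers that only need accept/reject. */
static int accepts(int channels)
{
    uint64_t layout;
    return layout_checked(channels, &layout) == 0;
}

int main(void)
{
    /* Constructed boundary inputs of the kind a fuzzer produces. */
    const int counts[] = { -1, 0, 1, 2, 8, 9, 0x7fffffff };
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
        printf("channels=%11d -> %s\n", counts[i],
               accepts(counts[i]) ? "accepted" : "rejected");
    printf("unchecked lookup for 2 channels: 0x%llx\n",
           (unsigned long long)layout_unchecked(2));
    return 0;
}
```

Under ASan, the unchecked lookup with a count of 0 or less is exactly the READ-of-8 global-buffer-overflow the report shows; the checked variant rejects it before any memory is touched.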

Project Member

Comment 11 by bugdroid1@chromium.org, Nov 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3431ae5ea798e4ce3b7da6b44bf4dab426114bba

commit 3431ae5ea798e4ce3b7da6b44bf4dab426114bba
Author: wolenetz <wolenetz@chromium.org>
Date: Tue Nov 22 03:12:20 2016

Roll src/third_party/ffmpeg/ e91355afa..141e56ccf (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/e91355afac54..141e56ccf7fc

$ git log e91355afa..141e56ccf --date=short --no-merges --format='%ad %ae %s'
2016-11-21 wolenetz lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

TBR=dalecurtis@chromium.org
BUG=666794, 591845

Review-Url: https://codereview.chromium.org/2518063003
Cr-Commit-Position: refs/heads/master@{#433766}

[modify] https://crrev.com/3431ae5ea798e4ce3b7da6b44bf4dab426114bba/DEPS

Project Member

Comment 12 by ClusterFuzz, Nov 22 2016

ClusterFuzz has detected this issue as fixed in range 433756:433807.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5062275200450560

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Global-buffer-overflow READ 8
Crash Address: 0x7faea11f9a78
Crash State:
  libopus_decode_init
  avcodec_open2
  avformat_find_stream_info
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433020:433162
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433756:433807

Minimized Testcase (10350.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97on8wBy7qqZfNKuL_XqHrgNl36dnq6nvwdUftFuw8_EB71aS7-Il4vRcdtkjcCJe9XpGO6YPGJeFwybrYCHPEB_U3VZanmsZ3r3Y178ElwDynxhnbzVB7dM2D1P85a02glCaeJCfpP8lS1VkkEzcDRYypODkjy2NAn2-ujnBFiYSY0wJs?testcase_id=5062275200450560

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Nov 22 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -M-56 M-57 Merge-Request-56
CF verified this is fixed. It fixes a regression introduced in the FFmpeg roll, which is requested to merge to M56, so requesting merge to M56 of the fix (#11).

Comment 15 by dimu@chromium.org, Nov 22 2016

Labels: -Merge-Request-56 Merge-Review-56 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Project Member

Comment 16 by sheriffbot@chromium.org, Nov 23 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Review-56 Merge-Approved-56
This change meets the bar and is approved for merge into M56
Project Member

Comment 18 by bugdroid1@chromium.org, Nov 30 2016

Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/000d02613613f11a197c124fc22ef9cd797b06ff

commit 000d02613613f11a197c124fc22ef9cd797b06ff
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Nov 30 00:00:47 2016

To M56: Roll src/third_party/ffmpeg/ e91355afa..141e56ccf (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/e91355afac54..141e56ccf7fc

$ git log e91355afa..141e56ccf --date=short --no-merges --format='%ad %ae %s'
2016-11-21 wolenetz lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

TBR=dalecurtis@chromium.org
BUG=666794, 591845

Review-Url: https://codereview.chromium.org/2518063003
Cr-Commit-Position: refs/heads/master@{#433766}
(cherry picked from commit 3431ae5ea798e4ce3b7da6b44bf4dab426114bba)

Review URL: https://codereview.chromium.org/2537973002 .

Cr-Commit-Position: refs/branch-heads/2924@{#175}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/000d02613613f11a197c124fc22ef9cd797b06ff/DEPS

Project Member

Comment 19 by bugdroid1@chromium.org, Nov 30 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/f4e4b1ff5dbdf3701bed5a709344372780af24d6

commit f4e4b1ff5dbdf3701bed5a709344372780af24d6
Author: Alex Mineer <amineer@google.com>
Date: Wed Nov 30 00:20:17 2016

Labels: M-56
Project Member

Comment 21 by bugdroid1@chromium.org, Dec 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0bf26e16060899a224a208cfbc40549fc924f1c0

commit 0bf26e16060899a224a208cfbc40549fc924f1c0
Author: wolenetz <wolenetz@chromium.org>
Date: Thu Dec 08 20:45:39 2016

Add ffmpeg regression tests for multiple issues from M56 roll

Note: Neither I nor chcunningham@ were able to reproduce 666874 with
current msan tooling, though both CF and chcunningham@ confirmed the
fix previously. Perhaps toolchain or sanitizer changes in the interim
have impacted ability to repro this case.

Excepting above, all new tests repro prior to their fix, and no longer
repro on trunk.

For issue 666770, a seek to GetStartTime() was insufficient for repro,
so a _SEEKING version of the test macro was added to obtain
repro.

Added 8b80a219364dd4c4baaa9297005218f43dc5c49f to internal repo.

BUG=666794, 666874, 667063, 666770
R=dalecurtis@chromium.org,chcunningham@chromium.org

Review-Url: https://codereview.chromium.org/2556343002
Cr-Commit-Position: refs/heads/master@{#437331}

[modify] https://crrev.com/0bf26e16060899a224a208cfbc40549fc924f1c0/media/ffmpeg/ffmpeg_regression_tests.cc

Labels: -Hotlist-Merge-Review -ReleaseBlock-Beta
Project Member

Comment 23 by bugdroid1@chromium.org, Dec 15 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/2db39ae520c90db0db865a6b5d15017f1f9f4d09

commit 2db39ae520c90db0db865a6b5d15017f1f9f4d09
Author: Alex Mineer <amineer@google.com>
Date: Thu Dec 15 22:13:56 2016

Project Member

Comment 24 by bugdroid1@chromium.org, Dec 15 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/f2b039af93bf22b422b46af2fb6f7aed10ff4f3e

commit f2b039af93bf22b422b46af2fb6f7aed10ff4f3e
Author: Alex Mineer <amineer@google.com>
Date: Thu Dec 15 23:22:05 2016

Project Member

Comment 25 by sheriffbot@chromium.org, Mar 1 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
