Use-of-uninitialized-value in dec_build_inter_predictors
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4773307787509760
Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  dec_build_inter_predictors
  dec_build_inter_predictors_sb
  decode_block
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=430917:430934
Minimized Testcase (1.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94jRSAHCrILmvXjUXShu_iFLBjab5jb7CTkuFKNZkzpzPONTpzSlhT9bSJDKEwJ6k9qzIGwnvJ-0jQXbfKEERKiQC2OiZiQU17BC7EGFT8qNhsmu9khf1MqYHXcVLyXw0gNZviLMbyYHJxagAxAnWmkN5i77Q?testcase_id=4773307787509760

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Nov 19 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 21 2016
Can you please take a look at this or send it to someone who can? Thanks.
Nov 22 2016
This one looks fairly harmless. Meaningful use of the uninitialized value (index 1 of an array of size 2) is controlled by a conditional (is_compound) which in this case is false. The report stems from the array being copied, then the values both being clamped, but afterward this value will be ignored. The simplest fix should be to initialize this element.
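A simplified C model of the pattern this comment describes, added here as an illustration rather than libvpx's own code: the struct, function names, value range and zero-initialisation in the fixed variant are assumptions. The unconditional copy-and-clamp stage is what makes MSan report the second element, even though only the first is consumed when the block is not compound.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical two-element motion-vector array, modelled on the comment's
 * description (not libvpx's real types). Element 1 only matters for
 * compound prediction but is copied and clamped unconditionally. */
typedef struct { int16_t row, col; } MV;

#define MV_LOW  (-(1 << 13))   /* assumed clamp range */
#define MV_UPP  ((1 << 13) - 1)

static int16_t clamp_i16(int v, int lo, int hi) {
  /* The comparisons here branch on v: MSan reports if v is uninitialized. */
  return (int16_t)(v < lo ? lo : (v > hi ? hi : v));
}

/* Stage that triggers the report: the whole array is copied, then every
 * element is clamped, so clamp_i16 branches on best[1] regardless of
 * whether the decoder will use it afterwards. */
static void copy_and_clamp(const MV best[2], MV out[2]) {
  memcpy(out, best, 2 * sizeof(MV));
  for (int i = 0; i < 2; i++) {
    out[i].row = clamp_i16(out[i].row, MV_LOW, MV_UPP);
    out[i].col = clamp_i16(out[i].col, MV_LOW, MV_UPP);
  }
}

/* Before the fix: best[1] is never written when !is_compound, so the clamp
 * branches on an uninitialized value, even though only best[0] is used. */
int read_mvs_buggy(int is_compound, MV ref0, MV ref1, MV out[2]) {
  MV best[2];
  best[0] = ref0;
  if (is_compound) best[1] = ref1;
  copy_and_clamp(best, out);
  return 1 + is_compound;  /* number of elements meaningfully used */
}

/* After the fix: initialize the element that will not be used, so every
 * later copy and clamp operates on defined data. Zero is an assumption. */
int read_mvs_fixed(int is_compound, MV ref0, MV ref1, MV out[2]) {
  MV best[2] = { {0, 0}, {0, 0} };
  best[0] = ref0;
  if (is_compound) best[1] = ref1;
  copy_and_clamp(best, out);
  return 1 + is_compound;
}
```

Built with `-fsanitize=memory`, only the buggy variant produces a report for the non-compound case; the fixed variant yields the same consumed element with no report.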
Nov 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/cb22359d027bc44cf84fa53a3ffd81c098816cc8

commit cb22359d027bc44cf84fa53a3ffd81c098816cc8
Author: James Zern <jzern@google.com>
Date: Tue Nov 22 02:20:33 2016

vp9,read_inter_block_mode_info: quiet msan warning

best_sub8x8[1] won't be used meaningfully when is_compound is false, but may trigger an msan warning as the value is copied around and later clamped.

BUG= 667044
Change-Id: Icc24c3b72cdb550bebea44d4aaa4ff8bf3fbab56

[modify] https://crrev.com/cb22359d027bc44cf84fa53a3ffd81c098816cc8/test/test-data.mk
[modify] https://crrev.com/cb22359d027bc44cf84fa53a3ffd81c098816cc8/test/invalid_file_test.cc
[modify] https://crrev.com/cb22359d027bc44cf84fa53a3ffd81c098816cc8/test/test-data.sha1
[modify] https://crrev.com/cb22359d027bc44cf84fa53a3ffd81c098816cc8/vp9/decoder/vp9_decodemv.c
Nov 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2d322b4d68ea1878fbe9c443275a76180f215c23

commit 2d322b4d68ea1878fbe9c443275a76180f215c23
Author: jzern <jzern@chromium.org>
Date: Wed Nov 23 23:01:05 2016

Roll src/third_party/libvpx/source/libvpx/ 5c64c01c7..d7f1d60c5 (36 commits).

https://chromium.googlesource.com/webm/libvpx.git/+log/5c64c01c7ca3..d7f1d60c51b4

$ git log 5c64c01c7..d7f1d60c5 --date=short --no-merges --format='%ad %ae %s'
2016-11-21 jzern vp9,read_inter_block_mode_info: quiet msan warning
2016-11-22 jzern avoid redefining WIN32_LEAN_AND_MEAN
2016-11-22 jianj Cosmetic changes to post proc unit tests.
2016-11-22 jimbankoski vp9-tests : split VpxEncoderThreadTest into two tests.
2016-11-22 kaustubh.raste Fix mips dspr2 build warning
2016-11-21 yaowu Add validation of frame_parallel_decoding_mode
2016-11-18 jzern vpx_temporal_svc_encoder.sh: fix comment (// -> #)
2016-11-18 jzern build/make/Android.mk: use -fPIC w/ENABLE_SHARED=1
2016-11-17 jianj Change *_xmm to *_sse2 in deblocker assembly functions.
2016-11-17 jzern partial_idct_test: s/SingleLargeCoef/SingleExtremeCoeff/
2016-11-17 kaustubh.raste Fix SingleLargeCoeff idct test
2016-11-02 jianj Change C and msa to match results from sse2.
2016-11-16 marpan vpx_temporal_svc_encoder.sh: Run all tests for 1-4 threads for vp8/vp9.
2016-11-14 jimbankoski stress.sh: Runs multiple libvpx encodes and decodes in parallel
2016-10-28 linfengz Add high bitdepth intra prediction NEON optimization (mode tm)
2016-11-15 jianj vp9: Speed 8: More aggresive golden skip for low res.
2016-11-12 jzern partial_idct_test: use <limits> for int16_min/max
2016-11-15 jzern vpx_timer.h,x86.h: define NOMINMAX for windows.h
2016-11-14 jzern build/make/Android.mk: fix cpufeatures import
2016-11-14 jianj vp9: Speed 8: Turn off 4x4avg for low-res non-key frames.
(...)

R=tomfinegan@chromium.org
BUG= 667044

Review-Url: https://codereview.chromium.org/2528543002
Cr-Commit-Position: refs/heads/master@{#434275}

[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/DEPS
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/BUILD.gn
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/README.chromium
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/libvpx_srcs.gni
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/ios/arm-neon/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/ios/arm64/vpx_config.c
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/ios/arm64/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/linux/arm-neon-cpu-detect/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/linux/arm-neon/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/linux/arm64/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/linux/ia32/vp8_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/linux/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/linux/x64/vp8_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/linux/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/mac/ia32/vp8_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/mac/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/mac/x64/vp8_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/mac/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/vpx_version.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/win/ia32/vp8_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/win/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/win/x64/vp8_rtcd.h
[modify] https://crrev.com/2d322b4d68ea1878fbe9c443275a76180f215c23/third_party/libvpx/source/config/win/x64/vpx_dsp_rtcd.h
Nov 25 2016
ClusterFuzz has detected this issue as fixed in range 434183:434379.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4773307787509760
Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  dec_build_inter_predictors
  dec_build_inter_predictors_sb
  decode_block
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=430917:430934
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=434183:434379
Minimized Testcase (1.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94jRSAHCrILmvXjUXShu_iFLBjab5jb7CTkuFKNZkzpzPONTpzSlhT9bSJDKEwJ6k9qzIGwnvJ-0jQXbfKEERKiQC2OiZiQU17BC7EGFT8qNhsmu9khf1MqYHXcVLyXw0gNZviLMbyYHJxagAxAnWmkN5i77Q?testcase_id=4773307787509760

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 25 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 15 2016
Dec 15 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Dec 21 2016
Approving for merge into M56
Dec 26 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 29 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/3219aac9dfb0a087c9e79c02ebe4704b97769c8c

commit 3219aac9dfb0a087c9e79c02ebe4704b97769c8c
Author: James Zern <jzern@google.com>
Date: Tue Nov 22 02:20:33 2016

vp9,read_inter_block_mode_info: quiet msan warning

best_sub8x8[1] won't be used meaningfully when is_compound is false, but may trigger an msan warning as the value is copied around and later clamped.

BUG= 667044
Change-Id: Icc24c3b72cdb550bebea44d4aaa4ff8bf3fbab56
(cherry picked from commit cb22359d027bc44cf84fa53a3ffd81c098816cc8)

[modify] https://crrev.com/3219aac9dfb0a087c9e79c02ebe4704b97769c8c/test/test-data.mk
[modify] https://crrev.com/3219aac9dfb0a087c9e79c02ebe4704b97769c8c/test/invalid_file_test.cc
[modify] https://crrev.com/3219aac9dfb0a087c9e79c02ebe4704b97769c8c/test/test-data.sha1
[modify] https://crrev.com/3219aac9dfb0a087c9e79c02ebe4704b97769c8c/vp9/decoder/vp9_decodemv.c
Jan 10 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/d39c8ecfa741ba98102e90924157e047ab14c0cf

commit d39c8ecfa741ba98102e90924157e047ab14c0cf
Author: James Zern <jzern@google.com>
Date: Tue Jan 10 00:02:43 2017
Mar 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot