New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 668834 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

packet_list->empty() || *decoded_length < 0 || (packet_list->size() == 1 && deco

Project Member Reported by ClusterFuzz, Nov 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6740356193583104

Fuzzer: libfuzzer_neteq_rtp_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  packet_list->empty() || *decoded_length < 0 || (packet_list->size() == 1 && deco
  webrtc::NetEqImpl::DecodeLoop
  webrtc::NetEqImpl::Decode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423119:423135

Minimized Testcase (1.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9414LAVkhujhlJlCth-wASZDjYt6vAt8bZn5eFKeW844N2ZBMPF1f-qAYHCukmfECHY4Z3W928M4CmDcsi_2OnksbGJ5lvNeT0DPyUv0VYGu9ZNFSwRltWa-VDpoI4xfw1qtSZk2EsC-vDFZ750P-689ffXPA?testcase_id=6740356193583104

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by ajha@chromium.org, Nov 27 2016

Labels: M-55
Cc: msrchandra@chromium.org
Components: Infra>Git
Labels: Test-Predator-Wrong-CLs
Owner: guidou@chromium.org
Status: Assigned (was: Untriaged)
Find it did not provide any possible suspects.
Assigning to the concern owner related to webrtc from the regressed range,
https://chromium.googlesource.com/chromium/src/+log/44d0ad676eaecca9bfdf134d01c0f66582b2d30b..6f4e9e720389853f875c00f31c29062a9cfb9633?pretty=fuller

Suspecting CL --
https://chromium.googlesource.com/chromium/src/+/5cabc7c08b054153479bdacb46cc9aa73531343e

@guidou -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 3 by guidou@chromium.org, Nov 29 2016

Cc: pthatcher@chromium.org
Components: Blink>WebRTC>Network
Owner: hlundin@chromium.org
hlundin@: This looks related to a recent change by you in WebRTC (I think your fuzzer detected this). Can you take a look and reassign if necessary?

Cc: tlegrand@chromium.org
Components: -Blink>WebRTC>Network Blink>WebRTC>Audio
Labels: -M-55 M-57
This is likely an age-old issue, uncovered by my fairly new fuzzer. I'll take a look.

Comment 5 by ossu@chromium.org, Jan 2 2017

Cc: hlundin@chromium.org
Owner: ossu@chromium.org
I'm stealing this one, since I've touched that code quite recently. It looks like the case we're getting is multiple CNG packets in packet_list.

Comment 6 by ossu@chromium.org, Jan 2 2017

I added some trace printouts and it turns out NetEqImpl::ExtractPackets can return more than one CNG packet, if decoder_frame_length_ is shorter than the number of samples required from it. I'm not sure exactly why neteq believes the packets to be 3 samples long in this case, but it does seem right if looking at their timestamps. The packets have the same sequence number, which is weird in a real-world scenario. Clearly it can happen when fuzzing packets.

I've created a CL here: https://codereview.webrtc.org/2609043002
It simply limits the number of extracted packets to one, if that packet is CN. I think that's the correct way to go about it.

Logs follow:
-- This is from ExtractPackets, hitting the if (packet_duration == 0) check --
Guessed at a packet duration of 3
Extracted 3 of 80 required samples
Guessed at a packet duration of 3
Extracted 6 of 80 required samples

-- This is later in DecodeLoop --
packet_list.size() = 2 at ../../webrtc/modules/audio_coding/neteq/neteq_impl.cc:904
packet_list->size() = 2 at ../../webrtc/modules/audio_coding/neteq/neteq_impl.cc:1433
packet_list->size() = 2; decoded_length=0x7fffb751283c; *decoded_length=0; payload_type=99; CNG?=yes
  payload_type=99; payload size=1280; timestamp=3823363043; sequence_number=58339; priority=(0, 0); frame?=no
  payload_type=99; payload size=1280; timestamp=3823363046; sequence_number=58339; priority=(0, 0); frame?=no

Project Member

Comment 7 by bugdroid1@chromium.org, Jan 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/cafb497cc14e0f6d1933b8b8814d886081eb8788

commit cafb497cc14e0f6d1933b8b8814d886081eb8788
Author: ossu <ossu@webrtc.org>
Date: Mon Jan 02 15:00:50 2017

Limit NetEqImpl::ExtractPackets to returning one CNG packet

BUG= chromium:668834 

Review-Url: https://codereview.webrtc.org/2609043002
Cr-Commit-Position: refs/heads/master@{#15868}

[modify] https://crrev.com/cafb497cc14e0f6d1933b8b8814d886081eb8788/webrtc/modules/audio_coding/neteq/neteq_impl.cc

Project Member

Comment 8 by ClusterFuzz, Jan 4 2017

ClusterFuzz has detected this issue as fixed in range 441106:441113.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6740356193583104

Fuzzer: libfuzzer_neteq_rtp_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  packet_list->empty() || *decoded_length < 0 || (packet_list->size() == 1 && deco
  webrtc::NetEqImpl::DecodeLoop
  webrtc::NetEqImpl::Decode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423119:423135
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=441106:441113

Minimized Testcase (1.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9414LAVkhujhlJlCth-wASZDjYt6vAt8bZn5eFKeW844N2ZBMPF1f-qAYHCukmfECHY4Z3W928M4CmDcsi_2OnksbGJ5lvNeT0DPyUv0VYGu9ZNFSwRltWa-VDpoI4xfw1qtSZk2EsC-vDFZ750P-689ffXPA?testcase_id=6740356193583104

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Jan 4 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6740356193583104 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment