Integer-overflow in webrtc::ParseContent |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6735302376030208 Fuzzer: libfuzzer_sdp_parser_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: webrtc::ParseContent cricket::DataContentDescription* webrtc::ParseContentDescription<cricket::DataCo webrtc::ParseMediaDescription Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419163:419248 Minimized Testcase (1.69 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_vXSNV0PuVgJn65jrlr2_Cs1_BzXcNwBUM07qV_zFaddXTixJlDek_-fZfmdlCwJ_23jTFgdZ2ZfIRGioavwf4uroJvP4T_0ekRZi7-8Mar9k1DGtsxIJnuhRrCcu84N_IXVfuHpp-_rc_VS-w7vZ2FF9Bg?testcase_id=6735302376030208 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Mar 3 2017
,
Jul 30 2017
Detailed report: https://clusterfuzz.com/testcase?key=5338687864045568 Fuzzer: sdp_parser_fuzzer Job Type: libfuzzer_chrome_ubsan Crash Type: Integer-overflow Crash Address: Crash State: webrtc::ParseContent cricket::DataContentDescription* webrtc::ParseContentDescription<cricket::DataCo webrtc::ParseMediaDescription Sanitizer: undefined (UBSAN) Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5338687864045568 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=5338687864045568 Fuzzer: sdp_parser_fuzzer Job Type: libfuzzer_chrome_ubsan Crash Type: Integer-overflow Crash Address: Crash State: webrtc::ParseContent cricket::DataContentDescription* webrtc::ParseContentDescription<cricket::DataCo webrtc::ParseMediaDescription Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5338687864045568 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Aug 2 2017
The SDP that produces the issue: v=0 o=1 s=- t=0 m=application 9 b=AS:-5778057 The issue is that "b=AS" is in units of kbps, which we multiply by 1000 to convert to bps, which could result in integer overflow. We thought we fixed this by adding: b = std::min(b, INT_MAX / 1000); But we didn't consider that there's nothing checking for negative values. :)
,
Aug 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/bc88c6ba98806b629d64c832f8cebeafd75e93e4 commit bc88c6ba98806b629d64c832f8cebeafd75e93e4 Author: deadbeef <deadbeef@webrtc.org> Date: Wed Aug 02 18:26:34 2017 Reject negative values for "b=AS". It doesn't make sense to have a negative RTP session bandwidth; RFC3550 doesn't define any meaning for this. So just treat it as invalid SDP. BUG= chromium:675361 Review-Url: https://codereview.webrtc.org/2989243002 Cr-Commit-Position: refs/heads/master@{#19221} [modify] https://crrev.com/bc88c6ba98806b629d64c832f8cebeafd75e93e4/webrtc/pc/webrtcsdp.cc [modify] https://crrev.com/bc88c6ba98806b629d64c832f8cebeafd75e93e4/webrtc/pc/webrtcsdp_unittest.cc
,
Aug 2 2017
Will be fixed in next webrtc->chromium roll.
,
Aug 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/3e8016e1d51e6db21a51b7fcf308b8904aee2f66 commit 3e8016e1d51e6db21a51b7fcf308b8904aee2f66 Author: deadbeef <deadbeef@webrtc.org> Date: Fri Aug 04 00:49:30 2017 Ignore "b=AS:-1" instead of treating as a hard error. Follow up to https://codereview.webrtc.org/2989243002/. It turns out that "b=AS:-1" was being used to mean "no bandwidth limit", even though just omitting "b=AS" completely will do that. So we should treat this as a soft error for now, and give applications time to transition to doing the standard thing. BUG= chromium:675361 Review-Url: https://codereview.webrtc.org/2995463002 Cr-Commit-Position: refs/heads/master@{#19244} [modify] https://crrev.com/3e8016e1d51e6db21a51b7fcf308b8904aee2f66/webrtc/pc/webrtcsdp.cc [modify] https://crrev.com/3e8016e1d51e6db21a51b7fcf308b8904aee2f66/webrtc/pc/webrtcsdp_unittest.cc
,
Aug 4 2017
ClusterFuzz has detected this issue as fixed in range 491697:491738. Detailed report: https://clusterfuzz.com/testcase?key=5338687864045568 Fuzzer: sdp_parser_fuzzer Job Type: libfuzzer_chrome_ubsan Crash Type: Integer-overflow Crash Address: Crash State: webrtc::ParseContent cricket::DataContentDescription* webrtc::ParseContentDescription<cricket::DataCo webrtc::ParseMediaDescription Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=491697:491738 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5338687864045568 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 4 2017
ClusterFuzz testcase 5338687864045568 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mmohammad@chromium.org
, Jan 18 2017Owner: pthatcher@chromium.org
Status: Assigned (was: Untriaged)