Starred by 3 users
Status: Fixed
Pri: 0
Type: Bug-Security
M-8

Blocking:
issue 67777

Memory corruption with bad Vorbis streams (from CERT)
Reported by scarybea...@gmail.com, Dec 27 2010
VULNERABILITY DETAILS
CERT sent us a large number of WEBM files that cause trouble / crash / etc. Chrome. The worst of the problem seems to be a couple of memory corruptions in the ffmpeg Vorbis codec.
This bug will track the problems in the Vorbis codec. Additional bugs will be filed for any remaining issues.

VERSION
Chrome Version: all -- including trunk, M8 stable, M9 beta, etc.
Operating System: All; I can reproduce various crashes on Linux.

REPRODUCTION CASE
Attaching two test cases for the two different fixes I have that apply to the Vorbis code.

out.webm.68798.1929 - memory corruption rendering the channel floor buffer
out.webm.139771.2965 - memory corruption rendering the channel residue buffer

Attachments: out.webm.139771.2965 (578 KB), out.webm.68798.1929 (578 KB)
Project Member Comment 1 by bugdroid1@chromium.org, Dec 27 2010
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=70202

------------------------------------------------------------------------
r70202 | cevans@chromium.org | Mon Dec 27 15:40:24 PST 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=70202&r2=70201&pathrev=70202

Pick up Vorbis fix.

BUG= 68115 
TEST=See bug

Review URL: http://codereview.chromium.org/6069005
------------------------------------------------------------------------
Status: WillMerge
Fixed in the ffmpeg trunks/deps (r70200) and DEPS rolled on trunk (r70202)
scarybeasts@ are you planning to merge this to m8?
This merge is complicated. It needs a source code merge + maybe DEPS fiddle (for Linux / Mac). For Windows, it needs Frank to do a custom ffmpeg binary build and check that in.
Project Member Comment 6 by bugdroid1@chromium.org, Jan 6 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=70412

------------------------------------------------------------------------
r70412 | fbarchard@chromium.org | Tue Jan 04 01:52:27 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/media/tools/media_bench/media_bench.cc?r1=70412&r2=70411&pathrev=70412

check for codec null pointer when printing error message
BUG= 68115 
TEST=media_bench.exe --verbose=48 --stream=audio out.webm.68798.1929 should print Error: Could not open codec (NULL) for c:\work\out.webm.68798.1929

Review URL: http://codereview.chromium.org/6044008
------------------------------------------------------------------------
mini-update: ffmpeg branches have been created but we're holding off until next week
merged into m8:
http://src.chromium.org/viewvc/chrome?view=rev&revision=70585

needs windows binaries

m9 will get merged next week
@scherkus: awesome!! I build on Linux with a sync to latest on the buildspec: svn://chrome-svn/chrome-internal/trunk/tools/buildspec/branches/552

Confirmed that the new vorbis_dec.c file was picked up, and the two test case files no longer cause sad tabs in the resultant Release build.

Comment 10 by dwar...@cert.org, Jan 6 2011
When Windows binaries are available, I will rerun my ffmpeg relevant test cases (including hopefully redundant ones) to confirm.
Project Member Comment 11 by bugdroid1@chromium.org, Jan 6 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=70625

------------------------------------------------------------------------
r70625 | scherkus@chromium.org | Thu Jan 06 10:48:49 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/552/binaries/win/avformat-52.dll?r1=70625&r2=70624&pathrev=70625
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/552/binaries/win/avutil-50.dll?r1=70625&r2=70624&pathrev=70625
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/552/binaries/win/avcodec-52.dll?r1=70625&r2=70624&pathrev=70625

Checking in updated Chromium FFmpeg Windows DLLs for 552 as a result of r70585.

BUG= 68115 
TEST=files in bug report don't crash

------------------------------------------------------------------------
Windows binaries committed for Chromium m8 as r70625
Project Member Comment 13 by bugdroid1@chromium.org, Jan 6 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=70632

------------------------------------------------------------------------
r70632 | scherkus@chromium.org | Thu Jan 06 12:06:30 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/binaries/win/avformat-52.dll?r1=70632&r2=70631&pathrev=70632
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/binaries/win/avcodec-52.dll?r1=70632&r2=70631&pathrev=70632
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/binaries/win/avutil-50.dll?r1=70632&r2=70631&pathrev=70632

Checking in updated Chromium FFmpeg binaries due to r70200.

BUG= 68115 
TEST=bug report files don't crash
TBR=cevans
Review URL: http://codereview.chromium.org/6130002
------------------------------------------------------------------------
Chromium m10 binaries committed as r70632

Will update DEPS as soon as everything looks good to go!
http://codereview.chromium.org/6059011/
Project Member Comment 15 by bugdroid1@chromium.org, Jan 6 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=70664

------------------------------------------------------------------------
r70664 | scherkus@chromium.org | Thu Jan 06 14:13:42 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/binaries/win/avformat-52.dll?r1=70664&r2=70663&pathrev=70664
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/binaries/win/avcodec-52.dll?r1=70664&r2=70663&pathrev=70664
 M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/binaries/win/avutil-50.dll?r1=70664&r2=70663&pathrev=70664

Another attempt at updated Chromium FFmpeg binaries due to r70200.

This time they include the libvpx encoder for remoting.

BUG= 68115 
TEST=bug report files don't crash
TBR=cevans

------------------------------------------------------------------------
Project Member Comment 16 by bugdroid1@chromium.org, Jan 6 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=70684

------------------------------------------------------------------------
r70684 | scherkus@chromium.org | Thu Jan 06 15:44:19 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=70684&r2=70683&pathrev=70684

Rolling FFmpeg DEPS to 70632 to pick up new binaries.

BUG= 68115 
TEST=files in bug report don't crash

Review URL: http://codereview.chromium.org/6059011
------------------------------------------------------------------------
Alright I think we're done with M8, M9 and M10!!
Project Member Comment 18 by bugdroid1@chromium.org, Jan 7 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=70709

------------------------------------------------------------------------
r70709 | scherkus@chromium.org | Thu Jan 06 18:27:16 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/597/binaries/win/avformat-52.dll?r1=70709&r2=70708&pathrev=70709
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/597/binaries/win/avutil-50.dll?r1=70709&r2=70708&pathrev=70709
 M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/597/binaries/win/avcodec-52.dll?r1=70709&r2=70708&pathrev=70709

Checking in updated Chromium FFmpeg Windows DLLs for 597 as a result of r70707.

BUG= 68115 
TEST=files in bug report don't crash

------------------------------------------------------------------------
I think we're good to update the status on this one -- pass off to QA for verification?
Has the ffmpeg source code change also been merged to M9? If so, we can put the bug to FixUnreleased.
The ffmpeg source change didn't make it to M9 branch yet. I'll take care of that for you when the branch re-opens.
Labels: reward-decline reward-unpaid reward-1000
The rewards panel discussed this case, and the reward came out at 2 x $500 -- two relatively distinct Vorbis bugs, rewarded each at the lower $500 level due to the large number of duplicates, etc.

In instances where an individual is unable to accept the reward or nominate a charity, the reward money will go to our default charity of Red Cross.
Status: FixUnreleased
ffmpeg source change already merged to M9 by Andrew.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -reward-unpaid
Labels: -Restrict-View-SecurityNotify
Status: Fixed
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Project Member Comment 30 by bugdroid1@chromium.org, Oct 13 2012
Blocking: -chromium:67777 chromium:67777
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 31 by bugdroid1@chromium.org, Mar 10 2013
Labels: -SecSeverity-High -Mstone-8 -Type-Security -SecImpacts-Stable M-8 Security-Impact-Stable Security-Severity-High Type-Bug-Security
Project Member Comment 32 by bugdroid1@chromium.org, Mar 11 2013
Labels: -Area-Undefined
Project Member Comment 33 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 34 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 35 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 36 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 37 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic