
Issue 686387

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Use-of-uninitialized-value in avio_seek

Project Member Reported by ClusterFuzz, Jan 28 2017

Issue description

Comment 1 by est...@chromium.org, Jan 28 2017

Components: Internals>Media
Owner: dalecur...@chromium.org
Status: Assigned (was: Untriaged)
dalecurtis, can you please take a look? Thanks.

Comment 2 by sheriffbot@chromium.org, Jan 28 2017

Labels: M-57

Comment 3 by sheriffbot@chromium.org, Jan 28 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Jan 28 2017

Labels: Pri-1

Comment 5 by sheriffbot@chromium.org, Jan 29 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Cc: liber...@chromium.org
Owner: hubbe@chromium.org

Comment 8 by bugdroid1@chromium.org, Jan 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/bc2eb1987e956f5d2747e8c9c61ac346a2c91c92

commit bc2eb1987e956f5d2747e8c9c61ac346a2c91c92
Author: Fredrik Hubinette <hubbe@google.com>
Date: Mon Jan 30 19:58:11 2017

cherry-pick fix for uninitialized memory in flac

BUG= 686387 

Original description:
avformat/flacdec: Check avio_read result when reading flac block header.

Return AVERROR_INVALIDDATA if all four bytes aren't present.

Change-Id: I049dc485d3ebf9bcfd12fa3494659e9737325d76
Reviewed-on: https://chromium-review.googlesource.com/434760
Reviewed-by: Frank Liberato <liberato@chromium.org>

[modify] https://crrev.com/bc2eb1987e956f5d2747e8c9c61ac346a2c91c92/libavformat/flacdec.c
[modify] https://crrev.com/bc2eb1987e956f5d2747e8c9c61ac346a2c91c92/chromium/patches/README
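
The check the commit describes, as an added example that is not FFmpeg's or this issue's own code: a minimal in-memory stand-in for AVIOContext (the names MemIO, mem_read, mem_skip, read_block_header and walk_metadata are all constructed here) and a FLAC metadata block-header reader that verifies the avio_read-style result before the parsed length can reach a seek.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ERR_INVALIDDATA (-1) /* stands in for FFmpeg's AVERROR_INVALIDDATA */
#define ERR_EOF         (-2) /* stands in for AVERROR_EOF */
/* Stand-in for AVIOContext over an in-memory buffer (constructed for this example). */
typedef struct { const uint8_t *data; size_t size, pos; } MemIO;

/* Like avio_read: copies up to n bytes and returns how many were actually read. */
static int mem_read(MemIO *io, uint8_t *buf, int n) {
    size_t left = io->size - io->pos;
    int got = (size_t)n < left ? n : (int)left;
    memcpy(buf, io->data + io->pos, (size_t)got);
    io->pos += (size_t)got;
    return got;
}
/* Like a forward avio_seek/avio_skip, but refuses to move past the end. */
static int mem_skip(MemIO *io, uint32_t n) {
    if (n > io->size - io->pos) return ERR_EOF;
    io->pos += n;
    return 0;
}
/* Parses one FLAC METADATA_BLOCK_HEADER: byte 0 bit 7 = last-block flag,
 * bits 6..0 = block type, bytes 1..3 = big-endian payload length. */
static int read_block_header(MemIO *io, int *last, int *type, uint32_t *len) {
    uint8_t header[4]; /* stack buffer, not zeroed, as in flacdec.c */
    /* The check the fix added: without it a stream ending inside the header left
     * part of header[] uninitialized and that garbage length reached avio_seek. */
    if (mem_read(io, header, 4) != 4)
        return ERR_INVALIDDATA;
    *last = header[0] >> 7;
    *type = header[0] & 0x7f;
    *len  = ((uint32_t)header[1] << 16) | ((uint32_t)header[2] << 8) | header[3];
    return 0;
}
/* Walks the metadata chain as flac_read_header does: read a header, skip its payload. */
static int walk_metadata(const uint8_t *buf, size_t n) {
    MemIO io = { buf, n, 0 };
    int last = 0, type, ret; uint32_t len;
    while (!last) {
        if ((ret = read_block_header(&io, &last, &type, &len)) < 0) return ret;
        if ((ret = mem_skip(&io, len)) < 0) return ret;
    }
    return 0;
}
/* Constructed inputs: a valid last block with a 2-byte payload, a stream cut off
 * inside the header, and a header whose declared length overruns the data. */
static const uint8_t good_stream[]      = { 0x80, 0x00, 0x00, 0x02, 0xAA, 0xBB };
static const uint8_t truncated_stream[] = { 0x80, 0x00 };
static const uint8_t overrun_stream[]   = { 0x80, 0x00, 0x01, 0x00 };
```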


Comment 9 by bugdroid1@chromium.org, Jan 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4f79aee08df8f4521a9d5e39144b822739ea3888

commit 4f79aee08df8f4521a9d5e39144b822739ea3888
Author: hubbe <hubbe@chromium.org>
Date: Mon Jan 30 23:07:53 2017

Roll src/third_party/ffmpeg/ a628732d0..bc2eb1987 (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/a628732d02fe..bc2eb1987e95

$ git log a628732d0..bc2eb1987 --date=short --no-merges --format='%ad %ae %s'
2017-01-30 hubbe cherry-pick fix for uninitialized memory in flac

BUG= 686387 

Review-Url: https://codereview.chromium.org/2664953002
Cr-Commit-Position: refs/heads/master@{#447105}

[modify] https://crrev.com/4f79aee08df8f4521a9d5e39144b822739ea3888/DEPS


Comment 10 by ClusterFuzz, Jan 31 2017

ClusterFuzz has detected this issue as fixed in range 447059:447171.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5664180796653568

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  avio_seek
  flac_read_header
  avformat_open_input
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=413228:413328
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=447059:447171

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95ojFvJVdHYdvcryc3OQRKgfIislerDM1M74ln1lAptvcWIwTupxmQ20fdbJBAu7lRyCvUQJMX93vrcs9ggXsGB0VSaUn1-yqg5qTYICU1oo993Zuu1BEkT2y-qBx9QdiOccBlptsLLih8InqS8QRioI5QKjj0tZcAdVaAgE4TQ3a90QLJmfRreP2pNDdVoNg_s5CrJBvNNWZ-09pRoZWFGda3daebHKzY0iXuJBFB4etK7ucdRUXsHFA7WLsdq9TsYlnGmYoAfno5IOYIl3OSn58tnhbl4dfEdnq4OIA4yyeUBgkQtGzXDVJKdoG0dditp6ajZMO6CVrQRzYZeCyiKIOcTsYozuGz1GWk7f2JQ28K7iNQ?testcase_id=5664180796653568


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by ClusterFuzz, Jan 31 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5664180796653568 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 12 by sheriffbot@chromium.org, Jan 31 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-57

Comment 14 by sheriffbot@chromium.org, Feb 13 2017

Labels: -Merge-Request-57 Hotlist-Merge-Review Merge-Review-57
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@, is this good for M57 merge?
govind@ - yep, good for 57
Labels: -Merge-Review-57 Merge-Aprpoved-57
Approving merge to M57 branch 2987 based on comment #16. 
Please merge your change to M57 branch 2987 by 4:00 PM PT tomorrow, Tuesday (02/14), so we can pick it up for this week's beta release. Thank you.
Labels: -Merge-Aprpoved-57 Merge-Approved-57
Please merge your change to M57 branch 2987 before 5:00 PM PT Friday (02/17), so we can pick it up for next week's Beta release. Thank you.

Comment 20 by hubbe@chromium.org, Feb 16 2017

An ffmpeg DEP roll would roll in a whole lot of ffmpeg changes; that seems like a bad idea to me.


hubbe@ - would it be possible to cherry pick the change into the 57 branch in ffmpeg? 

Comment 22 by hubbe@chromium.org, Feb 16 2017

I think so, but I'm not sure. Either way, I don't think I have time to do it by 4pm tomorrow as I'm not going to be in the office tomorrow.

re #22, if the merge happens before 4:00 PM PT Tuesday (02/21), that is also fine. Thank you.

Comment 24 by sheriffbot@chromium.org, Feb 17 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge your change to M57 branch 2987 before 5:00 PM PT Monday (02/20), so we can pick it up for next week's Beta release. Thank you.

Comment 26 by sheriffbot@chromium.org, Feb 20 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge your change to M57 branch 2987 by 5:00 PM PT Tuesday (02/21), so we can pick it up for this week's beta release. Thank you.
Labels: -Hotlist-Merge-Review -Security_Impact-Beta -ReleaseBlock-Stable -M-57 -Merge-Approved-57 Security_Impact-Stable M-58
Per email, we're not going to take this in 57
Labels: Release-0-M58

Comment 30 by sheriffbot@chromium.org, May 9 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
