Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5899178355195904

Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CalcInvArSpec
  WebRtcIsacfix_DecodeSpec
  WebRtcIsacfix_DecodeImpl

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96jmU0jkYsHm_DLmwc98gTcHeDnPBeaDR_udkythEz2pFZ2E0b8xgQoiTqSFMlMXiZtyi2X3ZkUSi4RF4vBwO3tB0dEdfiNOEIyQZ3ftg5nGZI6vbP6X8wnPDrkH1pdR3EcvZHqjfiaDimK8aTg6ray5K8kn4cM6Ope4O_vsyF7F3y5KjaMp0vP97b390oC1nIm11hLYwfLDSEBRScR9l1bGLMMIWFwy3jBMbKabCfalxGP65j3LoIw35EJJ5NE1Dn4lcc-s5lEva4Lt73eZapw18mgPq1cHgxEYeyo7pwOjMXOFsOnuEU8ufAxJ1VLpOSGFRTtKN8GaKDFTUBuG2W9IZWAe565nd_tn-Sm_kIBnYFVUK3WQD77LiXXgiiLJXutQusU0SCZ6ED6LpLeb9LHAZjB0g?testcase_id=5899178355195904

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Predator and CL did not provide any possible suspects. Using Code Search for the file "WebRtcIsacfix_DecodeImpl", assigning to the concerned owner. Suspecting commit https://chromium.googlesource.com/external/webrtc/trunk/webrtc.git/+/aeadeccda87cab07676143722ed95547c8c8d229

@kwiberg -- Could you please look into the issue? Kindly re-assign if this is not related to your changes. Thank you.
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/3a2c803dc341a2bc266effb07df9863c14a7aeaa

commit 3a2c803dc341a2bc266effb07df9863c14a7aeaa
Author: kwiberg <kwiberg@webrtc.org>
Date: Fri Mar 03 13:44:49 2017

Multiply in 64 bits to avoid overflow

A fuzzer run caused the operands of this multiplication to be 512 and 5000000, resulting in a product about 20% too large for int32_t. So change this from a 16x32->32 to a 16x32->64 multiplication. Since we right shift by 2 at the end, the end result will still fit in int32_t.

I also had to fix a few follow-on add/sub overflows found by the same fuzzer input once the multiplication was fixed. I chose to saturate these, since it wasn't just an intermediate value that overflowed.

BUG= chromium:693868
Review-Url: https://codereview.webrtc.org/2729573002
Cr-Commit-Position: refs/heads/master@{#17003}

[modify] https://crrev.com/3a2c803dc341a2bc266effb07df9863c14a7aeaa/webrtc/modules/audio_coding/codecs/isac/fix/source/entropy_coding.c
ClusterFuzz has detected this issue as fixed in range 454769:454770.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5899178355195904

Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  CalcInvArSpec
  WebRtcIsacfix_DecodeSpec
  WebRtcIsacfix_DecodeImpl

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=454769:454770

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96jmU0jkYsHm_DLmwc98gTcHeDnPBeaDR_udkythEz2pFZ2E0b8xgQoiTqSFMlMXiZtyi2X3ZkUSi4RF4vBwO3tB0dEdfiNOEIyQZ3ftg5nGZI6vbP6X8wnPDrkH1pdR3EcvZHqjfiaDimK8aTg6ray5K8kn4cM6Ope4O_vsyF7F3y5KjaMp0vP97b390oC1nIm11hLYwfLDSEBRScR9l1bGLMMIWFwy3jBMbKabCfalxGP65j3LoIw35EJJ5NE1Dn4lcc-s5lEva4Lt73eZapw18mgPq1cHgxEYeyo7pwOjMXOFsOnuEU8ufAxJ1VLpOSGFRTtKN8GaKDFTUBuG2W9IZWAe565nd_tn-Sm_kIBnYFVUK3WQD77LiXXgiiLJXutQusU0SCZ6ED6LpLeb9LHAZjB0g?testcase_id=5899178355195904

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
ClusterFuzz testcase 5899178355195904 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/a1896a649c9238af281a0e73dacbf981d0bc8e64

commit a1896a649c9238af281a0e73dacbf981d0bc8e64
Author: kwiberg <kwiberg@webrtc.org>
Date: Mon Mar 13 12:28:47 2017

iSAC fix entropy coder: Recently added DCHECK could in fact trigger

A DCHECK added in a recent bugfix, which asserted that a signed 64->32 bit cast did not overflow, has been found to not always pass. We fix this by saturating.

BUG= chromium:693868
Review-Url: https://codereview.webrtc.org/2746903002
Cr-Commit-Position: refs/heads/master@{#17209}

[modify] https://crrev.com/a1896a649c9238af281a0e73dacbf981d0bc8e64/webrtc/common_audio/signal_processing/include/spl_inl.h
[modify] https://crrev.com/a1896a649c9238af281a0e73dacbf981d0bc8e64/webrtc/modules/audio_coding/codecs/isac/fix/source/entropy_coding.c
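The arithmetic that the two commit messages above describe, as an added illustration rather than code from the WebRTC commits, using the commit's own operands 512 and 5000000: a UBSan-safe check that the 16x32->32 product no longer fits int32_t, the widened 16x32->64 multiply with the final right shift by 2, and the saturating 64->32 narrowing (plus saturating add/sub) that replaced the DCHECK. Function names are assumptions, not WebRTC's.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>

/* True if the 16x32->32 multiply a*b would overflow int32_t. The product
 * is formed in 64 bits, so the check itself never performs signed overflow
 * (the undefined behaviour UBSan flagged in CalcInvArSpec). */
bool mul16x32_would_overflow_int32(int16_t a, int32_t b) {
    int64_t p = (int64_t)a * b;
    return p > INT32_MAX || p < INT32_MIN;
}

/* Fix from the first commit: multiply 16x32->64, then the existing right
 * shift by 2. For 512 * 5000000 the shifted result fits int32_t again. */
int64_t mul16x32_64_rsft2(int16_t a, int32_t b) {
    return ((int64_t)a * b) >> 2;
}

/* Saturating 64->32 narrowing, the approach of the second commit, used
 * where the DCHECK on a plain cast was found to fail on fuzzer input. */
int32_t sat_w64_to_w32(int64_t v) {
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

/* Saturating 32-bit add/sub for the follow-on overflows the first commit
 * mentions: widen, operate, then narrow with saturation. */
int32_t sat_add_w32(int32_t a, int32_t b) {
    return sat_w64_to_w32((int64_t)a + b);
}
int32_t sat_sub_w32(int32_t a, int32_t b) {
    return sat_w64_to_w32((int64_t)a - b);
}

/* How far the 64-bit product exceeds INT32_MAX, as a truncated percentage;
 * for the fuzzer's operands this is the "about 20%" from the commit. */
int overshoot_percent(int16_t a, int32_t b) {
    int64_t p = (int64_t)a * b;
    if (p <= INT32_MAX) return 0;
    return (int)((p - INT32_MAX) * 100 / INT32_MAX);
}
```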
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/49cad02cf38dc54f8ba0bdab28c3dbd21f1d4e81

commit 49cad02cf38dc54f8ba0bdab28c3dbd21f1d4e81
Author: kwiberg <kwiberg@webrtc.org>
Date: Mon Apr 10 09:29:33 2017

Ignore some UBSan errors

They proved to be too difficult to fix properly, so we revert the saturation fixes that were done in https://codereview.webrtc.org/2729573002 and https://codereview.webrtc.org/2746903002, and ignore them instead.

BUG= webrtc:7307 , chromium:709364 , chromium:693868
Review-Url: https://codereview.webrtc.org/2809483002
Cr-Commit-Position: refs/heads/master@{#17612}

[modify] https://crrev.com/49cad02cf38dc54f8ba0bdab28c3dbd21f1d4e81/webrtc/common_audio/signal_processing/include/spl_inl.h
[modify] https://crrev.com/49cad02cf38dc54f8ba0bdab28c3dbd21f1d4e81/webrtc/modules/audio_coding/codecs/isac/fix/source/entropy_coding.c
Comment 1 by msrchandra@chromium.org, Feb 23 2017
Components: Blink>WebRTC
Labels: Test-Predator-Wrong-CLs M-57
Owner: kwiberg@chromium.org
Status: Assigned (was: Untriaged)