
Issue 700242

Issue metadata

Status: Verified
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue 698865




Integer-overflow in daala_packet

Project Member Reported by ClusterFuzz, Mar 10 2017

Issue description

Components: Internals>Media>FFmpeg
Labels: Test-Predator-Wrong-CLs M-57
Owner: wolenetz@chromium.org
Status: Assigned (was: Untriaged)
This is currently impacting Stable (57.0.2987.98) & Beta (57.0.2987.98).

Based on the latest changes made to the file "oggdec.c", suspecting the below.
https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+/f309edd7828e3ea500c2891187d15926690ddd27
wolenetz@: Could you please take a look at this.
Cc: dalecur...@chromium.org wolenetz@chromium.org
Owner: tguilbert@chromium.org
Blocking: 698865
Comment 4 by bugdroid1@chromium.org (Project Member), Apr 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/afe71350257c999a623d66d7f56e926552dc3737

commit afe71350257c999a623d66d7f56e926552dc3737
Author: Thomas Guilbert <tguilbert@chromium.org>
Date: Wed Apr 12 00:45:11 2017

Cherry-pick upstream USAN fixes

avformat/mov: Check creation_time for overflow

Fixes integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 39ee3ddff87a12e108fc4e0d36f756d0ca080472)

---

avformat/oggparsedaala: Do not leave an invalid value in gpshift

Fixes: undefined behavior

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 23ae3cc822915ede2bb4e85047ab46cc5bc71268)

---

avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE

This avoids an integer overflow
the solution matches oggparsevorbis.c and
45581ed15d2ad5955e24d809820c1675da68f500

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 679a315424e6ffaafd21ebf7a86108bd4e743793)

Bug: 701640, 700242, 702974
Change-Id: Ibcff00b7e137f2b07b062468ad42152dfd428a18
Reviewed-on: https://chromium-review.googlesource.com/475204
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>

[modify] https://crrev.com/afe71350257c999a623d66d7f56e926552dc3737/libavformat/mov.c
[modify] https://crrev.com/afe71350257c999a623d66d7f56e926552dc3737/libavformat/oggparsedaala.c
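An added illustration, not FFmpeg's or Chromium's code, of the two oggparsedaala checks the commit message above describes: the gpshift byte is validated before it is stored rather than after (so a rejected header leaves no invalid value behind for a later granule-position conversion to shift by), and the stream duration is tested against AV_NOPTS_VALUE before start_time is subtracted from it. AV_NOPTS_VALUE is FFmpeg's INT64_MIN sentinel; the struct layout, the one-byte header, the 32-bit bound on gpshift, the frame-count formula and all inputs are this example's own assumptions, constructed to exercise both paths. The mov.c creation_time check is not modelled.

```c
/* Added example, not FFmpeg's or Chromium's code. Models the two
 * oggparsedaala checks from the cherry-picked commits on constructed input.
 * Struct/header layout and the 32-bit gpshift bound are assumptions. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FFmpeg's "no timestamp" sentinel: INT64_MIN. Arithmetic on it overflows. */
#define AV_NOPTS_VALUE ((int64_t)UINT64_C(0x8000000000000000))

struct daala_params {
    int      gpshift;  /* low bits of the granule position holding the frame index */
    uint32_t gpmask;   /* (1 << gpshift) - 1 */
};

/* Pre-fix pattern: the byte is stored, then validated. The call fails, but a
 * later granule-position conversion still reads gpshift >= 32 from the struct
 * and shifts a 32-bit value by it, which is undefined behaviour. */
static int parse_gpshift_leaky(struct daala_params *p, const uint8_t *hdr, size_t len)
{
    if (len < 1)
        return -1;
    p->gpshift = hdr[0];
    if (p->gpshift >= 32)
        return -1;            /* error reported, invalid gpshift left behind */
    p->gpmask = (1U << p->gpshift) - 1;
    return 0;
}

/* Fixed pattern: validate a local copy, commit to the struct only if in range. */
static int parse_gpshift_checked(struct daala_params *p, const uint8_t *hdr, size_t len)
{
    int gpshift;
    if (len < 1)
        return -1;
    gpshift = hdr[0];
    if (gpshift >= 32)
        return -1;            /* struct untouched */
    p->gpshift = gpshift;
    p->gpmask  = (1U << gpshift) - 1;
    return 0;
}

/* Granule position -> frame count: keyframe index in the high bits plus
 * frame-within-interval in the low bits. Only safe once gpshift is in range. */
static int64_t gp_to_pts(const struct daala_params *p, uint64_t gp)
{
    uint64_t iframe = gp >> p->gpshift;
    uint64_t pframe = gp & p->gpmask;
    return (int64_t)(iframe + pframe);
}

/* Duration adjustment with the check the commit describes: an unknown duration
 * (AV_NOPTS_VALUE) is never used in arithmetic, and the subtraction itself is
 * overflow-checked portably. Returns 0 and sets *out, or -1. */
static int adjust_duration(int64_t duration, int64_t start_time, int64_t *out)
{
    if (duration == AV_NOPTS_VALUE)
        return -1;
    if ((start_time > 0 && duration < INT64_MIN + start_time) ||
        (start_time < 0 && duration > INT64_MAX + start_time))
        return -1;            /* duration - start_time would overflow */
    *out = duration - start_time;
    return 0;
}

/* Wrappers that exercise the above on constructed input. */
static int leaky_gpshift_after_bad_header(void)
{
    struct daala_params p = { 0, 0 };
    const uint8_t hdr[1] = { 40 };   /* constructed: out-of-range gpshift byte */
    (void)parse_gpshift_leaky(&p, hdr, sizeof hdr);
    return p.gpshift;                /* 40: invalid value survives the error */
}

static int checked_gpshift_after_bad_header(void)
{
    struct daala_params p = { 0, 0 };
    const uint8_t hdr[1] = { 40 };   /* same constructed header */
    (void)parse_gpshift_checked(&p, hdr, sizeof hdr);
    return p.gpshift;                /* 0: struct untouched */
}

static int64_t pts_for_constructed_granule(void)
{
    struct daala_params p = { 0, 0 };
    const uint8_t hdr[1] = { 6 };    /* constructed: 6-bit frame field */
    if (parse_gpshift_checked(&p, hdr, sizeof hdr) != 0)
        return -1;
    return gp_to_pts(&p, ((uint64_t)10 << 6) | 5);   /* keyframe 10, frame 5 -> 15 */
}

static int64_t adjusted_or_sentinel(int64_t duration, int64_t start_time)
{
    int64_t out;
    return adjust_duration(duration, start_time, &out) == 0 ? out : AV_NOPTS_VALUE;
}

int main(void)
{
    printf("leaky gpshift after bad header:   %d\n", leaky_gpshift_after_bad_header());
    printf("checked gpshift after bad header: %d\n", checked_gpshift_after_bad_header());
    printf("pts for constructed granule:      %" PRId64 "\n", pts_for_constructed_granule());
    printf("NOPTS duration rejected:          %d\n",
           adjusted_or_sentinel(AV_NOPTS_VALUE, 3) == AV_NOPTS_VALUE);
    return 0;
}
```

Built with -fsanitize=undefined, calling gp_to_pts on the struct left behind by parse_gpshift_leaky is exactly the kind of shift UBSan reports; the checked parser makes that state unreachable, and adjust_duration refuses both the sentinel and any genuine INT64 underflow rather than relying on the caller.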

Comment 5 by ClusterFuzz (Project Member), Apr 12 2017

ClusterFuzz has detected this issue as fixed in range 463875:463909.

Detailed report: https://clusterfuzz.com/testcase?key=6265286241288192

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  daala_packet
  ogg_packet
  ogg_get_length
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=410676:410915
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=463875:463909

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97BbNuW_rCtnS1HqiSWGqTeANCQP8mz7ftQYsBwtpWh7Icg0bVwHDJO5ii-f_ASnMMZmJ7oKzmPyYyRmDhh8vvDaGD4Rh1kuEKBjtjvAsLz67Ui7tpICoBDNUgtqOmMeyqrPU66Y72CQMmX6wyhd6nALzFo9G9p3hqEv5ZEp-OAzvwhNolHJMPLGZge4_uyD9s8jLaNU5vBsIwIsTMwWABhl1rry_fXTfbUrZeUzdGSQUntRX_EiW6uxhjXVRi7UQb73eQjEO0rMnL2kM9mFV-tZzyHti1oZ_rjeQyb1Mm6tTX4NV8Q8R0vhJYDTex8JN5QtXqNtmQ_LpKMhe6wRemD4gV7tOKpL2Y-HBl2xTVcD9qwWUI?testcase_id=6265286241288192


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz (Project Member), Apr 12 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6265286241288192 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
