Issue 701640

Issue metadata

Status: Verified
Closed: Apr 2017
OS: Linux
Pri: 2
Type: Bug

Blocking: issue 698865

Integer-overflow in mov_metadata_creation_time

Project Member Reported by ClusterFuzz, Mar 15 2017

Issue description

Cc: wolenetz@chromium.org
Components: Internals>Media
Labels: Test-Predator-Wrong M-57
Owner: tguilbert@chromium.org
Status: Assigned (was: Untriaged)
Blocking: 698865

Comment 4 by bugdroid1@chromium.org, Apr 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/afe71350257c999a623d66d7f56e926552dc3737

commit afe71350257c999a623d66d7f56e926552dc3737
Author: Thomas Guilbert <tguilbert@chromium.org>
Date: Wed Apr 12 00:45:11 2017

Cherry-pick upstream USAN fixes

avformat/mov: Check creation_time for overflow

Fixes integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 39ee3ddff87a12e108fc4e0d36f756d0ca080472)

---

avformat/oggparsedaala: Do not leave an invalid value in gpshift

Fixes: undefined behavior

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 23ae3cc822915ede2bb4e85047ab46cc5bc71268)

---

avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE

This avoids an integer overflow
the solution matches oggparsevorbis.c and
45581ed15d2ad5955e24d809820c1675da68f500

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 679a315424e6ffaafd21ebf7a86108bd4e743793)

Bug: 701640, 700242, 702974
Change-Id: Ibcff00b7e137f2b07b062468ad42152dfd428a18
Reviewed-on: https://chromium-review.googlesource.com/475204
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>

[modify] https://crrev.com/afe71350257c999a623d66d7f56e926552dc3737/libavformat/mov.c
[modify] https://crrev.com/afe71350257c999a623d66d7f56e926552dc3737/libavformat/oggparsedaala.c
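
The mov change above adds an overflow check on creation_time before the value is used. The C below is an added example, not the ffmpeg or Chromium code: it parses the mvhd creation_time field (32-bit for box version 0, 64-bit for version 1, both big-endian, counting seconds since 1904-01-01) and only shifts it to the Unix epoch when neither that shift nor a later scaling to microseconds can overflow. The microsecond scaling and the rejection of negative values are assumptions about how libavformat consumes the field, and the sample box bodies are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Seconds between 1904-01-01 (QuickTime/MP4 epoch) and 1970-01-01 (Unix epoch). */
#define MAC_EPOCH_OFFSET 2082844800LL

/* Convert a raw creation_time to Unix seconds. Returns 0 on success, -EINVAL when
 * the value is negative or would overflow a later scaling to microseconds
 * (assumed here; libavformat keeps metadata timestamps in microseconds). */
int mov_creation_time_checked(int64_t raw, int64_t *unix_seconds)
{
    int64_t t;
    if (raw < 0)
        return -EINVAL;
    /* Shift epochs only when the result stays non-negative; never wrap around. */
    t = raw >= MAC_EPOCH_OFFSET ? raw - MAC_EPOCH_OFFSET : raw;
    if (t > INT64_MAX / 1000000)
        return -EINVAL;
    *unix_seconds = t;
    return 0;
}

/* Parse creation_time from an mvhd box body: byte 0 = version, bytes 1-3 = flags,
 * then a big-endian creation_time, 32-bit for version 0 or 64-bit for version 1. */
int mov_parse_creation_time(const uint8_t *body, size_t len, int64_t *out)
{
    if (len < 4)
        return -EINVAL;
    size_t width = body[0] == 0 ? 4 : body[0] == 1 ? 8 : 0;
    if (width == 0 || len < 4 + width)
        return -EINVAL;
    uint64_t raw = 0;
    for (size_t i = 0; i < width; i++)
        raw = (raw << 8) | body[4 + i];
    if (raw > (uint64_t)INT64_MAX)   /* would turn negative when cast to int64_t */
        return -EINVAL;
    return mov_creation_time_checked((int64_t)raw, out);
}

/* Convenience: Unix seconds, or INT64_MIN when the field is rejected. */
int64_t demo_creation_time(const uint8_t *body, size_t len)
{
    int64_t t;
    return mov_parse_creation_time(body, len, &t) == 0 ? t : INT64_MIN;
}

/* Constructed sample mvhd bodies (not taken from any real file). */
const uint8_t SAMPLE_V0[8] = { 0, 0, 0, 0, 0xD0, 0x9D, 0xC3, 0x00 };  /* 3500000000 s */
const uint8_t SAMPLE_V1_HUGE[12] = { 1, 0, 0, 0, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
```

With the version-0 sample the result is 1417155200 (2014-11-28 UTC); the version-1 sample carrying INT64_MAX is rejected instead of wrapping.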


Comment 5 by ClusterFuzz, Apr 12 2017

ClusterFuzz has detected this issue as fixed in range 463875:463909.

Detailed report: https://clusterfuzz.com/testcase?key=4649784087674880

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  mov_metadata_creation_time
  mov_read_mvhd
  mov_read_default
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=433019:433116
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=463875:463909

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96UXz1gZ_1-0lLe5TsrE4XrXD4rxm-MTxYbyxj84kEJbj_wM9WV0iX81uZLZZhd8cLoVuhAoRxF3VBJXr8hN0sbWXCicCLzGkexbVbYS2SqJb5DiOIFErPNJLJZaJax5o7bcXC13Ui5soTBIwnGSWSdx5ABSHmUtG7OPM0sEHrFaVcejeOk6TLavyrquiddmnCP05oByhJCQaE01F5SX9keHRhDC-jlTtvHeXcTp9PZJzs19ktI1YMG2GMQ03onbCg3iy8OHoyMA-4pXdvd4EDKI-nSABXx8ai9CvXzlxv73V-ePsffTs_IMChVC8mXid6RAsmiwjhXUBbyIZr86UphuPZuQGjslLVG24nqiFNOcb4Dq3Y?testcase_id=4649784087674880


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by ClusterFuzz, Apr 12 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4649784087674880 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.