Out-of-memory in libpng_progressive_read_fuzzer |
|||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4521226992353280 Fuzzer: libfuzzer_libpng_progressive_read_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Out-of-memory (exceeds 2048 MB) Crash Address: Crash State: libpng_progressive_read_fuzzer Sanitizer: memory (MSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=454875:454973 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94t2jSdW_e9WgjDoVoCVCjJ1YHDFscn0dsPY_qnBWba0auTGvvBDOLmpTDFvB1AkLaOoY4ksMLKrA72vvotnFH4l8a0FTjid9qBiPBu11k94-Nn7i7MFRSwKZudOa0feQ6rSrARVKEI3BGSDFyO2ybCSg6kP_AQO94quwr4RdRvmw7P107THu7myfXDf8BztwNTPWdXE_0v8r2zSl-bdxQo5pkwWy963o3rbmorCF8QC9q4GUZzongArGJ2UZsNNbv5zequTlD99S5bnmPnFGIGdlr7GnCQzNJICip77um39JtxIqvjIpn-hyUkYe1rxaplZc-9R-yaFMHtRD7ymNrgBiNRQdLGCclZjbtC7H1WByJN4BM?testcase_id=4521226992353280 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Mar 16 2017
> Through regression range suspected CL is > https://chromium.googlesource.com/chromium/src/+/11a3425fff09d249101f8fb0dcd9c00ddb80283b > scroggo@, could you please take a look?. > Thank you. That CL introduces the fuzzer, so it makes sense that it would be the first one to show this. This image reports dimensions of 8363 x 1, meaning libpng has to allocate 8363 x 8 (8 bits per pixel) = 66904 bytes per row. That is pretty big, but not going to go over the 2048 MB limit. The problem is there is an iCCP profile that reports to have a profile_length of 1879048662. This is obviously incorrect, since it is larger than the size of the chunk itself (276 bytes), but libpng tries to allocate all of this memory (~1.8 gigs) anyway.
,
Mar 19 2017
,
Mar 20 2017
,
Mar 20 2017
It would be good if the libpng fuzzers would stop filing bugs on OOM. Large images with corrupt/large chunks will cause libpng to allocate a lot of memory... there is nothing to fix here. I think it's good that the fuzzer runs with a memory limit - we at least avoid seeing OOM crashes. I just don't think it's a bug when we exceed this limit. Is there a way to go about changing when bugs are filed by the fuzzer?
,
Mar 20 2017
Yes, we already have some protections against large memory buffers allocation, e.g. https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc?l=55 or https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc?l=110 but they are not sufficient. I think we've discussed some ideas in issue 673082 , so we need to add more checks / limits to avoid OOMs. Unfortunately, this is the only reasonable option. Otherwise, the fuzzer will hit these OOMs too often (even if we disable OOM reporting), and will not discover new inputs and new bugs.
,
Apr 18 2017
ClusterFuzz has detected this issue as fixed in range 464964:465012. Detailed report: https://clusterfuzz.com/testcase?key=4521226992353280 Fuzzer: libfuzzer_libpng_progressive_read_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Out-of-memory (exceeds 2048 MB) Crash Address: Crash State: libpng_progressive_read_fuzzer Sanitizer: memory (MSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=454875:454973 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=464964:465012 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94t2jSdW_e9WgjDoVoCVCjJ1YHDFscn0dsPY_qnBWba0auTGvvBDOLmpTDFvB1AkLaOoY4ksMLKrA72vvotnFH4l8a0FTjid9qBiPBu11k94-Nn7i7MFRSwKZudOa0feQ6rSrARVKEI3BGSDFyO2ybCSg6kP_AQO94quwr4RdRvmw7P107THu7myfXDf8BztwNTPWdXE_0v8r2zSl-bdxQo5pkwWy963o3rbmorCF8QC9q4GUZzongArGJ2UZsNNbv5zequTlD99S5bnmPnFGIGdlr7GnCQzNJICip77um39JtxIqvjIpn-hyUkYe1rxaplZc-9R-yaFMHtRD7ymNrgBiNRQdLGCclZjbtC7H1WByJN4BM?testcase_id=4521226992353280 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mummare...@chromium.org
, Mar 15 2017Labels: Test-Predator-Wrong M-59
Owner: scroggo@chromium.org
Status: Assigned (was: Untriaged)