Bad-cast to media::MediaLog from invalid vptr;media::LogHelper::~LogHelper;media::ADTSStreamParser::ParseFrameHeader
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6737055163088896

Fuzzer: libfuzzer_es_parser_adts_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000001478800
Crash State:
  Bad-cast to media::MediaLog from invalid vptr
  media::LogHelper::~LogHelper
  media::ADTSStreamParser::ParseFrameHeader

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=465731:465771

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95gQN3cKIVMQOy8lusK6XXfyv12mLo48XYU_GZdmjHft2I5rU4OYl_fC5tYaDa5xfnBTuEgRzi5pP2qCAZz0D_hFkV8_KGrupwUzWDn8cbz0naPQXvhUC58SAbehtybKmoIbQGTD0tkRCrvEXxay1UlUSxlE1-hBDLyoQgq4YqSMkOZ4NNoCtZrqXA2ylxMxxnAt-8_Vh2lYqyJ28rT5vxIMTDq9IP1Ppp26F2DvW4VWdKQztdcmsZUNTBuRfOcove3MUEP6yKilDBNP80hTIL0NaBiRE2_N1r18WPNCgURnvozI4T-xAXnRNO0juGZ0XHrouoER69YYyrtHH9Pwt6QT0lRl14gZKYVhD9Qxp61EHlHd9w?testcase_id=6737055163088896

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Apr 20 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 21 2017
dalecurtis: Can you please take a look? https://chromium.googlesource.com/chromium/src/+/9cddc0b9cd174242d365e9d64615687384b73c89 is in the regression range and seems related.
Apr 21 2017
Ah, looks like we don't initialize the media_log_ variable anymore. Fix coming.
Apr 21 2017
This code is Chromecast only, not sure how to tag that though; fix in just a min, but changing labels to reflect non-beta channel release
Apr 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/33317059948e1bc31d86c5918fba4bab0a62a373

commit 33317059948e1bc31d86c5918fba4bab0a62a373
Author: dalecurtis <dalecurtis@chromium.org>
Date: Sat Apr 22 02:54:18 2017

Initialize the media_log_ pointer in MPEGStreamParserBase.

The ADTSStreamParser is used without initialization, so it doesn't have a valid media_log, it null checks this -- but since a recent change moved MediaLog from a ref ptr to raw we missed initializing it.

BUG=713515
TEST=none

Review-Url: https://codereview.chromium.org/2829343002
Cr-Commit-Position: refs/heads/master@{#466530}

[modify] https://crrev.com/33317059948e1bc31d86c5918fba4bab0a62a373/media/formats/mpeg/mpeg_audio_stream_parser_base.cc
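The regression the commit above describes, as an added C++ illustration (not Chromium's code; MediaLog, LogHelper, Init() and the two parser base classes are hypothetical stand-ins): retyping a ref-counted pointer member as a raw pointer silently drops the null-by-default guarantee that the null check in ~LogHelper relied on, and a default member initializer restores it.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-ins for media::MediaLog and media::LogHelper
// (added illustration, not Chromium's code).
struct MediaLog {
  std::vector<std::string> events;
  virtual ~MediaLog() = default;
  virtual void AddEvent(const std::string& e) { events.push_back(e); }
};

// LogHelper pattern: buffer a message, emit it on destruction only if a log is
// attached. That null check is all that guards the virtual call on media_log_.
class LogHelper {
 public:
  explicit LogHelper(MediaLog* log) : media_log_(log) {}
  ~LogHelper() { if (media_log_) media_log_->AddEvent(msg_); }
  LogHelper& operator<<(const std::string& s) { msg_ += s; return *this; }
 private:
  MediaLog* media_log_;
  std::string msg_;
};

// Before the fix: the member used to be a ref-counted pointer, null by default.
// Retyped as a raw pointer with no initializer it is indeterminate whenever the
// parser is constructed without Init(), so ~LogHelper's check sees garbage.
class ParserBaseBefore {
 protected:
  MediaLog* media_log_;  // indeterminate until Init() runs; the regression
};

// After the fix: a default member initializer restores null-by-default.
class ParserBaseAfter {
 public:
  void Init(MediaLog* log) { media_log_ = log; }
  // Returns bytes consumed (the whole buffer; real parsing elided), or -1 on a
  // bad ADTS sync word (0xFFF in the first 12 bits), logging if a log exists.
  int ParseFrameHeader(const uint8_t* data, size_t size) {
    if (size < 7 || data[0] != 0xFF || (data[1] & 0xF0) != 0xF0) {
      LogHelper{media_log_} << "Invalid ADTS sync word";  // temp dies here
      return -1;
    }
    return static_cast<int>(size);
  }
  MediaLog* media_log() const { return media_log_; }
 protected:
  MediaLog* media_log_ = nullptr;  // safe even when Init() is never called
};
```

With the fixed class, a parser that never had Init() called still logs nothing and returns -1 on bad input instead of calling through an invalid vptr.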
Apr 24 2017
This was only on ToT for 4 days, definitely not in beta.
Aug 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot