Issue 713515

Issue metadata

Status: Fixed
Closed: Apr 2017
OS: Linux
Pri: 1
Type: Bug-Security


Bad-cast to media::MediaLog from invalid vptr;media::LogHelper::~LogHelper;media::ADTSStreamParser::ParseFrameHeader

Reported by ClusterFuzz (Project Member), Apr 20 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6737055163088896

Fuzzer: libfuzzer_es_parser_adts_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000001478800
Crash State:
  Bad-cast to media::MediaLog from invalid vptr
  media::LogHelper::~LogHelper
  media::ADTSStreamParser::ParseFrameHeader
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=465731:465771

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95gQN3cKIVMQOy8lusK6XXfyv12mLo48XYU_GZdmjHft2I5rU4OYl_fC5tYaDa5xfnBTuEgRzi5pP2qCAZz0D_hFkV8_KGrupwUzWDn8cbz0naPQXvhUC58SAbehtybKmoIbQGTD0tkRCrvEXxay1UlUSxlE1-hBDLyoQgq4YqSMkOZ4NNoCtZrqXA2ylxMxxnAt-8_Vh2lYqyJ28rT5vxIMTDq9IP1Ppp26F2DvW4VWdKQztdcmsZUNTBuRfOcove3MUEP6yKilDBNP80hTIL0NaBiRE2_N1r18WPNCgURnvozI4T-xAXnRNO0juGZ0XHrouoER69YYyrtHH9Pwt6QT0lRl14gZKYVhD9Qxp61EHlHd9w?testcase_id=6737055163088896


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by sheriffbot@chromium.org (Project Member), Apr 20 2017

Labels: M-59

Comment 2 by sheriffbot@chromium.org (Project Member), Apr 20 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Apr 20 2017

Labels: Pri-1

Comment 4 by sheriffbot@chromium.org (Project Member), Apr 21 2017

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 5 by mea...@chromium.org, Apr 21 2017

Components: Blink>Media
Owner: dalecur...@chromium.org
Status: Assigned (was: Untriaged)
dalecurtis: Can you please take a look?

https://chromium.googlesource.com/chromium/src/+/9cddc0b9cd174242d365e9d64615687384b73c89 is in the regression range and seems related.

Ah, looks like we don't initialize the media_log_ variable anymore. Fix coming.

Labels: -ReleaseBlock-Beta -Security_Impact-Beta
This code is Chromecast only, not sure how to tag that though; fix in just a min, but changing labels to reflect non-beta channel release.

Components: -Blink>Media Internals>Media>Source

Comment 9 by bugdroid1@chromium.org (Project Member), Apr 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33317059948e1bc31d86c5918fba4bab0a62a373

commit 33317059948e1bc31d86c5918fba4bab0a62a373
Author: dalecurtis <dalecurtis@chromium.org>
Date: Sat Apr 22 02:54:18 2017

Initialize the media_log_ pointer in MPEGStreamParserBase.

The ADTSStreamParser is used without initialization, so it doesn't
have a valid media_log; it null-checks this -- but since a recent
change moved MediaLog from a ref ptr to a raw one we missed initializing it.

BUG=713515
TEST=none

Review-Url: https://codereview.chromium.org/2829343002
Cr-Commit-Position: refs/heads/master@{#466530}

[modify] https://crrev.com/33317059948e1bc31d86c5918fba4bab0a62a373/media/formats/mpeg/mpeg_audio_stream_parser_base.cc
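The commit message describes the whole mechanism: the member that used to be a ref-counted pointer (null until something is assigned to it) became a raw `MediaLog*` with no initializer, so a parser used before `Init()` handed indeterminate bits to `LogHelper`, whose null check passed and whose destructor then made a virtual call through an invalid vptr, which is what UBSan's vptr check reported as "Bad-cast to media::MediaLog from invalid vptr". The C++ below is an added illustration written for this page, not Chromium's code: the `MediaLog`, `LogHelper`, `CheckHeader` and parser classes, the single-byte frame-length field and the sample header bytes are all stand-ins constructed here. The before-fix class is included only for contrast and is never exercised, because reading its uninitialized member is undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Stand-in for media::MediaLog (constructed for this example). It is polymorphic,
// so each call through a MediaLog* dispatches via the object's vptr, which is
// exactly what UBSan's -fsanitize=vptr check validates before the call.
class MediaLog {
 public:
  virtual ~MediaLog() = default;
  virtual void AddLogEntry(const std::string& msg) = 0;
};

// Concrete sink that records entries so the outcome can be checked.
class RecordingMediaLog : public MediaLog {
 public:
  void AddLogEntry(const std::string& msg) override { entries.push_back(msg); }
  std::vector<std::string> entries;
};

// Stand-in for media::LogHelper: buffers a message and hands it to the log from
// its destructor. The null check only helps when "no log" is spelled nullptr.
class LogHelper {
 public:
  explicit LogHelper(MediaLog* log) : log_(log) {}
  ~LogHelper() {
    if (log_)
      log_->AddLogEntry(message_);  // virtual call through log_'s vptr
  }
  LogHelper& operator<<(const std::string& s) { message_ += s; return *this; }
 private:
  MediaLog* log_;
  std::string message_;
};

// Simplified header check shared by both parser variants. It verifies the 12-bit
// ADTS sync word (0xFFF) and the two zero layer bits, then treats byte 2 as the
// frame length (a simplification; the real 13-bit field spans bytes 3-5).
// Returns the length, 0 if more data is needed, or -1 for a bad header.
static int CheckHeader(const uint8_t* data, size_t size, MediaLog* log) {
  if (size < 3)
    return 0;
  if (data[0] != 0xFF || (data[1] & 0xF6) != 0xF0) {
    {
      LogHelper helper(log);
      helper << "Invalid ADTS sync word";
    }  // ~LogHelper runs here: with an indeterminate log this is the bad cast
    return -1;
  }
  return data[2];
}

// Pattern before the fix: the member moved from a ref-counted pointer (null by
// default) to a raw pointer and nothing initializes it, so a parser whose
// ParseFrameHeader runs before Init() hands leftover stack or heap bits to
// LogHelper; the null check passes and the destructor calls through an invalid
// vptr. Shown for contrast only; nothing below instantiates it.
class ParserBeforeFix {
 public:
  void Init(MediaLog* log) { media_log_ = log; }
  int ParseFrameHeader(const uint8_t* d, size_t n) { return CheckHeader(d, n, media_log_); }
 private:
  MediaLog* media_log_;  // no initializer: indeterminate until Init()
};

// Pattern after the fix: the pointer starts as nullptr, so a parser that is
// never Init()ed simply skips logging.
class ParserAfterFix {
 public:
  void Init(MediaLog* log) { media_log_ = log; }
  int ParseFrameHeader(const uint8_t* d, size_t n) { return CheckHeader(d, n, media_log_); }
 private:
  MediaLog* media_log_ = nullptr;
};

// Bad header, parser never Init()ed: rejected without any virtual call.
int ParseBadHeaderWithoutInit() {
  const uint8_t bad[] = {0x00, 0x00, 0x00};  // constructed sample input
  ParserAfterFix parser;
  return parser.ParseFrameHeader(bad, sizeof(bad));
}

// Bad header with a log attached: the rejection is logged exactly once.
int EntriesLoggedForBadHeader() {
  const uint8_t bad[] = {0x12, 0x34, 0x56};  // constructed sample input
  RecordingMediaLog log;
  ParserAfterFix parser;
  parser.Init(&log);
  parser.ParseFrameHeader(bad, sizeof(bad));
  return static_cast<int>(log.entries.size());
}

// Well-formed header (sync 0xFFF, MPEG-4 ID, layer 00, no CRC): returns byte 2.
int ParseGoodHeader() {
  const uint8_t good[] = {0xFF, 0xF1, 0x2A};  // constructed sample input
  ParserAfterFix parser;
  return parser.ParseFrameHeader(good, sizeof(good));
}
```

The fix here is an in-class initializer; the commit above does the equivalent in MPEGStreamParserBase. The point to take away is that a null check in the consumer cannot substitute for initialization at the owner: an indeterminate pointer is almost never exactly nullptr, so the check passes and the virtual call proceeds. Building the before-fix variant with `clang++ -fsanitize=vptr` and calling its `ParseFrameHeader` before `Init()` is how a report of the same shape as the crash state is produced; the fuzzer job (`libfuzzer_chrome_ubsan`) is simply that configuration run at scale.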

Comment 10 by sheriffbot@chromium.org (Project Member), Apr 22 2017

Labels: Security_Impact-Beta
Status: Fixed (was: Assigned)

Labels: -Security_Impact-Beta -M-59 Security_Impact-Head M-60
This was only on ToT for 4 days, definitely not in beta.

Comment 13 by sheriffbot@chromium.org (Project Member), Apr 25 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 14 by sheriffbot@chromium.org (Project Member), Aug 1 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
