
Issue 735593 link


Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Undefined-shift in webrtc::LowCutFilter::BiquadFilter::Process

Project Member Reported by ClusterFuzz, Jun 21 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5757150403231744

Fuzzer: libFuzzer_audio_processing_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  webrtc::LowCutFilter::BiquadFilter::Process
  webrtc::LowCutFilter::Process
  webrtc::AudioProcessingImpl::ProcessCaptureStreamLocked
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=481133:481204

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5757150403231744


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jun 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/9f789a4500bea5fde357227f20fa7554a2241880

commit 9f789a4500bea5fde357227f20fa7554a2241880
Author: Alex Loiko <aleloi@webrtc.org>
Date: Wed Jun 28 14:55:20 2017

LowCutFilter::BiqueadFilter::Process: Fix UBSan fuzzer bug

(left shift of negative value)


Bug: chromium:735593
Change-Id: I9f1165370d850456480fbb22ce2434bf933a420b
Reviewed-on: https://chromium-review.googlesource.com/552136
Commit-Queue: Alex Loiko <aleloi@google.com>
Reviewed-by: Per Åhgren <peah@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#18812}
[modify] https://crrev.com/9f789a4500bea5fde357227f20fa7554a2241880/webrtc/modules/audio_processing/low_cut_filter.cc

Comment 2 by aleloi@chromium.org, Jun 29 2017

Owner: aleloi@chromium.org
Status: Fixed (was: Untriaged)
Project Member

Comment 3 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 5757150403231744 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Comment 4 by aleloi@chromium.org, Jul 18 2017

Status: Started (was: Fixed)
Project Member

Comment 5 by bugdroid1@chromium.org, Jul 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/b5c1607e9286581bb63c8225df75e47aff8eae96

commit b5c1607e9286581bb63c8225df75e47aff8eae96
Author: Alex Loiko <aleloi@webrtc.org>
Date: Tue Jul 18 12:23:08 2017

UBSan fuzzer bug in LowCutFilter::BiqueadFilter::Process

The variable 'tmp_int32' in LowCutFilter::BiqueadFilter::Process can
be negative. This replaces a left shift with multiplication.

Bug: chromium:735593, chromium:743330
Change-Id: Idec7fbcc17495f7241eb4bea44920585740e3695
Reviewed-on: https://chromium-review.googlesource.com/575136
Commit-Queue: Alex Loiko <aleloi@webrtc.org>
Reviewed-by: Sam Zackrisson <saza@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#19074}
[modify] https://crrev.com/b5c1607e9286581bb63c8225df75e47aff8eae96/webrtc/modules/audio_processing/low_cut_filter.cc
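The bug class the commit above describes, as an added example that is not WebRTC's low_cut_filter.cc code: a checker for the operand conditions under which UBSan's shift check fires on `int32_t v << shift` (negative left operand, oversized count, or an unrepresentable result), beside the defined replacement the fix uses, a multiplication by 2^shift. The 64-bit intermediate and the saturation are assumptions of this example, not part of the WebRTC change.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

/* True when `v << shift` on an int32_t has undefined behaviour: a negative
   left operand (undefined in C and in C++ before C++20), a shift count at or
   above the 32-bit width, or a result that does not fit in int32_t. */
bool shift_left_is_undefined(int32_t v, unsigned shift) {
  if (shift >= 32) return true;
  if (v < 0) return true;                 /* the case the fuzzer hit */
  return v > (INT32_MAX >> shift);        /* magnitude would overflow */
}

/* Well-defined replacement for the shift: scale by 2^shift with a
   multiplication (defined for negative v) in a 64-bit intermediate, then
   saturate to int32_t. *saturated (may be NULL) reports whether clamping
   happened; shifts above 30 are rejected by returning 0 with saturated set. */
int32_t scale_pow2(int32_t v, unsigned shift, bool *saturated) {
  bool clamped = false;
  int64_t scaled = 0;
  if (shift > 30) {
    clamped = true;                       /* not a meaningful fixed-point scale */
  } else {
    scaled = (int64_t)v * ((int64_t)1 << shift);
    if (scaled > INT32_MAX) { scaled = INT32_MAX; clamped = true; }
    else if (scaled < INT32_MIN) { scaled = INT32_MIN; clamped = true; }
  }
  if (saturated) *saturated = clamped;
  return (int32_t)scaled;
}

int main(void) {
  /* Constructed sample intermediates, including the negative case. */
  const int32_t samples[] = { 1234, -1234, INT32_MAX / 2 + 1, INT32_MIN };
  const unsigned shift = 2;
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
    bool sat;
    int32_t r = scale_pow2(samples[i], shift, &sat);
    printf("v=%11d shift-UB=%d mul=%11d saturated=%d\n", samples[i],
           shift_left_is_undefined(samples[i], shift), r, sat);
  }
  return 0;
}
```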

Comment 6 by aleloi@chromium.org, Jul 18 2017

Status: Fixed (was: Started)
