Adding some people to CC hoping to find an owner.

Hmm, code definitely seems wrong. It should not be assuming this is a WMPI object. +mcasas do you remember why it's safe to assume this is a WMPI object here?

HtmlVideoElementCapturerSource should not be created out of a 
WebMediaPlayerMS and that should be protected by the statement
in [1].

I can take a deeper look if deemed appropriate, but won't have
time for a few weeks.

Also, moving target to M-62 since this was all behind a flag
until this very morning: 
https://chromium-review.googlesource.com/c/544899/




[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/modules/mediacapturefromelement/HTMLMediaElementCapture.cpp?sq=package:chromium&dr&l=127

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

mcasas@ that code looks like it would allow creation with a WMPI if currentSrc is null?

mcasas, can you take a look at the question in C#9 and/or re-assign if not appropriate?  Thanks !!!

mcasas: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Niklase@ can you take a look please? (#9 is relevant) Thanks!

This might be related to issue 730365 as well which is a crash in the similar path. I will take a look.

I built it with below ubsan flags locally.
is_ubsan = true
is_ubsan_vptr = true
I ran it with the command below.
UBSAN_OPTIONS=external_symbolizer_path=/work/chromium/src/third_party/llvm-build/Release+Asserts/bin/llvm-symbolizer:print_stacktrace=1:symbolize=1:print_summary=1 ./out/Release/chrome > out.txt 2>&1

I can't reproduce the same results ubsan bot got with the minimized test case provided. Minimized test case page doesn't even complete loading tbh. Unminimized testcase properly loads but doesn't provide the similar stack, see attached. I am rerunning the fuzzer in the meantime.

I agree with dalecurtis@ suggestion. That looks like a missing case that would allow Mediastream objects. I made a patch that covers these cases: https://chromium-review.googlesource.com/c/chromium/src/+/634516

Deleted: ubsan_logs.txt 59.9 KB

ubsan_logs.txt 59.9 KB View Download

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0c6478f24f6bd0843e166aed9da19481c24d5af8

commit 0c6478f24f6bd0843e166aed9da19481c24d5af8
Author: Emircan Uysaler <emircan@chromium.org>
Date: Fri Aug 25 02:55:11 2017

Avoid MediaStream objects without src in HTMLVideoElementCapturer

This CL changes the check to cover elements without a source in
HTMLVideoElementCapturer.

Bug:  749851 
Change-Id: I2dffec6e44aa496afb370dd79f0cf35e5f8af28a
Reviewed-on: https://chromium-review.googlesource.com/634516
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Emircan Uysaler <emircan@chromium.org>
Commit-Queue: Emircan Uysaler <emircan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497307}
[modify] https://crrev.com/0c6478f24f6bd0843e166aed9da19481c24d5af8/third_party/WebKit/Source/modules/mediacapturefromelement/HTMLMediaElementCapture.cpp

ClusterFuzz has detected this issue as fixed in range 497300:497315.

Detailed report: https://clusterfuzz.com/testcase?key=5889881367904256

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x3dacfb6a1788
Crash State:
  Bad-cast to media::WebMediaPlayerImpl from base class subobject at offset 8
  content::HtmlVideoElementCapturerSource::CreateFromWebMediaPlayerImpl
  content::RendererBlinkPlatformImpl::CreateHTMLVideoElementCapturer
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=455091:455392
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=497300:497315

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5889881367904256

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5889881367904256 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot