Integer-overflow in ff_dct32_fixed
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6625875973111808
Fuzzer: libFuzzer_mediasource_MP3_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  ff_dct32_fixed
  ff_mpa_synth_filter_fixed
  mp_decode_frame
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6625875973111808

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 28 2017
Aug 28 2017
I don't seem to have access to the details of this issue, so I cannot comment: "You (email=michaelni@gmx.at) are not authorized to access this page!"
Aug 29 2017
Aug 29 2017
This is not specific to Chrome MSE:
* running the same case through a UBsan version of plain media_pipeline_integration_fuzzer repros the same error, and
* --toolchain=clang-usan version of tip-of-tree ffplay on the test file does *NOT* repro this error
* --toolchain=clang-usan version of ffplay from last Chrome ffmpeg roll (8ef2c791c99e7c103782e889e2bca2f6e13a07be) *does* reproduce this issue.

--> chcunningham for making certain this is fixed in next FFmpeg roll (or sooner), cc+=dalecurtis
Aug 29 2017
Here's the stack trace and sample Michael:

    #0 0xebb5e0 in ff_dct32_fixed third_party/ffmpeg/libavcodec/dct32_template.c:154:5
    #1 0xc61326 in ff_mpa_synth_filter_fixed third_party/ffmpeg/libavcodec/mpegaudiodsp_template.c:188:5
    #2 0xc572c7 in mp_decode_frame third_party/ffmpeg/libavcodec/mpegaudiodec_template.c:1636:13
    #3 0xc55a6e in decode_frame third_party/ffmpeg/libavcodec/mpegaudiodec_template.c:1697:11
    #4 0xafca84 in decode_simple_internal third_party/ffmpeg/libavcodec/decode.c:416:15
    #5 0xafc822 in decode_simple_receive_frame third_party/ffmpeg/libavcodec/decode.c:619:15
    #6 0xaf9ff8 in decode_receive_frame_internal third_party/ffmpeg/libavcodec/decode.c:637:15
    #7 0xaf9a24 in avcodec_send_packet third_party/ffmpeg/libavcodec/decode.c:677:15
    #8 0xafa24f in compat_decode third_party/ffmpeg/libavcodec/decode.c:732:15
Aug 29 2017
Maybe a1cbf53c566b84a5974f516076cbc36c188f6d08 is fixing this, but reverting it didn't reproduce the issue on ffmpeg HEAD.
Oct 11 2017
ClusterFuzz has detected this issue as fixed in range 507845:507865.

Detailed report: https://clusterfuzz.com/testcase?key=6625875973111808
Fuzzer: libFuzzer_mediasource_MP3_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  ff_dct32_fixed
  ff_mpa_synth_filter_fixed
  mp_decode_frame
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=507845:507865
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6625875973111808

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 11 2017
ClusterFuzz testcase 6625875973111808 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 11 2017
Looks fixed by the m63 roll (commit 49e240c638f34c4a456fc2c80697161aeb23548c).
Comment 1 by msrchandra@chromium.org, Aug 28 2017
Labels: M-62 Test-Predator-Wrong-CLs
Status: Assigned (was: Untriaged)