New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 759478 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in ff_dct32_fixed

Project Member Reported by ClusterFuzz, Aug 28 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6625875973111808

Fuzzer: libFuzzer_mediasource_MP3_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  ff_dct32_fixed
  ff_mpa_synth_filter_fixed
  mp_decode_frame
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6625875973111808

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: msrchandra@chromium.org mich...@niedermayer.cc
Labels: M-62 Test-Predator-Wrong-CLs
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using Code Search for the file, "dct32_template.c", adding the concern owner in cc.

Suspecting Commit#
https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+/15ccaa344c4f645ae791aafecdef3d886e196127

@michael -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Status: Available (was: Assigned)

Comment 3 by michae...@gmx.at, Aug 28 2017

I dont seem to have access to the details of this issue so i cannot comment
"You (email=michaelni@gmx.at) are not authorized to access this page!"

Comment 4 by mmoroz@chromium.org, Aug 29 2017

Cc: wolenetz@chromium.org mmoroz@chromium.org
Cc: dalecur...@chromium.org
Components: Internals>Media>FFmpeg
Owner: chcunningham@chromium.org
Status: Assigned (was: Available)
This is not specific to Chrome MSE:
* running the same case through a UBsan version of plain media_pipeline_integration_fuzzer repros the same error, and
* --toolchain=clang-usan version of tip-of-tree ffplay on the test file does *NOT* repro this error
* --toolchain=clang-usan version of ffplay from last Chrome ffmpeg roll (8ef2c791c99e7c103782e889e2bca2f6e13a07be) *does* reproduce this issue.

--> chcunningham for making certain this is fixed in next FFmpeg roll (or sooner), cc+=dalecurtis


Here's the stack trace and sample Michael:

#0 0xebb5e0 in ff_dct32_fixed third_party/ffmpeg/libavcodec/dct32_template.c:154:5
#1 0xc61326 in ff_mpa_synth_filter_fixed third_party/ffmpeg/libavcodec/mpegaudiodsp_template.c:188:5
#2 0xc572c7 in mp_decode_frame third_party/ffmpeg/libavcodec/mpegaudiodec_template.c:1636:13
#3 0xc55a6e in decode_frame third_party/ffmpeg/libavcodec/mpegaudiodec_template.c:1697:11
#4 0xafca84 in decode_simple_internal third_party/ffmpeg/libavcodec/decode.c:416:15
#5 0xafc822 in decode_simple_receive_frame third_party/ffmpeg/libavcodec/decode.c:619:15
#6 0xaf9ff8 in decode_receive_frame_internal third_party/ffmpeg/libavcodec/decode.c:637:15
#7 0xaf9a24 in avcodec_send_packet third_party/ffmpeg/libavcodec/decode.c:677:15
#8 0xafa24f in compat_decode third_party/ffmpeg/libavcodec/decode.c:732:15

clusterfuzz-testcase-minimized-6625875973111808
156 bytes View Download

Comment 7 by michae...@gmx.at, Aug 29 2017

Maybe a1cbf53c566b84a5974f516076cbc36c188f6d08 is fixing this, but reverting it didnt reproduce the issue on ffmpeg HEAD
Project Member

Comment 8 by ClusterFuzz, Oct 11 2017

ClusterFuzz has detected this issue as fixed in range 507845:507865.

Detailed report: https://clusterfuzz.com/testcase?key=6625875973111808

Fuzzer: libFuzzer_mediasource_MP3_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  ff_dct32_fixed
  ff_mpa_synth_filter_fixed
  mp_decode_frame
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=507845:507865

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6625875973111808

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Oct 11 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6625875973111808 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Looks fixed by the m63 roll (commit 49e240c638f34c4a456fc2c80697161aeb23548c).

Sign in to add a comment