Issue metadata
Sign in to add a comment
|
Bad-cast to const media::mp4::VideoSampleEntry from invalid vptr;media::mp4::TrackRunIterator::Init;media::mp4::MP4StreamParser::ParseMoof |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5774935846027264 Fuzzer: libFuzzer_mediasource_MP4_AVC1_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Bad-cast Crash Address: 0x3bba1b2f8cf0 Crash State: Bad-cast to const media::mp4::VideoSampleEntry from invalid vptr media::mp4::TrackRunIterator::Init media::mp4::MP4StreamParser::ParseMoof Sanitizer: undefined (UBSAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5774935846027264 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Aug 29 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 29 2017
,
Aug 29 2017
,
Aug 29 2017
wolenetz: do you mind taking a look at this? I didn't see anything obvious wrong
,
Aug 29 2017
This looks very much like an issue resulting from the same cause as that underlying bug 759294 . ==> kqyang@, assign back to me if you disagree. Thanks!
,
Aug 29 2017
Yes. It is the same issue. My patch fixes this bug as well: https://chromium-review.googlesource.com/c/chromium/src/+/641405.
,
Aug 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d932417fc75bf2d07e1009268e1765a8992c01af commit d932417fc75bf2d07e1009268e1765a8992c01af Author: KongQun Yang <kqyang@chromium.org> Date: Tue Aug 29 23:09:30 2017 Fix sample description index check off by one error Bug: 759294 Bug: 760049 Change-Id: I4008650d6c2aac3be0c0fc9b39e4e8a4e5fc9779 Reviewed-on: https://chromium-review.googlesource.com/641405 Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org> Commit-Queue: Kongqun Yang <kqyang@chromium.org> Cr-Commit-Position: refs/heads/master@{#498274} [modify] https://crrev.com/d932417fc75bf2d07e1009268e1765a8992c01af/media/formats/mp4/track_run_iterator.cc
,
Aug 29 2017
IMHO, this will be needed ASAP in M61 too. kqyang@, please plan, request (after CF confirms fixed and bakes in Canary 24hrs) and do the merge (assuming it gets approved). cc+=govind@ accordingly
,
Aug 29 2017
+ awhalley@ (Security TPM for merge review)
,
Aug 30 2017
ClusterFuzz has detected this issue as fixed in range 498244:498306. Detailed report: https://clusterfuzz.com/testcase?key=5774935846027264 Fuzzer: libFuzzer_mediasource_MP4_AVC1_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Bad-cast Crash Address: 0x3bba1b2f8cf0 Crash State: Bad-cast to const media::mp4::VideoSampleEntry from invalid vptr media::mp4::TrackRunIterator::Init media::mp4::MP4StreamParser::ParseMoof Sanitizer: undefined (UBSAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=498244:498306 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5774935846027264 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 30 2017
ClusterFuzz testcase 5774935846027264 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 30 2017
,
Aug 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2a13f4e301f18dac91405b628d82d0d4c4a5d5b0 commit 2a13f4e301f18dac91405b628d82d0d4c4a5d5b0 Author: KongQun Yang <kqyang@chromium.org> Date: Thu Aug 31 17:52:15 2017 Fix sample description index check off by one error TBR=kqyang@chromium.org (cherry picked from commit d932417fc75bf2d07e1009268e1765a8992c01af) Bug: 759294 Bug: 760049 Change-Id: I4008650d6c2aac3be0c0fc9b39e4e8a4e5fc9779 Reviewed-on: https://chromium-review.googlesource.com/641405 Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org> Commit-Queue: Kongqun Yang <kqyang@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#498274} Reviewed-on: https://chromium-review.googlesource.com/646079 Reviewed-by: Kongqun Yang <kqyang@chromium.org> Cr-Commit-Position: refs/branch-heads/3163@{#1034} Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528} [modify] https://crrev.com/2a13f4e301f18dac91405b628d82d0d4c4a5d5b0/media/formats/mp4/track_run_iterator.cc
,
Oct 5 2017
,
Dec 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Aug 29 2017