Indirect-leak in av_realloc_f |
|||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5543269835735040 Fuzzer: libFuzzer_mediasource_WEBM_VORBIS_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Indirect-leak Crash Address: Crash State: av_realloc_f alloc_table build_table Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=499800:499873 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5543269835735040 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 16 2017
Looking at the trace, it is happening in libavcodec/libavutil (via ffmpeg). Forwarding to FFmpeg so people familiar with the code can take a look.
,
Oct 16 2017
Chris can you identify if this is new or not with the roll and fix if so?
,
Oct 19 2017
Will do.
,
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid.
,
Nov 29 2017
Fixed in M64 roll per stats on CF. I've clicked redo on fixed. I don't think we can merge a patch for M63, but this isn't high priority.
,
Dec 6 2017
ClusterFuzz testcase 5543269835735040 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
,
Dec 6 2017
Not fixed after all I guess.
,
Jan 12 2018
Note: This issue continues to reproduce after the M65 FFmpeg roll. (Note to whoever is picking this up: make sure to set ASAN_OPTIONS as specified.)
,
Mar 1 2018
,
Mar 5 2018
I have a local repro on rodete (configure --toolchain=clang-asan) with the specific ASAN_OPTIONS. Note: upstream ffplay rejects the repro case early, so we'll probably need to figure this out downstream and then upstream the fix if possible.
,
Mar 6 2018
Downstream fix is in review: https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/950227
,
Mar 6 2018
@#12, to get a better initial review, I'll send my fix upstream first.
,
Mar 6 2018
Upstreaming attempt started: https://patchwork.ffmpeg.org/patch/7818/
,
Mar 7 2018
ClusterFuzz testcase 5543269835735040 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 7 2018
This is not yet fixed downstream. Upstream took my patch verbatim. Upstream https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b59b59944693e645cdcf5e61b60f288820fe48c3 should fix this during the M67 roll tracked by bug 803898 .
,
Mar 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720 commit 3a1d00c3ef1de6fcc959696e2a1ff11f901e4720 Author: Matt Wolenetz <wolenetz@chromium.org> Date: Thu Mar 15 22:54:10 2018 Roll src/third_party/ffmpeg/ 4468d4967..02ec9ce5a (389 commits) https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/4468d4967f5d..02ec9ce5a9bc $ git log 4468d4967..02ec9ce5a --date=short --no-merges --format='%ad %ae %s' 2018-03-13 wolenetz Updating build configs for M67 roll. 2018-03-13 wolenetz Update build_ffmpeg.py's sysroot name for M67 2018-03-13 wolenetz Remove deprecated av_register_all from ffmpeg.sigs 2018-03-13 wolenetz Copy [de]muxer, codec and parser lists into configs 2018-03-12 wolenetz Update chromium patches README 2018-03-12 vdixit avformat/hlsenc: fix for zero EXTINF tag duration 2018-03-12 matthieu.bouron avcodec/mediacodecdec_common: make INFO_TRY_AGAIN trace messages more consistent 2018-03-10 aman avcodec/mediacodecdec: add debug logging around hw buffer lifecycle 2018-02-27 michael avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it 2018-02-27 michael avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg (...) Created with: roll-dep src/third_party/ffmpeg Includes removal of FFmpegGlue::InitializeFFmpeg() because av_register_all is no longer needed (and is deprecated in FFmpeg). BUG= 803898 , 772699 , 786793 , 791237 , 791349 , 795653 , 796778 , 800123 , 817338 Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Change-Id: I94ccecab95831174a3bae6e9a8422e10bfec8e85 Reviewed-on: https://chromium-review.googlesource.com/964248 Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Reviewed-by: Xiaohan Wang <xhwang@chromium.org> Reviewed-by: Sergey Ulanov <sergeyu@chromium.org> Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org> Cr-Commit-Position: refs/heads/master@{#543531} [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/DEPS [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/content/renderer/media/webrtc/peer_connection_dependency_factory.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/cdm/library_cdm/clear_key_cdm/clear_key_cdm.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/ffmpeg/ffmpeg_common_unittest.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_audio_decoder.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.h [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder_unittest.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/gpu/video_encode_accelerator_unittest.cc
,
Mar 21 2018
ClusterFuzz has detected this issue as fixed in range 543528:543541. Detailed report: https://clusterfuzz.com/testcase?key=5543269835735040 Fuzzer: libFuzzer_mediasource_WEBM_VORBIS_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Indirect-leak Crash Address: Crash State: av_realloc_f alloc_table build_table Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=499800:499873 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=543528:543541 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5543269835735040 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 24 2018
|
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by pnangunoori@chromium.org
, Oct 9 2017Components: Blink>HTML>Table
Labels: M-63 CF-NeedsTriage Test-Predator-Wrong