New issue
Advanced search Search tips

Issue 772874 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in media::mp4::TrackRunIterator::cts

Project Member Reported by ClusterFuzz, Oct 9 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5486952882372608

Fuzzer: libFuzzer_mediasource_MP4_AACLC_AVC_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::mp4::TrackRunIterator::cts
  media::mp4::MP4StreamParser::EnqueueSample
  media::mp4::MP4StreamParser::Parse
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=499820:499882

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5486952882372608

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 9 2017

Components: Internals>Media
Labels: Test-Predator-AutoComponents
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Oct 9 2017

Labels: Test-Predator-AutoOwner
Owner: wolenetz@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2ad785825859b6be6964d484a1d6a5f3f2c2ded5 (MSE: Expand pipeline integration fuzzer mimetype/codec coverage).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Cc: dalecur...@chromium.org wolenetz@chromium.org
Components: -Internals>Media Internals>Media>Source
Labels: M-64
Owner: sande...@chromium.org
=> sandersd@ this is another similar to the one(s) you fixed partially previously.

Maybe take a look also at things like base::CheckMul, base::CheckAdd, .AssignIfValid, etc. (see https://chromium-review.googlesource.com/699522)

Perhaps return parse failure if there's something representable in ISO-BMFF spec, but whose intermediate values go out of range of int64_t.

This issue doesn't seem to merit merge of a fix back to M63 though; update if you disagree.
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1e66d75fc7625443060e170f5cebac650d3e16fb

commit 1e66d75fc7625443060e170f5cebac650d3e16fb
Author: Dan Sanders <sandersd@chromium.org>
Date: Wed Oct 18 02:37:12 2017

[media] Check for overflow in TrackRunIterator::cts().

This CL moves the CTS computation to AdvanceSample(), which now returns
a bool. Callers have been updated to fail when AdvanceSample() fails.

Bug:  772874 
Change-Id: I1215f6a259eff310b964e1899be4e4138ff34087
Reviewed-on: https://chromium-review.googlesource.com/722164
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Dan Sanders <sandersd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509664}
[modify] https://crrev.com/1e66d75fc7625443060e170f5cebac650d3e16fb/media/formats/mp4/mp4_stream_parser.cc
[modify] https://crrev.com/1e66d75fc7625443060e170f5cebac650d3e16fb/media/formats/mp4/track_run_iterator.cc
[modify] https://crrev.com/1e66d75fc7625443060e170f5cebac650d3e16fb/media/formats/mp4/track_run_iterator.h

Project Member

Comment 5 by ClusterFuzz, Oct 18 2017

ClusterFuzz has detected this issue as fixed in range 509419:509669.

Detailed report: https://clusterfuzz.com/testcase?key=5486952882372608

Fuzzer: libFuzzer_mediasource_MP4_AACLC_AVC_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  media::mp4::TrackRunIterator::cts
  media::mp4::MP4StreamParser::EnqueueSample
  media::mp4::MP4StreamParser::Parse
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=499820:499882
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=509419:509669

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5486952882372608

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Oct 18 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5486952882372608 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner

Sign in to add a comment