Issue metadata
Sign in to add a comment
|
Negative-size-param in mov_read_trun |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4984092339994624 Fuzzer: inferno_flicker Job Type: windows_asan_chrome Platform Id: windows Crash Type: Negative-size-param Crash Address: Crash State: mov_read_trun mov_read_default mov_read_default Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=508814:508897 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4984092339994624 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 15 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 15 2017
,
Oct 18 2017
,
Oct 18 2017
,
Oct 18 2017
Guessing https://chromium.googlesource.com/chromium/src/+/5341599c0b2b5a74f62a7734d592d7faae9983c8 based on regression range. Feel free to re-assign as appropriate.
,
Oct 18 2017
Hmm, strange, will take a look today / tomorrow.
,
Oct 18 2017
+isasi since this file is doing bad things to the edit list. We end up with entries in the index table but no ctts entries. [mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000011880] overread end of atom 'elst' by 24576 bytes [mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000011880] AVIndex stream 0, sample 750, offset 6b1a, dts 120000, size 32, distance 0, keyframe 1, count: 0, size: 0 [mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000011880] Failed to add index entry [mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000011880] AVIndex stream 0, sample 752, offset 6b3a, dts 120160, size 32, distance 0, keyframe 1, count: 0, size: 0 [mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000011880] sample 752, count: 0, size: 469419 In this case the first ctts entry we see ends up going into sample position 752, while we expect these things to be 1:1; so where are the missing 752 ctts entries?
,
Oct 18 2017
Proposed fix here. WDYT isasi?
,
Oct 19 2017
There seems to be only 1 edit list in the file. But ffmpeg is detecting 2049 edit lists, because the entry_count field in the 'elst' atom wrongly says 2049. So we read other atoms data as edit lists. The file has no 'ctts' atoms so it shouldn't even be populating any ctts. We can check against the elst atom size to avoid reading wrong number of entries. I will try mailing a patch.
,
Oct 19 2017
Is it ok if we use the test file in the FATE samples for ffmpeg ?
,
Oct 19 2017
It's picking up the ctts from the trun, not a ctts box.
,
Oct 19 2017
Also thanks for looking!
,
Oct 19 2017
There seems to be no content in this one, so it's fine to add, but only after it's fixed in Chrome.
,
Oct 19 2017
sent a patch to ffmpeg. https://ffmpeg.org/pipermail/ffmpeg-devel/2017-October/218191.html
,
Oct 19 2017
Thanks! In case anyone else wonders about the sample attached to that thread, it's not the clusterfuzz test case.
,
Oct 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c51b738e66d2480237ed8e693200f923b97cd2bc commit c51b738e66d2480237ed8e693200f923b97cd2bc Author: Dale Curtis <dalecurtis@chromium.org> Date: Fri Oct 20 17:38:41 2017 Roll src/third_party/ffmpeg/ 3098b6a24..e4859f909 (2 commits) https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/3098b6a24547..e4859f9094f2 $ git log 3098b6a24..e4859f909 --date=short --no-merges --format='%ad %ae %s' 2017-10-19 isasi lavf/mov.c: Fix parsing of edit list atoms with invalid elst entry count. 2017-10-16 dalecurtis Set start_pad correctly in mov_fix_index() Created with: roll-dep src/third_party/ffmpeg Bug: 775042 , 774821 Test: automatic test cases from listed bugs don't reproduce anymore. Change-Id: I4e5a8733afefd1dddd623b050d5ba0555b1d0947 Tbr: chcunningham Reviewed-on: https://chromium-review.googlesource.com/729219 Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Reviewed-by: Chrome Cunningham <chcunningham@chromium.org> Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Cr-Commit-Position: refs/heads/master@{#510480} [modify] https://crrev.com/c51b738e66d2480237ed8e693200f923b97cd2bc/DEPS
,
Oct 20 2017
,
Oct 20 2017
Edit lists are disabled in M63, so this shouldn't be an issue there.
,
Oct 20 2017
,
Oct 22 2017
,
Oct 26 2017
ClusterFuzz has detected this issue as fixed in range 510178:511643. Detailed report: https://clusterfuzz.com/testcase?key=4984092339994624 Fuzzer: inferno_flicker Job Type: windows_asan_chrome Platform Id: windows Crash Type: Negative-size-param Crash Address: Crash State: mov_read_trun mov_read_default mov_read_default Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=508814:508897 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=510178:511643 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4984092339994624 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 26 2017
ClusterFuzz testcase 4984092339994624 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 27 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Oct 15 2017