
Issue 784216

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in WebRtcSpl_FilterARFastQ12

Project Member Reported by ClusterFuzz, Nov 12 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5914469531385856

Fuzzer: libFuzzer_neteq_signal_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  WebRtcSpl_FilterARFastQ12
  webrtc::Expand::Process
  webrtc::NetEqImpl::DoExpand
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=510927:510949

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5914469531385856

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 13 2017

Cc: henrik.lundin@webrtc.org markbrand@google.com
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Adding libFuzzer target for UlpFEC receiver. by markbrand@google.com - https://webrtc.googlesource.com/src/+/0c720505af2f645007b6d9646ddfa56efa64f403

NetEq: Fix an UBSan error by henrik.lundin@webrtc.org - https://webrtc.googlesource.com/src/+/8731176b922ad7d82d0407f2ac36d9f5396f9ac2

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Components: Blink>WebRTC>Audio
Owner: hlundin@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 3 by bugdroid1@chromium.org, Dec 7 2017

The following revision refers to this bug:
  https://webrtc.googlesource.com/src.git/+/6f54e7ab679fe13c62e33c969d3b75d6f71eb4eb

commit 6f54e7ab679fe13c62e33c969d3b75d6f71eb4eb
Author: Henrik Lundin <henrik.lundin@webrtc.org>
Date: Thu Dec 07 16:56:47 2017

Avoid integer-overflow in WebRtcSpl_FilterARFastQ12

Simply use int64_t instead of int32_t for two local variables.
This avoids integer-overflow in some rare cases.

Bug: chromium:784216
Change-Id: Ie96835d6dc04e338b157469b74ead29e8bd403dd
Reviewed-on: https://webrtc-review.googlesource.com/26580
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Commit-Queue: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21141}
[modify] https://crrev.com/6f54e7ab679fe13c62e33c969d3b75d6f71eb4eb/common_audio/signal_processing/filter_ar_fast_q12.c

Note: There was a slight performance regression for 32-bit platforms with this fix. See crbug.com/793226.
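The overflow class and the widened-accumulator fix, as an added example that is not part of the bug report or of WebRTC's code: a simplified Q12 AR filter whose name, shape and sample values are this note's own assumptions, not the project's. It accumulates in int64_t and counts how many output samples would have driven a 32-bit accumulator out of range on a constructed worst-case input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified Q12 autoregressive filter written for this note; it models the shape of
 * the bug and the fix, it is not WebRTC's WebRtcSpl_FilterARFastQ12. Coefficients are
 * Q12 (4096 == 1.0). Each product of two int16_t values fits in 32 bits, but the
 * running sum of several products need not, which is the signed overflow UBSan flags. */

/* Runs the filter with an int64_t accumulator (the width the fix adopted) and returns
 * how many output samples had an intermediate sum outside the int32_t range, i.e. how
 * many times a 32-bit accumulator would have overflowed on this input. */
size_t filter_ar_q12(const int16_t *in, int16_t *out, size_t len,
                     const int16_t *coef, size_t order) {
    size_t overflows = 0;
    for (size_t i = 0; i < len; i++) {
        int64_t acc = (int64_t)coef[0] * in[i];
        bool left_int32 = false;
        for (size_t j = 1; j < order && j <= i; j++) {
            acc -= (int64_t)coef[j] * out[i - j];   /* feedback from earlier outputs */
            if (acc > INT32_MAX || acc < INT32_MIN) left_int32 = true;
        }
        if (left_int32) overflows++;
        int64_t y = (acc + 2048) >> 12;              /* round, drop the Q12 scaling */
        if (y > INT16_MAX) y = INT16_MAX;            /* saturate instead of wrapping */
        if (y < INT16_MIN) y = INT16_MIN;
        out[i] = (int16_t)y;
    }
    return overflows;
}

/* Constructed worst case: full-scale input and three feedback taps of -8.0 in Q12. */
size_t demo_overflow_count(void) {
    enum { LEN = 8, ORDER = 4 };
    int16_t in[LEN], out[LEN];
    const int16_t coef[ORDER] = { 32767, -32768, -32768, -32768 };
    for (size_t i = 0; i < LEN; i++) in[i] = 32767;
    return filter_ar_q12(in, out, LEN, coef, ORDER);   /* 6 */
}

/* Constructed benign case: gain 1.0 and one tap of 0.5; returns out[1]. */
int16_t demo_benign_second_sample(void) {
    int16_t in[2] = { 1000, 1000 }, out[2];
    const int16_t coef[2] = { 4096, 2048 };
    filter_ar_q12(in, out, 2, coef, 2);
    return out[1];   /* 500 */
}
```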
Project Member

Comment 5 by ClusterFuzz, Dec 9 2017

ClusterFuzz has detected this issue as fixed in range 522890:522915.

Detailed report: https://clusterfuzz.com/testcase?key=5914469531385856

Fuzzer: libFuzzer_neteq_signal_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  WebRtcSpl_FilterARFastQ12
  webrtc::Expand::Process
  webrtc::NetEqImpl::DoExpand
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=510927:510949
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=522890:522915

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5914469531385856

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Dec 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5914469531385856 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
