
Issue 786269

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 777555




Null-dereference READ in get_current_frag_stream_info

Project Member Reported by ClusterFuzz, Nov 17 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4586319438413824

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000000c
Crash State:
  get_current_frag_stream_info
  mov_read_trun
  mov_read_default
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=515341:515403

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4586319438413824

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Cc: jstebb...@jetheaddev.com
Components: Blink>Media
Labels: M-64
Owner: wolenetz@chromium.org
Status: Assigned (was: Untriaged)
Test Predator has given the following results:

mov: fix decode of fragments that overlap in time by jstebbins@jetheaddev.com
Suspected changelist touched the crashing line in mov.c
Suspected changelist touched file(s) in the directory libavformat, which appears in the stack trace.
Suspected changelist touched file mov.c, which appears in the stack trace.


@wolenetz  -- Could you please look into this issue, as we were unable to assign to jstebbins@.

Thank You.
I cannot see the detailed report (not authorized to access page). Are you able to provide a stack trace that shows the line where the crash occurs?
Cc: wolenetz@chromium.org
Components: Internals>Media>FFmpeg
Owner: dalecur...@chromium.org
=> dalecurtis@ since this appears to be in FFmpeg and he's doing/done the most recent ffmpeg roll.
Blocking: 777555
The patch you posted to ffmpeg-devel@ resolves the issue. Thanks jstebbins.hb!

 #0 0x215ca71 in get_current_frag_stream_info third_party/ffmpeg/libavformat/mov.c:1192:15
 #1 0x21525c5 in mov_read_trun third_party/ffmpeg/libavformat/mov.c:4493:24
 #2 0x213d791 in mov_read_default third_party/ffmpeg/libavformat/mov.c:5977:23
 #3 0x213d791 in mov_read_default third_party/ffmpeg/libavformat/mov.c:5977:23
 #4 0x213d791 in mov_read_default third_party/ffmpeg/libavformat/mov.c:5977:23
 #5 0x213d791 in mov_read_default third_party/ffmpeg/libavformat/mov.c:5977:23
 #6 0x213d791 in mov_read_default third_party/ffmpeg/libavformat/mov.c:5977:23
 #7 0x21507cb in mov_read_trak third_party/ffmpeg/libavformat/mov.c:3949:16
 #8 0x213d791 in mov_read_default third_party/ffmpeg/libavformat/mov.c:5977:23
 #9 0x214b5b3 in mov_read_moov third_party/ffmpeg/libavformat/mov.c:1141:16
#10 0x213d791 in mov_read_default third_party/ffmpeg/libavformat/mov.c:5977:23
#11 0x213ed43 in mov_read_header third_party/ffmpeg/libavformat/mov.c:6501:16
#12 0x20e5ed3 in avformat_open_input third_party/ffmpeg/libavformat/utils.c:599:20
Applied upstream patch; will roll deps later after working through a few other bugs we have for the m64 roll.
Project Member

Comment 8 by bugdroid1@chromium.org, Nov 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aea3d2d4d8d304df1a029ef83d248508073bd066

commit aea3d2d4d8d304df1a029ef83d248508073bd066
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Sat Nov 18 06:56:26 2017

Roll ffmpeg DEPS and fix additional ubsan issues.

This change enables AV_EF_EXPLODE such that all serious errors
encountered during demuxing are fatal. Previously ffmpeg would
try to ignore these in some cases; leading to ubsan or other
issues. Specifically crbug.com/698524 and crbug.com/710791.

Due to the removal of the speex parser from ogg, there is one
test that needs updating with the roll too.

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/1e816bccb5ff..252244150ad7

$ git log 1e816bccb..252244150 --date=short --no-merges --format='%ad %ae %s'
2017-11-17 dalecurtis [mpeg4video] Fix undefined shift on assumed 8-bit input.
2017-11-17 dalecurtis Disable unused ogg codec parsers; they have bugs we don't care about.
2017-11-17 dalecurtis Use ff_thread_once for fixed, float table init.
2017-11-17 dalecurtis Fixup some patches messages.
2017-11-17 dalecurtis [mov] Fix leak of frame_duration_buffer in mov_fix_index().
2017-11-17 dalecurtis Prevent undefined shift with wrap_bits >= 63.
2017-11-15 hubbe avformat/mov: Check size of STSC allocation
2017-11-17 jstebbins [PATCH] lavf/mov: don't read outside frag_index bounds

Created with:
  roll-dep src/third_party/ffmpeg

BUG=786269,782074,783459,784159,654612,779924,710791,698524
TEST=security test cases no longer fail.

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: Ibbf3c32080705d6484682351a351663c51a7f752
Reviewed-on: https://chromium-review.googlesource.com/777408
Commit-Queue: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517709}
[modify] https://crrev.com/aea3d2d4d8d304df1a029ef83d248508073bd066/DEPS
[modify] https://crrev.com/aea3d2d4d8d304df1a029ef83d248508073bd066/media/filters/ffmpeg_demuxer_unittest.cc
[modify] https://crrev.com/aea3d2d4d8d304df1a029ef83d248508073bd066/media/filters/ffmpeg_glue.cc
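To make the two fixes in this thread concrete (the frag_index bounds check from jstebbins' "don't read outside frag_index bounds" patch, and the AV_EF_EXPLODE behaviour described in the roll above), here is an added C model written for this page. It is not FFmpeg's or Chromium's code: the structs, the `explode` flag, `ERR_INVALID_DATA`, `read_trun`, `run_trun` and `run_trun_skipped` are constructed stand-ins for the real mov.c types, and the sample index is constructed. Only the function name `get_current_frag_stream_info` and the crash class (a NULL read after a fragment-index lookup) come from the report; that the bad lookup is caused by an out-of-range `current` value is the model's assumption, chosen to match the patch title.

```c
#include <stddef.h>
#include <stdio.h>

/* Added model for this bug thread; not FFmpeg's or Chromium's code.
 * Negative return mirrors the libav* convention of negative error codes. */
#define ERR_INVALID_DATA (-1)

/* Constructed stand-ins for the mov.c fragment-index structures. */
typedef struct {
    int stream_id;   /* track this entry belongs to */
    int tfhd_flags;  /* per-fragment defaults; the value is irrelevant to the model */
} FragStreamInfo;

typedef struct {
    FragStreamInfo *stream_info;  /* NULL until the fragment's tfhd boxes are parsed */
    int nb_stream_info;
} FragIndexItem;

typedef struct {
    FragIndexItem *item;
    int nb_items;
    int current;  /* fragment being parsed; -1 means none selected yet */
} FragIndex;

typedef struct {
    FragIndex frag_index;
    int explode;        /* models AV_EF_EXPLODE: malformed input aborts demuxing */
    int boxes_skipped;  /* lenient mode counts the boxes it chose to ignore */
} Demuxer;

/* Hardened lookup. The assumed failure mode (not confirmed by the thread) is a
 * 'current' value outside [0, nb_items): item[current] is then an out-of-bounds
 * read whose stream_info pointer is meaningless. Rejecting it up front returns
 * NULL instead of dereferencing whatever that read produced. */
FragStreamInfo *get_current_frag_stream_info(const FragIndex *idx, int stream_id)
{
    if (idx->current < 0 || idx->current >= idx->nb_items)
        return NULL;
    const FragIndexItem *cur = &idx->item[idx->current];
    for (int i = 0; i < cur->nb_stream_info; i++)
        if (cur->stream_info[i].stream_id == stream_id)
            return &cur->stream_info[i];
    return NULL;
}

/* Models a 'trun' box handler. A NULL result must be handled here; reading
 * si->tfhd_flags without the check is the null-dereference class ASan reported. */
int read_trun(Demuxer *d, int stream_id)
{
    FragStreamInfo *si = get_current_frag_stream_info(&d->frag_index, stream_id);
    if (!si) {
        if (d->explode)
            return ERR_INVALID_DATA;  /* fatal: stop parsing the file */
        d->boxes_skipped++;           /* lenient: drop this box, keep going */
        return 0;
    }
    (void)si->tfhd_flags;  /* real code would apply the fragment defaults here */
    return 0;
}

/* Constructed sample index: one fragment carrying info for stream 1 only. */
static FragStreamInfo sample_infos[1] = { { 1, 0x20 } };
static FragIndexItem  sample_items[1] = { { sample_infos, 1 } };

static Demuxer make_demuxer(int current, int explode)
{
    Demuxer d = { { sample_items, 1, current }, explode, 0 };
    return d;
}

/* Return code of one trun read against the sample index. */
int run_trun(int current, int explode, int stream_id)
{
    Demuxer d = make_demuxer(current, explode);
    return read_trun(&d, stream_id);
}

/* How many boxes the lenient path skipped for the same input. */
int run_trun_skipped(int current, int explode, int stream_id)
{
    Demuxer d = make_demuxer(current, explode);
    read_trun(&d, stream_id);
    return d.boxes_skipped;
}

int main(void)
{
    printf("valid lookup:          %d\n", run_trun(0, 1, 1));
    printf("current=-1, explode:   %d\n", run_trun(-1, 1, 1));
    printf("current=-1, lenient:   %d (skipped %d)\n",
           run_trun(-1, 0, 1), run_trun_skipped(-1, 0, 1));
    printf("current past end:      %d\n", run_trun(7, 1, 1));
    return 0;
}
```

The two knobs interact the way the commit message describes: the bounds check turns a memory-safety bug into a recoverable "not found" result, and the explode flag decides whether "not found" ends demuxing or is silently skipped. In a fuzzing harness the fatal path is what keeps malformed input from reaching code paths that assume a well-formed index.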

Project Member

Comment 9 by ClusterFuzz, Nov 19 2017

ClusterFuzz has detected this issue as fixed in range 517706:517712.

Detailed report: https://clusterfuzz.com/testcase?key=4586319438413824

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000000c
Crash State:
  get_current_frag_stream_info
  mov_read_trun
  mov_read_default
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=515341:515403
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=517706:517712

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4586319438413824

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Nov 19 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4586319438413824 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
