Undefined-shift in ff_vorbis_len2vlc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4746431926894592

Fuzzer: libFuzzer_mediasource_WEBM_VORBIS_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  ff_vorbis_len2vlc
  vorbis_parse_setup_hdr_codebooks
  vorbis_parse_setup_hdr

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=499820:499882

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4746431926894592

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Nov 21 2017
This looks like a fault in FFmpeg. => Dale, who rolled FFmpeg most recently.
Nov 21 2017
Nov 22 2017
Hmm +mmoroz, is this correct? The error is 1 << 31 can't be represented as an integer type, but that seems wrong? 1 << 31 == 2147483648 which fits in an int?
Nov 22 2017
Derp, max int is 2147483647, not 2147483648, so it needs to be 1u.
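The point made in the comment above, as an added example that is not part of this bug thread or of FFmpeg's own code (the real body of ff_vorbis_len2vlc is not shown on this page, and the helper names below are hypothetical): a signed 32-bit int holds at most 2147483647, so `1 << 31` has no representable result and is undefined behaviour in C, which is exactly what UBSan's shift check reports. `1u << 31` shifts an unsigned value, for which every shift below the type width is defined. The first helper is the check a reviewer would apply by hand when auditing shifts on signed operands; the second is the unsigned form the fix uses; the third computes the intended value in a wider type so the comparison can be made without executing the undefined shift.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: returns true when (value << shift) is well defined
 * for a signed 32-bit int under C11 6.5.7: the shift count is within the
 * type width, the left operand is non-negative, and the mathematical
 * result value * 2^shift is representable in int32_t. */
bool int32_shift_is_defined(int32_t value, int shift)
{
    if (shift < 0 || shift >= 32)
        return false;                 /* shift count out of range */
    if (value < 0)
        return false;                 /* left-shifting a negative value */
    /* value * 2^shift fits iff value <= INT32_MAX / 2^shift */
    return value <= (INT32_MAX >> shift);
}

/* The fixed form: build the top-bit mask of a `len`-bit code using an
 * unsigned 1, so len == 32 yields 0x80000000 with no undefined behaviour.
 * Out-of-range lengths return 0 so a bad codebook cannot select an
 * undefined shift count either. */
uint32_t top_bit_mask(unsigned len)
{
    if (len == 0 || len > 32)
        return 0;
    return 1u << (len - 1);
}

/* Evaluate what the signed shift was meant to produce, in 64-bit
 * arithmetic, so the intended value can be compared against INT32_MAX
 * without performing the undefined 32-bit shift. */
int64_t shift_as_int64(int32_t value, int shift)
{
    return (int64_t)value << shift;
}

int main(void)
{
    /* 1 << 30 is fine; 1 << 31 is the case UBSan flagged in this bug. */
    for (int s = 30; s <= 31; s++) {
        int64_t wanted = shift_as_int64(1, s);
        printf("1 << %d -> %lld (%s for int32)\n", s, (long long)wanted,
               int32_shift_is_defined(1, s) ? "defined" : "UNDEFINED");
    }
    printf("1u << 31 -> 0x%08x\n", top_bit_mask(32));
    return 0;
}
```

Compiling the example with `-fsanitize=undefined` (clang or gcc) is the same check the fuzzer job ran; it would trip only if the signed shift were executed, which this code deliberately avoids.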
Nov 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7f1b654208478be9851c8b2a2ee2591d88d3b99c

commit 7f1b654208478be9851c8b2a2ee2591d88d3b99c
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Wed Nov 22 03:24:28 2017

Roll src/third_party/ffmpeg/ 168dfaa19..abead8cbc (6 commits)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/168dfaa19bfd..abead8cbcf89

$ git log 168dfaa19..abead8cbc --date=short --no-merges --format='%ad %ae %s'
2017-11-21 dalecurtis [vorbis] 1 << 31 > int32_t::max(), so use 1u << 31 instead.
2017-11-21 dalecurtis [mov] Increment stsd_count while processing stsd data; avoids leaks.
2017-11-21 dalecurtis Update wrap_bits fix to work with wrap_bits == 63,64.
2017-11-21 dalecurtis Free extradata before reallocating.
2017-11-21 dalecurtis Add mips64el build files based.
2017-11-21 milko.leporis [MIPS] Put mips64el Linux configuration options

BUG=787347,786803,786808,783459
TEST=test cases no longer fail.
TBR=tguilbert

Created with:
  roll-dep src/third_party/ffmpeg

Change-Id: I20b262e221d31a6449b9de966d312e14df67b6b9
Reviewed-on: https://chromium-review.googlesource.com/784104
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Thomas Guilbert <tguilbert@chromium.org>
Commit-Queue: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518523}

[modify] https://crrev.com/7f1b654208478be9851c8b2a2ee2591d88d3b99c/DEPS
Nov 22 2017
ClusterFuzz has detected this issue as fixed in range 518512:518527.

Detailed report: https://clusterfuzz.com/testcase?key=4746431926894592

Fuzzer: libFuzzer_mediasource_WEBM_VORBIS_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  ff_vorbis_len2vlc
  vorbis_parse_setup_hdr_codebooks
  vorbis_parse_setup_hdr

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=499820:499882
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=518512:518527

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4746431926894592

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2017
ClusterFuzz testcase 4746431926894592 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 21 2017
Owner: wolenetz@chromium.org
Status: Assigned (was: Untriaged)