Integer-overflow in vp8_packet |
||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5340021237481472 Fuzzer: libFuzzer_media_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: vp8_packet ogg_packet ogg_read_packet Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5340021237481472 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Nov 22 2017
,
Nov 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/415212d7045bc6c2ed5c58ec46740251c32ea7ce commit 415212d7045bc6c2ed5c58ec46740251c32ea7ce Author: Dale Curtis <dalecurtis@chromium.org> Date: Wed Nov 29 01:10:35 2017 Roll FFmpeg and update FFmpegDemuxer for security fixes. https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/9cb03e5705c1..18c815f81428 $ git log 9cb03e570..18c815f81 --date=short --no-merges --format='%ad %ae %s' 2017-11-28 dalecurtis Update chromium patches README with new patches. 2017-11-28 dalecurtis Free opus extradata before reallocating. 2017-11-28 dalecurtis Don't manipulate duration when it's AV_NOPTS_VALUE. 2017-11-28 dalecurtis Respect AVERROR codes returned by ogg parsers. 2017-11-25 michael avformat/aacdec: Fix leak in adts_aac_read_packet() Inspection of code reveals that we don't properly ignore invalid codec parameters when setting up the ffmpeg demuxer, so we will now explicitly discard streams which don't have a codec detected. Created with: roll-dep src/third_party/ffmpeg BUG= 788550 , 787803 , 773637 , 787351 TEST=ubsan/asan no longer fail. Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Change-Id: I87b0482499e41b2c0190ef3852ed81c3e91c4236 Reviewed-on: https://chromium-review.googlesource.com/794844 Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Reviewed-by: Thomas Guilbert <tguilbert@chromium.org> Cr-Commit-Position: refs/heads/master@{#519941} [modify] https://crrev.com/415212d7045bc6c2ed5c58ec46740251c32ea7ce/DEPS [modify] https://crrev.com/415212d7045bc6c2ed5c58ec46740251c32ea7ce/media/filters/ffmpeg_demuxer.cc
,
Nov 29 2017
ClusterFuzz has detected this issue as fixed in range 519939:519974. Detailed report: https://clusterfuzz.com/testcase?key=5340021237481472 Fuzzer: libFuzzer_media_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: vp8_packet ogg_packet ogg_read_packet Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=519939:519974 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5340021237481472 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 29 2017
ClusterFuzz testcase 5340021237481472 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||
►
Sign in to add a comment |
||
Comment 1 by kkaluri@chromium.org
, Nov 22 2017Components: Internals>Media>FFmpeg
Labels: Test-Predator-Wrong M-63
Owner: dalecur...@chromium.org
Status: Assigned (was: Untriaged)