Issue 791237

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue 771995
issue 803898



Integer-overflow in avi_read_header

Project Member Reported by ClusterFuzz, Dec 2 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6096304982982656

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  avi_read_header
  avformat_open_input
  media::FFmpegGlue::OpenContext
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6096304982982656

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Project Member

Comment 1 by ClusterFuzz, Dec 2 2017

Components: Internals>Media
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 2 2017

Cc: halliwell@chromium.org dalecur...@chromium.org dbeam@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Reland of Raise gyp/GN failure if proprietary_codecs=1 and ffmpeg_branding=Chromium (patchset #1 id:1 of https://codereview.chromium.org/2260523002/ ) by dalecurtis@chromium.org - https://chromium.googlesource.com/chromium/src/+/f0131b657ac73731cd2f7c69caf0fbded721bb08

Change the way that gzipped resources are loaded from resources.pak by dbeam@chromium.org - https://chromium.googlesource.com/chromium/src/+/49dab440c63881d09a313824a345ec1f8574b025

Default to mojo media for Cast device builds by halliwell@chromium.org - https://chromium.googlesource.com/chromium/src/+/9d734dbcfb2c71fd122c2db648251c05e8b91e82

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Blocking: 771995
Owner: sande...@chromium.org
Status: Assigned (was: Untriaged)
Components: -Internals>Media Internals>Media>FFmpeg

Comment 5 by dbeam@chromium.org, Dec 12 2017

Cc: -dbeam@chromium.org
Blocking: 803898
Cc: sande...@chromium.org
Owner: wolenetz@chromium.org
Status: Started (was: Assigned)
I have a local repro on ToT Chromium.
I also have a local repro on upstream ffplay in rodete (configure --toolchain=clang-usan).  Specific UBSAN options (see the report, minus suppressions and symbolization options) are helpful to obtain the stack trace.

I've sent the case upstream to Michael today.
With my review, Michael landed his upstream fix last Thursday:

https://github.com/FFmpeg/FFmpeg/commit/06e092e7819b9437da32925200e7c369f93d82e7

It'll get pulled into the M67 ffmpeg roll (no cherry-pick should be needed for M67).
Project Member

Comment 9 by bugdroid1@chromium.org, Mar 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720

commit 3a1d00c3ef1de6fcc959696e2a1ff11f901e4720
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Thu Mar 15 22:54:10 2018

Roll src/third_party/ffmpeg/ 4468d4967..02ec9ce5a (389 commits)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/4468d4967f5d..02ec9ce5a9bc

$ git log 4468d4967..02ec9ce5a --date=short --no-merges --format='%ad %ae %s'
2018-03-13 wolenetz Updating build configs for M67 roll.
2018-03-13 wolenetz Update build_ffmpeg.py's sysroot name for M67
2018-03-13 wolenetz Remove deprecated av_register_all from ffmpeg.sigs
2018-03-13 wolenetz Copy [de]muxer, codec and parser lists into configs
2018-03-12 wolenetz Update chromium patches README
2018-03-12 vdixit avformat/hlsenc: fix for zero EXTINF tag duration
2018-03-12 matthieu.bouron avcodec/mediacodecdec_common: make INFO_TRY_AGAIN trace messages more consistent
2018-03-10 aman avcodec/mediacodecdec: add debug logging around hw buffer lifecycle
2018-02-27 michael avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
2018-02-27 michael avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
(...)

Created with:
  roll-dep src/third_party/ffmpeg

Includes removal of FFmpegGlue::InitializeFFmpeg() because
av_register_all is no longer needed (and is deprecated in FFmpeg).

BUG=803898,772699,786793,791237,791349,795653,796778,800123,817338

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I94ccecab95831174a3bae6e9a8422e10bfec8e85
Reviewed-on: https://chromium-review.googlesource.com/964248
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543531}
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/DEPS
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/content/renderer/media/webrtc/peer_connection_dependency_factory.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/cdm/library_cdm/clear_key_cdm/clear_key_cdm.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/ffmpeg/ffmpeg_common_unittest.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.h
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder_unittest.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/gpu/video_encode_accelerator_unittest.cc

Project Member

Comment 10 by ClusterFuzz, Mar 16 2018

ClusterFuzz has detected this issue as fixed in range 543518:543534.

Detailed report: https://clusterfuzz.com/testcase?key=6096304982982656

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  avi_read_header
  avformat_open_input
  media::FFmpegGlue::OpenContext
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=413192:413325
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=543518:543534

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6096304982982656

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, Mar 16 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6096304982982656 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.