Integer-overflow in mov_read_stts |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6652862951325696 Fuzzer: libFuzzer_media_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: mov_read_stts mov_read_default ff_mov_read_stsd_entries Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=515364:515426 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6652862951325696 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Dec 4 2017
,
Mar 1 2018
,
Mar 6 2018
I have a local repro in ToT Chromium. Getting a repro in upstream ffplay is proving difficult, since the logic in the case is conditioned on the AVIOContext's current position (which differs in Chromium's FFmpegGlue custom Read/Seek/etc operations versus ffplay's). I'll consider fixing this one myself rather than upstreaming the case.
,
Mar 8 2018
I found a way to repro this on upstream ffplay, with --toolchain=clang-usan: use the async ffmpeg protocol to get the IO behavior to be more like what is needed to repro the problem with this repro media. e.g. ffplay async:repro_media_file Specific UBSAN options (see the report, minus suppressions and symbolization options) are helpful to obtain the stack trace. I've sent the case upstream to Michael today.
,
Mar 12 2018
With my review, Michael landed fix upstream last Friday: https://github.com/FFmpeg/FFmpeg/commit/2f37082827a405430c40408ee2db19ea2866ce64 It'll get pulled into the M67 ffmpeg roll (no cherry-pick should be needed for M67).
,
Mar 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720 commit 3a1d00c3ef1de6fcc959696e2a1ff11f901e4720 Author: Matt Wolenetz <wolenetz@chromium.org> Date: Thu Mar 15 22:54:10 2018 Roll src/third_party/ffmpeg/ 4468d4967..02ec9ce5a (389 commits) https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/4468d4967f5d..02ec9ce5a9bc $ git log 4468d4967..02ec9ce5a --date=short --no-merges --format='%ad %ae %s' 2018-03-13 wolenetz Updating build configs for M67 roll. 2018-03-13 wolenetz Update build_ffmpeg.py's sysroot name for M67 2018-03-13 wolenetz Remove deprecated av_register_all from ffmpeg.sigs 2018-03-13 wolenetz Copy [de]muxer, codec and parser lists into configs 2018-03-12 wolenetz Update chromium patches README 2018-03-12 vdixit avformat/hlsenc: fix for zero EXTINF tag duration 2018-03-12 matthieu.bouron avcodec/mediacodecdec_common: make INFO_TRY_AGAIN trace messages more consistent 2018-03-10 aman avcodec/mediacodecdec: add debug logging around hw buffer lifecycle 2018-02-27 michael avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it 2018-02-27 michael avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg (...) Created with: roll-dep src/third_party/ffmpeg Includes removal of FFmpegGlue::InitializeFFmpeg() because av_register_all is no longer needed (and is deprecated in FFmpeg). BUG= 803898 , 772699 , 786793 , 791237 , 791349 , 795653 , 796778 , 800123 , 817338 Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Change-Id: I94ccecab95831174a3bae6e9a8422e10bfec8e85 Reviewed-on: https://chromium-review.googlesource.com/964248 Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Reviewed-by: Xiaohan Wang <xhwang@chromium.org> Reviewed-by: Sergey Ulanov <sergeyu@chromium.org> Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org> Cr-Commit-Position: refs/heads/master@{#543531} [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/DEPS [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/content/renderer/media/webrtc/peer_connection_dependency_factory.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/cdm/library_cdm/clear_key_cdm/clear_key_cdm.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/ffmpeg/ffmpeg_common_unittest.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_audio_decoder.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.h [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder_unittest.cc [modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/gpu/video_encode_accelerator_unittest.cc
,
Mar 16 2018
ClusterFuzz has detected this issue as fixed in range 543518:543534. Detailed report: https://clusterfuzz.com/testcase?key=6652862951325696 Fuzzer: libFuzzer_media_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: mov_read_stts mov_read_default ff_mov_read_stsd_entries Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=515364:515426 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=543518:543534 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6652862951325696 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 16 2018
ClusterFuzz testcase 6652862951325696 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by kkaluri@chromium.org
, Dec 4 2017Components: Internals>Media>FFmpeg
Labels: M-64 CF-NeedsTriage