
Issue 793201


Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Undefined-shift in webrtc::ComfortNoiseDecoder::UpdateSid

Reported by ClusterFuzz (Project Member), Dec 8 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5457863630913536

Fuzzer: libFuzzer_comfort_noise_decoder_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  webrtc::ComfortNoiseDecoder::UpdateSid
  webrtc::test::FuzzOneInputTest
  webrtc::FuzzOneInput
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=522405:522413

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5457863630913536

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Cc: msrchandra@chromium.org hlundin@chromium.org pnangunoori@chromium.org
Components: Blink>WebRTC
Labels: M-65 Test-Predator-Wrong
Owner: saza@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using code search for the file “comfort_noise_decoder_fuzzer.cc”, assigning to the concerned owner from git blame.
Suspected commit:
https://webrtc.googlesource.com/src.git/+/5dcbbfd1533bf14efee5b6bd2b879d515d1095c5

@saza -- Assigning this issue to you as you were the reviewer. Could you please look into this issue, and kindly reassign it if it has nothing to do with the above change.

Thank You.

Comment 2 by bugdroid1@chromium.org (Project Member), Dec 11 2017

The following revision refers to this bug:
  https://webrtc.googlesource.com/src.git/+/32c6ae249fb879d75de119bc63b9a16f9f14bdca

commit 32c6ae249fb879d75de119bc63b9a16f9f14bdca
Author: Sam Zackrisson <saza@webrtc.org>
Date: Mon Dec 11 12:47:25 2017

Fix fuzzer-found undefined behavior in webrtc_cng

The computation (x-127) << 8 is undefined for x < 127.
This CL replaces the shift with a multiplication: (x-127) * (1 << 8)

Bug: chromium:793201
Change-Id: I38b40bd88300208a0bfbbd8fe144b0a5b51a48ed
Reviewed-on: https://webrtc-review.googlesource.com/31800
Commit-Queue: Sam Zackrisson <saza@webrtc.org>
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21205}
[modify] https://crrev.com/32c6ae249fb879d75de119bc63b9a16f9f14bdca/modules/audio_coding/codecs/cng/webrtc_cng.cc
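The shift described in the commit message above, as an added example that is not WebRTC's code: the undefined 'before' form beside the multiplication the CL substitutes, plus a checked-shift helper for code paths where the operand range is not known. It assumes the input is an 8-bit SID-frame value (a constructed assumption), so x - 127 lies in [-127, 128].

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* 'Before': left-shifting a negative signed value is undefined behaviour in
 * C and in C++ before C++20 (C11 6.5.7p4). A build with -fsanitize=undefined
 * reports "left shift of negative value" here whenever x < 127. */
int32_t scale_ub(uint8_t x) {
    int32_t v = (int32_t)x - 127;
    return v << 8; /* UB when v < 0 */
}

/* 'After': the same arithmetic as a multiplication, which is well defined for
 * negative operands as long as the product fits in int32_t (it always does
 * for v in [-127, 128]). */
int32_t scale_fixed(uint8_t x) {
    int32_t v = (int32_t)x - 127;
    return v * (1 << 8);
}

/* Defensive helper (assumption, not a WebRTC API) for shifts whose operand
 * range is not statically known: refuses shifts that would be undefined
 * (negative operand, oversized shift count) or would overflow int32_t.
 * Returns 1 and stores the result in *out on success, 0 otherwise. */
int checked_shl_i32(int32_t v, unsigned shift, int32_t *out) {
    if (shift >= 32) return 0;                 /* shift count too large */
    if (v < 0) return 0;                       /* negative operand: UB */
    if (v > (INT32_MAX >> shift)) return 0;    /* result would overflow */
    *out = v << shift;
    return 1;
}

int main(void) {
    int32_t r;
    /* Values below 127 are the fuzzer-found case; only the fixed form is safe. */
    printf("scale_fixed(100) = %d\n", scale_fixed(100));   /* -6912 */
    printf("scale_fixed(200) = %d\n", scale_fixed(200));   /* 18688 */
    printf("scale_ub(200)    = %d\n", scale_ub(200));      /* 18688, defined: v > 0 */
    printf("checked_shl_i32(-27, 8) accepted? %d\n", checked_shl_i32(-27, 8, &r)); /* 0 */
    /* scale_ub(100) is deliberately not called: its result is undefined. */
    return 0;
}
```

Compiling with `-fsanitize=undefined` and feeding any x < 127 through scale_ub reproduces the UBSan report class in the crash state; the same input through scale_fixed is silent.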

Comment 3 by ClusterFuzz (Project Member), Dec 13 2017

ClusterFuzz has detected this issue as fixed in range 523643:523652.

Detailed report: https://clusterfuzz.com/testcase?key=5457863630913536

Fuzzer: libFuzzer_comfort_noise_decoder_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  webrtc::ComfortNoiseDecoder::UpdateSid
  webrtc::test::FuzzOneInputTest
  webrtc::FuzzOneInput
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=522405:522413
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=523643:523652

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5457863630913536

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by saza@chromium.org, Dec 13 2017

Status: Fixed (was: Assigned)

Comment 5 by ClusterFuzz (Project Member), Dec 13 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5457863630913536 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by a8933...@gmail.com, Dec 17 2017

a8933413@gmail.com

Comment 7 by a8933...@gmail.com, Dec 18 2017

ERR_NAME_NOT_RESOLVED
