Use-of-uninitialized-value in find_prev_closest_index
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6430122172481536
Fuzzer: inferno_flicker
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  find_prev_closest_index
  mov_read_trak
  mov_read_default
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=528999:529004
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6430122172481536
Additional requirements: Requires HTTP
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jan 20 2018

Jan 20 2018:
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 31 2018:
Looks like this may have slipped through the sheriff queue. This looks to be in ffmpeg. dalecurtis: could you ptal and help triage? I would assign to sandersd (he is in the regression range) however they haven't visited the bug tracker recently.

Feb 1 2018:
This should be introduced in https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/c2a8f0fcbe57ea9ccaa864130f078af10516c3c1 Looking...

Feb 2 2018:
I can reproduce this with a new stacktrace:
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
#0 0x55d988a0aa5a in find_prev_closest_index ./../../third_party/ffmpeg/libavformat/mov.c:3164:94
#1 0x55d9889f95d1 in mov_fix_index ./../../third_party/ffmpeg/libavformat/mov.c:3492:13
#2 0x55d9889f95d1 in mov_build_index ./../../third_party/ffmpeg/libavformat/mov.c:3987:0
#3 0x55d9889f95d1 in mov_read_trak ./../../third_party/ffmpeg/libavformat/mov.c:4139:0
#4 0x55d9889d14ad in mov_read_default ./../../third_party/ffmpeg/libavformat/mov.c:6220:23
#5 0x55d9889ea27d in mov_read_moov ./../../third_party/ffmpeg/libavformat/mov.c:1141:16
#6 0x55d9889d14ad in mov_read_default ./../../third_party/ffmpeg/libavformat/mov.c:6220:23
#7 0x55d9889d33f4 in mov_read_header ./../../third_party/ffmpeg/libavformat/mov.c:6744:20
#8 0x55d98895d6d3 in avformat_open_input ./../../third_party/ffmpeg/libavformat/utils.c:617:20
#9 0x55d97f0391cc in media::FFmpegGlue::OpenContext() ./../../media/filters/ffmpeg_glue.cc:116:7
(...)

Feb 7 2018:
ClusterFuzz testcase 6430122172481536 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Feb 7 2018:
This does reveal a real issue (see #9) and the fix is underway. I'll keep this open until that issue is fixed.

Feb 12 2018:
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/516c31df3aaf109882bcff4d14c06c8edfde77a7

commit 516c31df3aaf109882bcff4d14c06c8edfde77a7
Author: Xiaohan Wang <xhwang@chromium.org>
Date: Mon Feb 12 18:33:28 2018

    ffmpeg: Fix ctts_index calculation

    Add check on *ctts_index to avoid access violation.

    BUG=804097
    Change-Id: Ibf9e99508b89a3e424afcba044c00754999c9c25
    Reviewed-on: https://chromium-review.googlesource.com/900267
    Reviewed-by: Dale Curtis <dalecurtis@chromium.org>

[modify] https://crrev.com/516c31df3aaf109882bcff4d14c06c8edfde77a7/libavformat/mov.c
[modify] https://crrev.com/516c31df3aaf109882bcff4d14c06c8edfde77a7/chromium/patches/README
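The commit above describes the fix only as "add check on *ctts_index". The pattern behind it, an index-search routine whose out-parameter is written only on the match path and whose result is then used to index a second table, is worth seeing in isolation. The following is an added illustration written for this thread, not ffmpeg's mov.c and not the code in the commit: the sample tables, the function names `find_prev_closest_unsafe`, `find_prev_closest_safe`, `validated_ctts_index` and `lookup_offset`, and the table sizes are all constructed. The unsafe variant leaves the output untouched when nothing matches (the shape of failure MSan reports as a use-of-uninitialized-value in the caller), while the hardened variant always initializes the output and rejects an index that does not fit the companion table before it is used.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample tables (hypothetical, not from any real file): each
   sample has a decode timestamp and an index into a companion "ctts-like"
   offset table. Entry 2 deliberately carries an out-of-range index (7 in a
   table of 3), the kind of value a corrupt or fuzzed file can supply. */
#define SAMPLE_COUNT 4
#define CTTS_COUNT   3
static const int64_t sample_ts[SAMPLE_COUNT]   = { 0, 10, 20, 30 };
static const int     sample_ctts[SAMPLE_COUNT] = { 0, 1, 7, 2 };
static const int64_t ctts_offset[CTTS_COUNT]   = { 0, 5, -5 };

/* Unsafe style (hypothetical): walk backwards to the last sample whose
   timestamp is <= target. The out-parameter is written ONLY when a match is
   found, so on the no-match path the caller reads whatever was in *ctts_index
   before the call. That is exactly what MemorySanitizer flags. */
static int find_prev_closest_unsafe(int64_t target, int *ctts_index)
{
    for (int i = SAMPLE_COUNT - 1; i >= 0; i--) {
        if (sample_ts[i] <= target) {
            *ctts_index = sample_ctts[i];
            return i;
        }
    }
    return -1;                       /* *ctts_index left untouched */
}

/* Hardened style: the output is initialized before any early return, and an
   index taken from file data is range-checked against the companion table
   before it is handed back. Returns the sample position or -1. */
static int find_prev_closest_safe(int64_t target, int *ctts_index)
{
    *ctts_index = -1;                /* never leave the output uninitialized */
    for (int i = SAMPLE_COUNT - 1; i >= 0; i--) {
        if (sample_ts[i] <= target) {
            int idx = sample_ctts[i];
            if (idx < 0 || idx >= CTTS_COUNT)
                return -1;           /* out-of-range index from the file: reject */
            *ctts_index = idx;
            return i;
        }
    }
    return -1;
}

/* Convenience wrapper: the validated companion index for a target, or -1. */
static int validated_ctts_index(int64_t target)
{
    int idx;
    find_prev_closest_safe(target, &idx);
    return idx;
}

/* Caller in the fixed style: touches the companion table only after the
   index has been validated. Returns INT64_MIN when there is no usable entry. */
static int64_t lookup_offset(int64_t target)
{
    int idx;
    if (find_prev_closest_safe(target, &idx) < 0)
        return INT64_MIN;
    return ctts_offset[idx];
}

/* Demonstrates the unsafe path observably without a sanitizer: a sentinel
   placed in the output survives a no-match call unchanged. Returns 1 if so. */
static int unsafe_leaves_output_untouched(void)
{
    int sentinel = 12345;
    find_prev_closest_unsafe(-1, &sentinel);
    return sentinel == 12345;
}

int main(void)
{
    printf("unsafe no-match leaves output untouched: %d\n",
           unsafe_leaves_output_untouched());
    printf("safe index for target 25 (corrupt entry): %d\n",
           validated_ctts_index(25));
    printf("safe index for target 35: %d, offset %lld\n",
           validated_ctts_index(35), (long long)lookup_offset(35));
    return 0;
}
```

Under MSan the unsafe variant is reported at the first conditional or memory access that consumes the stale value in the caller, which is why the crash state names the search function while the real defect is the missing initialization and check. Initializing every out-parameter up front and validating file-derived indices against the table they index is the general defence; it also turns a silent out-of-bounds read into a clean parse failure.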

Feb 13 2018:
M65 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.

Feb 14 2018:
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/16f39edca89c5cfc5930f06f81f09491f69829d7

commit 16f39edca89c5cfc5930f06f81f09491f69829d7
Author: Xiaohan Wang <xhwang@chromium.org>
Date: Wed Feb 14 01:05:38 2018

    Roll src/third_party/ffmpeg/ f5964c36e..58a80d155 (2 commits)

    https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/f5964c36e1dc..58a80d15568f

    $ git log f5964c36e..58a80d155 --date=short --no-merges --format='%ad %ae %s'
    2018-02-13 xhwang ffmpeg: Set valid qscale value in ff_h264_decode_mb_cavlc()
    2018-02-09 xhwang ffmpeg: Fix ctts_index calculation

    Created with:
      roll-dep src/third_party/ffmpeg

    BUG=806122,804097,804606
    Change-Id: I1dfb85059290569fcde7a5e90e7802c7e5a0bf64
    Reviewed-on: https://chromium-review.googlesource.com/917199
    Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
    Commit-Queue: Xiaohan Wang <xhwang@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#536581}

[modify] https://crrev.com/16f39edca89c5cfc5930f06f81f09491f69829d7/DEPS

Feb 14 2018:
ClusterFuzz has detected this issue as fixed in range 536580:536587.

Detailed report: https://clusterfuzz.com/testcase?key=6430122172481536
Fuzzer: inferno_flicker
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  find_prev_closest_index
  mov_read_trak
  mov_read_default
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=528999:529004
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=536580:536587
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6430122172481536
Additional requirements: Requires HTTP
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 14 2018:
Merges should be tracked by merge label, moving this to status=Fixed.

Feb 16 2018:
Hi xhwang@ - what do you think about getting the roll from here and issue 801821 into M65? We do have one more Beta if we can get the merge in before Tuesday next week. Thanks!

Feb 16 2018:
awhalley: Thanks for the ping! Yes, we have multiple ffmpeg related issues fixed recently and most of the fixes are trivial enough that the risk is pretty low. What's the general recommendation for merging fixes to M65 at this point? Shall we merge all Security* bug fixes?

Feb 16 2018:
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feb 16 2018:
+ awhalley@ for M65 merge review

Feb 20 2018:
xhwang@ - thanks! Yep, if we can get them in before 1pm PST on Tuesday to catch the last beta. govind@ - good for 65.

Feb 20 2018:
Approving merge to M65 branch 3325 based on comment #23. Pls merge ASAP. Thank you.

Feb 20 2018:
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/adbd83a88ab3aaf9aeb72cfc0b7e2c7e37922f40

commit adbd83a88ab3aaf9aeb72cfc0b7e2c7e37922f40
Author: Xiaohan Wang <xhwang@chromium.org>
Date: Tue Feb 20 19:43:51 2018

May 24 2018:
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot