Issue metadata
Sign in to add a comment
|
Integer-overflow in ff_h264_chroma422_dc_dequant_idct_10_c |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5394829299941376 Fuzzer: libFuzzer_mediasource_MP4_AVC1_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: ff_h264_chroma422_dc_dequant_idct_10_c hl_decode_mb_complex decode_slice Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5394829299941376 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Jan 29 2018
Predator could not provide any possible suspects. From the below CL observing some changes related to MP4, hence suspecting the same https://chromium.googlesource.com/chromium/src/+log/80638c164335ae4a97d134544f789c26c9493597..881a0cd6dd3c6c69fdf86d22ffdfed0b0459498c?pretty=fuller&n=10000 Suspect CL: https://chromium.googlesource.com/chromium/src/+/0b378819e3b3925e0eabd34e73d3972a19b4a46d wolenetz@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner. Thanks!
,
Jan 29 2018
=> xhwang@ who is rolling FFmpeg currently for M66 -- Xiaohan - it looks like the regression range includes my addition of MSE parser+decoder fuzzing. So it looks like this (apparently ffmpeg decoder issue) predates that fuzzing. (I'm adding MSE component just in case it's non-reproducible using normal src= or ffplay). Please take a look.
,
Feb 5 2018
,
Feb 5 2018
,
Feb 14 2018
For the record: The same issue was reported before, and was fixed in: https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+/258763ad0e1efff82bbe2beb97527d3c19f40932%5E%21/#F0 Basically, the maximum value of |coeff_abs| can be 2147483647* + 14U which is 2147483661, which is greater than MAX_INT. Then |-coeff_abs| was passed into get_cabac_bypass_sign() as a signed integer |val|, which gets the value 2147483635, and caused the problem. get_cabac_bypass_sign(CABACContext *c, int val)
,
Feb 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/dcccd2a894eb963780da428b5f95ff4cc1ea3359 commit dcccd2a894eb963780da428b5f95ff4cc1ea3359 Author: Xiaohan Wang <xhwang@chromium.org> Date: Wed Feb 14 00:38:02 2018 ffmpeg: Fix integer overflow in decode_cabac_residual_internal() Fix contributed by Michael Niedermayer. See https://patchwork.ffmpeg.org/patch/7588/ Original CL description: Fixes: integer overflows Reported-by: "Xiaohan Wang (王消寒)" <xhwang@chromium.org> Based on limits in "8.5 Transform coefficient decoding process and picture construction process prior to deblocking filter process" BUG= 806580 Change-Id: Iab16165b970ec50d33700ff511f1c2c2dc72abea Reviewed-on: https://chromium-review.googlesource.com/917462 Reviewed-by: Dale Curtis <dalecurtis@chromium.org> [modify] https://crrev.com/dcccd2a894eb963780da428b5f95ff4cc1ea3359/libavcodec/h264_cabac.c [modify] https://crrev.com/dcccd2a894eb963780da428b5f95ff4cc1ea3359/chromium/patches/README
,
Feb 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e19b85dee7f81bcce2c2af2ad1688c725ab85960 commit e19b85dee7f81bcce2c2af2ad1688c725ab85960 Author: Xiaohan Wang <xhwang@chromium.org> Date: Wed Feb 14 23:37:39 2018 Roll src/third_party/ffmpeg/ 58a80d155..9ed334093 (4 commits) https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/58a80d15568f..9ed334093692 $ git log 58a80d155..9ed334093 --date=short --no-merges --format='%ad %ae %s' 2018-02-13 sandersd Prevent NULL dereference in mov_seek_fragment() 2018-02-13 xhwang ffmpeg: Fix integer overflow in decode_cabac_residual_internal() 2018-02-13 xhwang ffmpeg: Fix stts_data memory allocation 2018-02-13 sandersd Prevent NULL dereference in mov_read_sidx() Created with: roll-dep src/third_party/ffmpeg BUG= 804070 , 806580 , 801821 , 802335 Change-Id: Iae66a2c0ac4443b8ef04fffa630a925308dfdd04 Reviewed-on: https://chromium-review.googlesource.com/919863 Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Commit-Queue: Xiaohan Wang <xhwang@chromium.org> Cr-Commit-Position: refs/heads/master@{#536884} [modify] https://crrev.com/e19b85dee7f81bcce2c2af2ad1688c725ab85960/DEPS
,
Feb 15 2018
ClusterFuzz has detected this issue as fixed in range 536859:536889. Detailed report: https://clusterfuzz.com/testcase?key=5394829299941376 Fuzzer: libFuzzer_mediasource_MP4_AVC1_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: ff_h264_chroma422_dc_dequant_idct_10_c hl_decode_mb_complex decode_slice Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=497087:497155 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=536859:536889 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5394829299941376 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 15 2018
ClusterFuzz testcase 5394829299941376 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Jan 28 2018Labels: Test-Predator-Auto-Components