Null-dereference READ in content::UserMediaProcessor::RequestInfo::AddVideoFormats |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4943430401392640 Fuzzer: phoglund_webrtc_peerconnection Job Type: linux_cfi_chrome Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000248 Crash State: content::UserMediaProcessor::RequestInfo::AddVideoFormats content::UserMediaProcessor::GotAllVideoInputFormatsForDevice base::OnceCallback<void Sanitizer: cfi (CFI) Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=539020:539023 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4943430401392640 Additional requirements: Requires HTTP Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Feb 26 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/099278c420c6af6245fd61a6145da2818e10d5d4 (Add support for video properties in MediaStreamTrack.getCapabilities()). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Feb 26 2018
In this test case, a continuous reload happens due to location.reload. It seems like |current_request_info_| is not valid when GetAllVideoInputDeviceFormats's callback GotAllVideoInputFormatsForDevice is received thereby causing this crash when |current_request_info_|'s map |video_formats_map_| is accessed.
,
Feb 26 2018
I'll take care of this.
,
Feb 26 2018
Okay, thank you. Is my above understanding correct? And do we need to add a check for |current_request_info_| in the callback GotAllVideoInputFormatsForDevice()?
,
Feb 26 2018
,
Feb 26 2018
Issue 816284 has been merged into this issue.
,
Feb 26 2018
Issue 816231 has been merged into this issue.
,
Feb 26 2018
,
Feb 26 2018
c.padhi@: Your understanding is correct. The fix is to check if |current_request_info_| is the same request that originated the mojo call, and proceed only if it is. I missed that in the original review, but all asynchronous callbacks in UserMediaProcessor have to do that. https://chromium-review.googlesource.com/c/chromium/src/+/937222 will fix it.
,
Feb 26 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/106d17cba9878a0af93bbf1128ab51932d33fea2 commit 106d17cba9878a0af93bbf1128ab51932d33fea2 Author: Guido Urdaneta <guidou@chromium.org> Date: Mon Feb 26 13:47:05 2018 Check that request is valid after getting video formats on UserMediaProcessor. Bug: 816323 Change-Id: I5345d13037105374ad8ca062e8c55a4dec13d9e4 Reviewed-on: https://chromium-review.googlesource.com/937222 Commit-Queue: Guido Urdaneta <guidou@chromium.org> Reviewed-by: Chandan Padhi <c.padhi@samsung.com> Cr-Commit-Position: refs/heads/master@{#539120} [modify] https://crrev.com/106d17cba9878a0af93bbf1128ab51932d33fea2/content/renderer/media/stream/user_media_processor.cc [modify] https://crrev.com/106d17cba9878a0af93bbf1128ab51932d33fea2/content/renderer/media/stream/user_media_processor.h
,
Feb 26 2018
,
Feb 27 2018
ClusterFuzz has detected this issue as fixed in range 539112:539120. Detailed report: https://clusterfuzz.com/testcase?key=4943430401392640 Fuzzer: phoglund_webrtc_peerconnection Job Type: linux_cfi_chrome Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000248 Crash State: content::UserMediaProcessor::RequestInfo::AddVideoFormats content::UserMediaProcessor::GotAllVideoInputFormatsForDevice base::OnceCallback<void Sanitizer: cfi (CFI) Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=539020:539023 Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=539112:539120 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4943430401392640 Additional requirements: Requires HTTP See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 27 2018
ClusterFuzz testcase 4943430401392640 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 1 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/76575bdb52d2726b39153600b17bea08bd8ab286 commit 76575bdb52d2726b39153600b17bea08bd8ab286 Author: Guido Urdaneta <guidou@chromium.org> Date: Thu Mar 01 16:32:42 2018 Improve handling of frame reloads in getUserMedia() This mainly serves as a test for https://crbug.com/816323 , but also removes two DCHECKs that were wrong. This CL also removes UserMediaProcessor::RequestInfo::HasPendingSources() since it was used just for implementing two DCHECKs, one of which is no longer valid due to other recent changes. No behavior change is intended. Bug: 816597 , 816323 Change-Id: Icfddae5f9a9709e9702f696cb70f289697bdcb6b Reviewed-on: https://chromium-review.googlesource.com/938041 Reviewed-by: Harald Alvestrand <hta@chromium.org> Commit-Queue: Guido Urdaneta <guidou@chromium.org> Cr-Commit-Position: refs/heads/master@{#540176} [modify] https://crrev.com/76575bdb52d2726b39153600b17bea08bd8ab286/content/browser/renderer_host/media/media_stream_manager.cc [modify] https://crrev.com/76575bdb52d2726b39153600b17bea08bd8ab286/content/renderer/media/stream/user_media_processor.cc [add] https://crrev.com/76575bdb52d2726b39153600b17bea08bd8ab286/third_party/WebKit/LayoutTests/fast/mediastream/getusermedia-reload-no-crash.html |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ClusterFuzz
, Feb 26 2018Labels: Test-Predator-Auto-Components