Issue 817338


Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue 803898




Integer-overflow in mov_get_stsc_samples

Project Member Reported by ClusterFuzz, Feb 28 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5721405073915904

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  mov_get_stsc_samples
  mov_read_packet
  ff_read_packet
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=433019:433116

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5721405073915904

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Feb 28 2018

Components: Internals>Media>FFmpeg
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: xhw...@chromium.org

Comment 3 by xhw...@chromium.org, Feb 28 2018

Cc: tmathmeyer@chromium.org wolenetz@chromium.org
Another one that I cannot repro on Rodete :(
Cc: -tmathmeyer@chromium.org
Owner: tmathmeyer@chromium.org
tmathmeyer: Please help check whether you can repro on your Trusty machine. If yes, please help investigate this issue. If not, please assign back to me or xhwang@. Thanks!
Blocking: 803898
Owner: xhw...@chromium.org
sorry, my machine runs rodete now :(
iirc there was a penalty for not upgrading before today (which i think was loss of access to the corp network?)
There's a possibility of a Trusty VM that could be used. Please see internal email on this. xhwang@, do you mind if I leave this one on your plate?
wolenetz: I don't feel it's worth the effort to set up a VM just to fix this one or two issues. Given there will definitely be more coming during the M67 roll, it would be really nice if you could take it and do it in the M67 roll.

It's also very possible that you'll need to merge fixes back to M66 as well as those issues are found and fixed during your roll.
Owner: wolenetz@chromium.org
Status: Assigned (was: Untriaged)
Status: Started (was: Assigned)
I have a local repro on rodete (configure --toolchain=clang-usan) upstream ffplay. I'll send the case upstream for them to analyze/fix.
I've sent the case to Michael today.
Michael has a patch in review upstream: https://patchwork.ffmpeg.org/patch/7822/
Project Member

Comment 15 by bugdroid1@chromium.org, Mar 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720

commit 3a1d00c3ef1de6fcc959696e2a1ff11f901e4720
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Thu Mar 15 22:54:10 2018

Roll src/third_party/ffmpeg/ 4468d4967..02ec9ce5a (389 commits)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/4468d4967f5d..02ec9ce5a9bc

$ git log 4468d4967..02ec9ce5a --date=short --no-merges --format='%ad %ae %s'
2018-03-13 wolenetz Updating build configs for M67 roll.
2018-03-13 wolenetz Update build_ffmpeg.py's sysroot name for M67
2018-03-13 wolenetz Remove deprecated av_register_all from ffmpeg.sigs
2018-03-13 wolenetz Copy [de]muxer, codec and parser lists into configs
2018-03-12 wolenetz Update chromium patches README
2018-03-12 vdixit avformat/hlsenc: fix for zero EXTINF tag duration
2018-03-12 matthieu.bouron avcodec/mediacodecdec_common: make INFO_TRY_AGAIN trace messages more consistent
2018-03-10 aman avcodec/mediacodecdec: add debug logging around hw buffer lifecycle
2018-02-27 michael avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
2018-02-27 michael avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
(...)

Created with:
  roll-dep src/third_party/ffmpeg

Includes removal of FFmpegGlue::InitializeFFmpeg() because
av_register_all is no longer needed (and is deprecated in FFmpeg).

BUG=803898,772699,786793,791237,791349,795653,796778,800123,817338

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I94ccecab95831174a3bae6e9a8422e10bfec8e85
Reviewed-on: https://chromium-review.googlesource.com/964248
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543531}
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/DEPS
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/content/renderer/media/webrtc/peer_connection_dependency_factory.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/cdm/library_cdm/clear_key_cdm/clear_key_cdm.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/ffmpeg/ffmpeg_common_unittest.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.h
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder_unittest.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/gpu/video_encode_accelerator_unittest.cc

Project Member

Comment 16 by ClusterFuzz, Mar 16 2018

ClusterFuzz has detected this issue as fixed in range 543518:543534.

Detailed report: https://clusterfuzz.com/testcase?key=5721405073915904

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  mov_get_stsc_samples
  mov_read_packet
  ff_read_packet
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=433019:433116
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=543518:543534

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5721405073915904

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 17 by ClusterFuzz, Mar 16 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5721405073915904 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
The upstream fix introduced a new failure mode. See bug 822547.
