Integer-overflow in h264_select_output_frame |
|||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4836577419984896 Fuzzer: libFuzzer_mediasource_MP4_AACLC_AVC_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: h264_select_output_frame h264_field_start ff_h264_queue_decode_slice Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=499820:499882 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4836577419984896 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Mar 19 2018
Predator could not provide any possible suspects. From the below CL observing some changes related to 'Mp4' , hence suspecting the same https://chromium.googlesource.com/chromium/src/+log/e9e69daaec55e841dcb7abf4645346dc8351ca3b..5ad2ea2a387858d61ff3e0ac42b1b18dfbb43a77?pretty=fuller&n=10000 Suspect CL: https://chromium.googlesource.com/chromium/src/+/2ad785825859b6be6964d484a1d6a5f3f2c2ded5 wolenetz@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner. Thanks!
,
Mar 19 2018
The regression range is ancient (goes back to when I added the fuzzer last year); not due to M67 roll but P1 regardless.
,
Mar 19 2018
I have a local repro on current trunk. I also have repro on current ffmpeg, and also on ancient ffmpeg (mid-September 2017). async: protocol is necessary to obtain the same error on upstream ffplay_g. I've sent the case upstream to Michael today for a fix. In ffplay_g, there were also multiple alignment USAN errors included in the case. Marking M-65 also in case the fix meets that bar.
,
Apr 7 2018
ClusterFuzz has detected this issue as fixed in range 548850:548860. Detailed report: https://clusterfuzz.com/testcase?key=4836577419984896 Fuzzer: libFuzzer_mediasource_MP4_AACLC_AVC_pipeline_integration_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: h264_select_output_frame h264_field_start ff_h264_queue_decode_slice Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=499820:499882 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=548850:548860 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4836577419984896 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 7 2018
ClusterFuzz testcase 4836577419984896 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 9 2018
This is not yet fixed. Confirmed continued local repro. Potential fix is in review since last Friday with Micheal upstream (I LGTM'ed it today % question of the sizeof(int) < sizeof(int64_t) assumption it embeds.)
,
Apr 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/c6aed052aba910a88d6e68c02946d17f94702da5 commit c6aed052aba910a88d6e68c02946d17f94702da5 Author: Matt Wolenetz <wolenetz@chromium.org> Date: Thu Apr 12 22:16:45 2018 lavf/mov and lavc/h264_slice cherry-picks Two cherry-picks: avformat/mov: Fix extradata memleak Fixes: crbug 822705 Reported-by: Matt Wolenetz <wolenetz@google.com> Reviewed-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0a8133119ca5d087c7c7140d100406ff84c477ee) avcodec/h264_slice: Fix integer overflow with last_poc Fixes: signed integer overflow: 2147483646 - -2816 cannot be represented in type 'int' Fixes: crbug 823145 Reported-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 8c02cd8ca097871dcd00cf8e08ce51660873f405) BUG=822705,823145 R=xhwang@chromium.org Change-Id: I965760d7cdc3cb214e70bef66ce5896d6acca4ac Reviewed-on: https://chromium-review.googlesource.com/1011382 Reviewed-by: Xiaohan Wang <xhwang@chromium.org> [modify] https://crrev.com/c6aed052aba910a88d6e68c02946d17f94702da5/libavcodec/h264_slice.c [modify] https://crrev.com/c6aed052aba910a88d6e68c02946d17f94702da5/libavformat/mov.c
,
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c13b8c3fe0f2af202dc6c813cbe81f415147bf1d commit c13b8c3fe0f2af202dc6c813cbe81f415147bf1d Author: Matt Wolenetz <wolenetz@chromium.org> Date: Fri Apr 13 01:04:22 2018 Roll src/third_party/ffmpeg/ 5af686b3c..c6aed052a (1 commit) https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/5af686b3cfa2..c6aed052aba9 $ git log 5af686b3c..c6aed052a --date=short --no-merges --format='%ad %ae %s' 2018-04-12 wolenetz lavf/mov and lavc/h264_slice cherry-picks Created with: roll-dep src/third_party/ffmpeg BUG=823145,822705 TBR=xhwang@chromium.org Change-Id: I05c5b0c781157a67454e8d624f68ad8adcc00136 Reviewed-on: https://chromium-review.googlesource.com/1011397 Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org> Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org> Cr-Commit-Position: refs/heads/master@{#550451} [modify] https://crrev.com/c13b8c3fe0f2af202dc6c813cbe81f415147bf1d/DEPS
,
Apr 17 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c13b8c3fe0f2af202dc6c813cbe81f415147bf1d commit c13b8c3fe0f2af202dc6c813cbe81f415147bf1d Author: Matt Wolenetz <wolenetz@chromium.org> Date: Fri Apr 13 01:04:22 2018 Roll src/third_party/ffmpeg/ 5af686b3c..c6aed052a (1 commit) https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/5af686b3cfa2..c6aed052aba9 $ git log 5af686b3c..c6aed052a --date=short --no-merges --format='%ad %ae %s' 2018-04-12 wolenetz lavf/mov and lavc/h264_slice cherry-picks Created with: roll-dep src/third_party/ffmpeg BUG=823145,822705 TBR=xhwang@chromium.org Change-Id: I05c5b0c781157a67454e8d624f68ad8adcc00136 Reviewed-on: https://chromium-review.googlesource.com/1011397 Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org> Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org> Cr-Commit-Position: refs/heads/master@{#550451} [modify] https://crrev.com/c13b8c3fe0f2af202dc6c813cbe81f415147bf1d/DEPS
,
Apr 24 2018
,
Apr 24 2018
#8 fixed the issue in trunk, but just missed the M67 branch cut. --> liberato@, please check if either of the issues rolled in #8 (bug 823145 and bug 822705) meet the release managers' bar for merge-to-M67 and do the merge (buildspec change) if approved.
,
Apr 30 2018
,
Apr 30 2018
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 30 2018
Before we approve merge to M67, please answer followings: * This does't seem like M67 regression exists on M65 & M66, could you pls explain why it is imp to merge? * Is the change well baked/verified in Canary, having enough automation tests coverage and safe to merge to M67? * Any other important details to justify the merge. Please note M67 is already in Beta, so merge bar is very high. Thank you.
,
May 1 2018
thanks, nvm.
,
Jul 19
This bug has a stale milestone. Please close appropriately, update the milestone and set P1/P2, or drop the milestone and set as P3. I'll automatically punt these issues to M70 next week otherwise.
,
Jul 27
These issues have seen no update and have stale milestones, dropping priority and removing milestone. |
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by ClusterFuzz
, Mar 18 2018Labels: Test-Predator-Auto-Components