
Issue 828526 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue 803898



Direct-leak in opus_multistream_decoder_create

Project Member Reported by ClusterFuzz, Apr 3 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5637372251996160

Fuzzer: libFuzzer_audio_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  opus_multistream_decoder_create
  libopus_decode_init
  avcodec_open2
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=546309:546321

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637372251996160

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Project Member

Comment 1 by ClusterFuzz, Apr 3 2018

Components: Internals>Media>FFmpeg
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Apr 3 2018

Labels: Test-Predator-Auto-Owner
Owner: mmoroz@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/4b5068a99a84ff2edb34aa0549afc89aa751ccb4 (Add audio_decoder_fuzzer fuzz target.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: mmoroz@chromium.org dalecur...@chromium.org wolenetz@chromium.org
Owner: ----
Status: Untriaged (was: Assigned)
Matt, Dale, do you know who I can route this to?
Cc: liber...@chromium.org
matt or liberato (next ffmpeg roller) are the right folks.
Cc: -liber...@chromium.org
Owner: liber...@chromium.org
Status: Assigned (was: Untriaged)
Cc: -dalecur...@chromium.org -wolenetz@chromium.org liber...@chromium.org
Owner: wolenetz@chromium.org
Frank, since I'm syncing w/Michael this week, I'll start on this (though it may pass to you to fix in your roll).

I have a confirmed local repro using *both* audio_decoder_fuzzer and media_pipeline_integration_fuzzer.

I couldn't get this to repro on current upstream ffplay (3b2fd960481d90d0788e1958a2b1469ac55ba3c5) or on upstream ffplay from the M67 hash (9c249110ea974ce213840fde5ee5a3d842fa088d).

Will investigate further to see if -ss 0, async:, etc options may enable repro (or if this is something specific to downstream).


Note: local fuzzer repros require the custom ASAN_OPTIONS from the report.
It looks like this is a leak in //third_party/opus. Hence the plain upstream ffplay no-repro.
Cc: wolenetz@chromium.org henrika@chromium.org
Owner: sergeyu@chromium.org
--> sergeyu@ / henrika@ this looks like a memory leak in //third_party/opus, as used by the "libopus" configuration of ffmpeg in Chrome. Please take a look.
Cc: dalecur...@chromium.org
Dale - am I correct that //third_party/opus/OWNERS are the ones to fix this leak in libopus?
Cc: sergeyu@chromium.org
Owner: wolenetz@chromium.org
Hmm. I added some logging to my local Chrome build. It looks like there is *not* a multistream_decoder_destroy operation done in the repro case. Therefore, it seems more likely this *is* an ffmpeg issue with how it invokes libopus API. I'll take this one back (though I may need to hand it over to liberato@ for next roll.)
Cc: minyue@chromium.org gustaf@chromium.org
Potential downstream ffmpeg fix is in review: https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/1006035
Cc: xhw...@chromium.org
The path that triggered this issue is https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavcodec/utils.c?q=avcodec_open2&sq=package:chromium&l=949 (following successful decoder init in line 921).
Similar patch is also in upstream review @ https://patchwork.ffmpeg.org/patch/8381/, though landing downstream before branch cut might simplify this part of liberato@'s roll, hence trying downstream too :)
Project Member

Comment 17 by bugdroid1@chromium.org, Apr 11 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/5af686b3cfa25ee98bb9a88008ff04257d560764

commit 5af686b3cfa25ee98bb9a88008ff04257d560764
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Apr 11 21:53:12 2018

lavc/libopusdec: Allow avcodec_open2 to call .close

If there is a decoder initialization failure detected in avcodec_open2
after .init is called, allow graceful decoder .close to prevent leaking
libopus decoder allocations.

BUG= 828526 

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081)

R=xhwang@chromium.org

Change-Id: Ibac71ede2d86c1b03ea4e164494e5d0e8c819df7
Reviewed-on: https://chromium-review.googlesource.com/1008682
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>

[modify] https://crrev.com/5af686b3cfa25ee98bb9a88008ff04257d560764/libavcodec/libopusdec.c
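The leak pattern described in the comments above (avcodec_open2 calls the codec's .init, which allocates the libopus multistream decoder; a later check in avcodec_open2 fails and returns an error without ever calling .close, so opus_multistream_decoder_destroy is never reached) and the fix summarized in the commit message (allow avcodec_open2 to call .close after an init failure) can be modelled with a small mock. This is an added example, not code from FFmpeg, libopus or the Chromium tree: every function and type below with a `mock_` or `Mock` prefix is a constructed stand-in, `fail_after_init` is a constructed switch for the post-init failure, and the real fix is expressed in libavcodec as a codec capability rather than the boolean parameter used here.

```c
#include <stdio.h>
#include <stdlib.h>

/* Number of live (created, not yet destroyed) mock decoders. A non-zero value
 * after an open() that returned failure is the leak ASan reported. */
static int live_decoders = 0;

/* Stand-in for the libopus OpusMSDecoder object. */
typedef struct MockMSDecoder {
    int channels;
} MockMSDecoder;

/* Stand-in for AVCodecContext; only the fields the example needs. */
typedef struct MockCodecContext {
    int channels;
    int fail_after_init;   /* constructed: forces the post-init check to fail */
    MockMSDecoder *priv;   /* where .init stores the decoder it created */
} MockCodecContext;

/* Mock of opus_multistream_decoder_create(): one heap allocation per call. */
static MockMSDecoder *mock_ms_decoder_create(int channels)
{
    MockMSDecoder *d = malloc(sizeof(*d));
    if (!d)
        return NULL;
    d->channels = channels;
    live_decoders++;
    return d;
}

/* Mock of opus_multistream_decoder_destroy(); NULL is a no-op. */
static void mock_ms_decoder_destroy(MockMSDecoder *d)
{
    if (!d)
        return;
    live_decoders--;
    free(d);
}

/* The codec's .init: allocates the libopus decoder. */
static int mock_libopus_decode_init(MockCodecContext *avc)
{
    avc->priv = mock_ms_decoder_create(avc->channels);
    return avc->priv ? 0 : -1;
}

/* The codec's .close: safe to call even when .init left priv unset. */
static int mock_libopus_decode_close(MockCodecContext *avc)
{
    mock_ms_decoder_destroy(avc->priv);
    avc->priv = NULL;
    return 0;
}

/* Constructed stand-in for the validation avcodec_open2 runs after .init
 * (the check the comment above locates near utils.c line 949). */
static int mock_post_init_check(const MockCodecContext *avc)
{
    return avc->fail_after_init ? -1 : 0;
}

/* Mock of the relevant slice of avcodec_open2. With close_on_init_failure == 0
 * it follows the buggy path: .init succeeded, a later check fails, an error is
 * returned and .close never runs. With 1 it follows the fixed path. */
static int mock_avcodec_open2(MockCodecContext *avc, int close_on_init_failure)
{
    int ret = mock_libopus_decode_init(avc);
    if (ret < 0)
        return ret;

    ret = mock_post_init_check(avc);
    if (ret < 0) {
        if (close_on_init_failure)
            mock_libopus_decode_close(avc);  /* the fix: release what .init allocated */
        return ret;
    }
    return 0;
}

/* Open a context that is guaranteed to fail after .init and report how many
 * decoders remain live. The caller of a failed open never calls close itself,
 * because it never received a usable context. */
int leaked_after_failed_open(int close_on_init_failure)
{
    MockCodecContext avc = { .channels = 2, .fail_after_init = 1, .priv = NULL };
    live_decoders = 0;
    (void)mock_avcodec_open2(&avc, close_on_init_failure);
    return live_decoders;
}

/* Control case: a successful open followed by the normal close leaks nothing. */
int leaked_after_successful_open(void)
{
    MockCodecContext avc = { .channels = 2, .fail_after_init = 0, .priv = NULL };
    live_decoders = 0;
    if (mock_avcodec_open2(&avc, 1) == 0)
        mock_libopus_decode_close(&avc);
    return live_decoders;
}

int main(void)
{
    printf("buggy path leaks %d decoder(s)\n", leaked_after_failed_open(0));
    printf("fixed path leaks %d decoder(s)\n", leaked_after_failed_open(1));
    printf("open+close leaks %d decoder(s)\n", leaked_after_successful_open());
    return 0;
}
```

The point the mock makes is the one the thread arrived at: the leak is not in libopus, which pairs create/destroy correctly, but in the caller's error path, which allocated through .init and then abandoned the context without .close. Building this under ASan with leak detection enabled reports the buggy path and stays silent on the fixed one, which is the same signal ClusterFuzz used to mark the issue fixed.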

Blocking: 803898
Project Member

Comment 19 by bugdroid1@chromium.org, Apr 12 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/876e4e3bfe8b0905d9045c680530f2e08d1aa0b7

commit 876e4e3bfe8b0905d9045c680530f2e08d1aa0b7
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Thu Apr 12 19:26:06 2018

Roll src/third_party/ffmpeg/ 272be0ac4..5af686b3c (1 commit)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/272be0ac4cae..5af686b3cfa2

$ git log 272be0ac4..5af686b3c --date=short --no-merges --format='%ad %ae %s'
2018-04-11 wolenetz lavc/libopusdec: Allow avcodec_open2 to call .close

Created with:
  roll-dep src/third_party/ffmpeg

TBR=xhwang@chromium.org

Bug:  828526 
Change-Id: I07f28b8b0cc722d5f07040738fc15d3a3db3f832
Reviewed-on: https://chromium-review.googlesource.com/1008879
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550303}
[modify] https://crrev.com/876e4e3bfe8b0905d9045c680530f2e08d1aa0b7/DEPS

Project Member

Comment 20 by ClusterFuzz, Apr 13 2018

ClusterFuzz has detected this issue as fixed in range 550297:550318.

Detailed report: https://clusterfuzz.com/testcase?key=5637372251996160

Fuzzer: libFuzzer_audio_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  opus_multistream_decoder_create
  libopus_decode_init
  avcodec_open2
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=546309:546321
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=550297:550318

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637372251996160

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 21 by ClusterFuzz, Apr 13 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5637372251996160 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 22 by bugdroid1@chromium.org, Apr 17 2018

Labels: merge-merged-testbranch
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/876e4e3bfe8b0905d9045c680530f2e08d1aa0b7

commit 876e4e3bfe8b0905d9045c680530f2e08d1aa0b7
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Thu Apr 12 19:26:06 2018

Roll src/third_party/ffmpeg/ 272be0ac4..5af686b3c (1 commit)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/272be0ac4cae..5af686b3cfa2

$ git log 272be0ac4..5af686b3c --date=short --no-merges --format='%ad %ae %s'
2018-04-11 wolenetz lavc/libopusdec: Allow avcodec_open2 to call .close

Created with:
  roll-dep src/third_party/ffmpeg

TBR=xhwang@chromium.org

Bug:  828526 
Change-Id: I07f28b8b0cc722d5f07040738fc15d3a3db3f832
Reviewed-on: https://chromium-review.googlesource.com/1008879
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550303}
[modify] https://crrev.com/876e4e3bfe8b0905d9045c680530f2e08d1aa0b7/DEPS
