Direct-leak in opus_multistream_decoder_create
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5637372251996160
Fuzzer: libFuzzer_audio_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Direct-leak
Crash Address:
Crash State:
  opus_multistream_decoder_create
  libopus_decode_init
  avcodec_open2
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=546309:546321
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637372251996160

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Apr 3 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/4b5068a99a84ff2edb34aa0549afc89aa751ccb4 (Add audio_decoder_fuzzer fuzz target.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Apr 3 2018
Matt, Dale, do you know who I can route this to?
Apr 3 2018
matt or liberato (next ffmpeg roller) are the right folks.
Apr 9 2018
Frank, since I'm syncing w/Michael this week, I'll start on this (though it may pass to you to fix in your roll). I have a confirmed local repro using *both* audio_decoder_fuzzer and media_pipeline_integration_fuzzer. I couldn't get this to repro on current upstream ffplay (3b2fd960481d90d0788e1958a2b1469ac55ba3c5) or on upstream ffplay from the M67 hash (9c249110ea974ce213840fde5ee5a3d842fa088d). Will investigate further to see if -ss 0, async:, etc options may enable repro (or if this is something specific to downstream).
Apr 9 2018
Note: local fuzzer repros require the custom ASAN_OPTIONS from the report.
Apr 9 2018
It looks like this is a leak in //third_party/opus. Hence the plain upstream ffplay no-repro.
Apr 9 2018
--> sergeyu@ / henrika@ this looks like a memory leak in //third_party/opus, as used by the "libopus" configuration of ffmpeg in Chrome. Please take a look.
Apr 9 2018
Dale - am I correct that //third_party/opus/OWNERS are the ones to fix this leak in libopus?
Apr 10 2018
Hmm. I added some logging to my local Chrome build. It looks like there is *not* a multistream_decoder_destroy operation done in the repro case. Therefore, it seems more likely this *is* an ffmpeg issue with how it invokes libopus API. I'll take this one back (though I may need to hand it over to liberato@ for next roll.)
Apr 10 2018
Potential downstream ffmpeg fix is in review: https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/1006035
Apr 10 2018
The path that triggered this issue is https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavcodec/utils.c?q=avcodec_open2&sq=package:chromium&l=949 (following successful decoder init in line 921).
Apr 10 2018
Similar patch is also in upstream review @ https://patchwork.ffmpeg.org/patch/8381/, though landing downstream before branch cut might simplify this part of liberato@'s roll, hence trying downstream too :)
Apr 11 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/5af686b3cfa25ee98bb9a88008ff04257d560764

commit 5af686b3cfa25ee98bb9a88008ff04257d560764
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Apr 11 21:53:12 2018

lavc/libopusdec: Allow avcodec_open2 to call .close

If there is a decoder initialization failure detected in avcodec_open2 after .init is called, allow graceful decoder .close to prevent leaking libopus decoder allocations.

BUG= 828526
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081)
R=xhwang@chromium.org
Change-Id: Ibac71ede2d86c1b03ea4e164494e5d0e8c819df7
Reviewed-on: https://chromium-review.googlesource.com/1008682
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>

[modify] https://crrev.com/5af686b3cfa25ee98bb9a88008ff04257d560764/libavcodec/libopusdec.c
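As an added illustration (not ffmpeg's or libopus's code), the C model below shows the leak class fixed above: a validation failure inside avcodec_open2 after a successful .init leaves the libopus decoder allocated unless the codec opts into post-init cleanup. The Codec table, the slot pool standing in for opus_multistream_decoder_create/destroy, and the CAP_INIT_CLEANUP constant are constructed stand-ins for ffmpeg internals.

```c
#include <stddef.h>

/* Constructed model of the avcodec_open2() failure path from this bug
 * (illustration only, not the ffmpeg or libopus sources). The "opus
 * decoder" is a slot in a fixed pool, so the demo never really leaks. */

#define CAP_INIT_CLEANUP 1   /* stand-in for an "allow .close after failed init" capability */
#define POOL_SIZE 8

static int pool_in_use[POOL_SIZE]; /* 1 = a "decoder" is live in this slot */
static int live_decoders = 0;      /* what a leak sanitizer would still see allocated */

typedef struct DecoderPriv { int slot; } DecoderPriv; /* -1 = no decoder created */

typedef struct Codec {
    int caps;
    int (*init)(DecoderPriv *);
    void (*close)(DecoderPriv *);
} Codec;

/* Models libopus_decode_init(): "create" a multistream decoder. */
static int opus_init(DecoderPriv *p) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool_in_use[i]) { pool_in_use[i] = 1; p->slot = i; live_decoders++; return 0; }
    }
    return -1; /* pool exhausted, like a failing opus_multistream_decoder_create() */
}

/* Models libopus_decode_close(): destroy the decoder created by init. */
static void opus_close(DecoderPriv *p) {
    if (p->slot >= 0) { pool_in_use[p->slot] = 0; p->slot = -1; live_decoders--; }
}

/* A validation step that runs after .init and fails, like the path after line 921. */
static int validate_after_init(void) { return -1; }

/* Models avcodec_open2(): .init succeeds, later validation fails.
 * Returns how many decoders this call left live (0 = nothing leaked). */
static int open_then_fail(const Codec *c) {
    DecoderPriv priv = { -1 };
    int before = live_decoders;
    if (c->init(&priv) < 0) return live_decoders - before;
    if (validate_after_init() < 0) {
        /* Before the fix, open returned here without calling .close;
         * the cleanup capability lets it release what .init allocated. */
        if (c->caps & CAP_INIT_CLEANUP) c->close(&priv);
        return live_decoders - before;
    }
    c->close(&priv); /* success path, not reached in this model */
    return 0;
}

static const Codec leaky_codec = { 0, opus_init, opus_close };
static const Codec fixed_codec = { CAP_INIT_CLEANUP, opus_init, opus_close };
```

With the leaky table the failed open leaves one decoder live, which is exactly what the ASAN Direct-leak report attributes to opus_multistream_decoder_create; with the cleanup capability it leaves none.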
Apr 12 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/876e4e3bfe8b0905d9045c680530f2e08d1aa0b7

commit 876e4e3bfe8b0905d9045c680530f2e08d1aa0b7
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Thu Apr 12 19:26:06 2018

Roll src/third_party/ffmpeg/ 272be0ac4..5af686b3c (1 commit)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/272be0ac4cae..5af686b3cfa2

$ git log 272be0ac4..5af686b3c --date=short --no-merges --format='%ad %ae %s'
2018-04-11 wolenetz lavc/libopusdec: Allow avcodec_open2 to call .close

Created with:
  roll-dep src/third_party/ffmpeg

TBR=xhwang@chromium.org
Bug: 828526
Change-Id: I07f28b8b0cc722d5f07040738fc15d3a3db3f832
Reviewed-on: https://chromium-review.googlesource.com/1008879
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550303}

[modify] https://crrev.com/876e4e3bfe8b0905d9045c680530f2e08d1aa0b7/DEPS
Apr 13 2018
ClusterFuzz has detected this issue as fixed in range 550297:550318.

Detailed report: https://clusterfuzz.com/testcase?key=5637372251996160
Fuzzer: libFuzzer_audio_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Direct-leak
Crash Address:
Crash State:
  opus_multistream_decoder_create
  libopus_decode_init
  avcodec_open2
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=546309:546321
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=550297:550318
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637372251996160

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 13 2018
ClusterFuzz testcase 5637372251996160 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.