New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 837922 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit 19 days ago
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in WebRtcIlbcfix_DoThePlc

Project Member Reported by ClusterFuzz, Apr 28 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6667675296858112

Fuzzer: libFuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  WebRtcIlbcfix_DoThePlc
  WebRtcIlbcfix_DecodeImpl
  WebRtcIlbcfix_Decode
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6667675296858112

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Cc: pnangunoori@chromium.org
Components: Internals>Media>Audio
Labels: M-67 Test-Predator-Wrong CF-NeedsTriage
Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.
Thank You.
Owner: hlundin@chromium.org
Owner: saza@chromium.org
Status: Assigned (was: Untriaged)

Comment 5 by saza@chromium.org, May 11 2018

Status: Started (was: Assigned)
Project Member

Comment 6 by bugdroid1@chromium.org, May 15 2018

The following revision refers to this bug:
  https://webrtc.googlesource.com/src.git/+/ae93f0412a05cd1f865b6c0abb6d234bbfa4fe12

commit ae93f0412a05cd1f865b6c0abb6d234bbfa4fe12
Author: Sam Zackrisson <saza@webrtc.org>
Date: Tue May 15 13:01:42 2018

Make an energy computation not overflow in iLBC PLC

The current implementation carefully shifts down the energy so as not to overflow.
The fuzzer audio_decoder_ilbc_fuzzer found an integer overflow anyway.
The energy is only used for a threshold check.

This fix stops the energy computation when the threshold is reached, before it can overflow.

Bug:  chromium:837922 
Change-Id: I45e84d2d271a37e6476b08433a2cbd5a8f6e6f26
Reviewed-on: https://webrtc-review.googlesource.com/76122
Commit-Queue: Sam Zackrisson <saza@webrtc.org>
Reviewed-by: Minyue Li <minyue@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23242}
[modify] https://crrev.com/ae93f0412a05cd1f865b6c0abb6d234bbfa4fe12/modules/audio_coding/codecs/ilbc/do_plc.c

Project Member

Comment 7 by bugdroid1@chromium.org, May 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c3a9d847c7fc2dcc5db06b0f120c181c8605f7d1

commit c3a9d847c7fc2dcc5db06b0f120c181c8605f7d1
Author: webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Tue May 15 17:16:22 2018

Roll src/third_party/webrtc/ 59216ec4a..28a325b52 (2 commits)

https://webrtc.googlesource.com/src.git/+log/59216ec4a415..28a325b52314

$ git log 59216ec4a..28a325b52 --date=short --no-merges --format='%ad %ae %s'

Created with:
  roll-dep src/third_party/webrtc
BUG= chromium:837922 


The AutoRoll server is located here: https://webrtc-chromium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_archive_rel_ng;master.tryserver.chromium.mac:mac_chromium_archive_rel_ng
TBR=webrtc-chromium-sheriffs-robots@google.com

Change-Id: I870a6247f79807e033d7a70773eb0f9b0d2946e9
Reviewed-on: https://chromium-review.googlesource.com/1059708
Commit-Queue: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#558761}
[modify] https://crrev.com/c3a9d847c7fc2dcc5db06b0f120c181c8605f7d1/DEPS

Project Member

Comment 8 by ClusterFuzz, May 16 2018

ClusterFuzz has detected this issue as fixed in range 558760:558767.

Detailed report: https://clusterfuzz.com/testcase?key=6667675296858112

Fuzzer: libFuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  WebRtcIlbcfix_DoThePlc
  WebRtcIlbcfix_DecodeImpl
  WebRtcIlbcfix_Decode
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=558760:558767

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6667675296858112

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, May 16 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6667675296858112 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment