Security: corrupt VP9 frame will cause tab crash
Issue description

VULNERABILITY DETAILS
Original bug: crbug.com/webm/1543

VERSION
Chrome Version: m67- (all current stable-tip of tree)
Operating System: All

REPRODUCTION CASE
Attached. Drop the .crash extension and open with file:///...crbug-webm-1543.webm

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: stacktrace would be similar to:
  ==14188==    at 0x0: ???
  ==14188==    by 0x4D8C07: vpx_rb_read_bit (bitreader_buffer.c:26)
  ==14188==    by 0x4D8C07: vpx_rb_read_literal (bitreader_buffer.c:33)
  ==14188==    by 0x4B916A: vp9_read_frame_size (vp9_decodeframe.c:2002)
  ==14188==    by 0x4B8FA8: decoder_peek_si_internal (vp9_dx_iface.c:163)
  ==14188==    by 0x4B908F: decode_one (vp9_dx_iface.c:283)
  ==14188==    by 0x4B81B2: decoder_decode (vp9_dx_iface.c:361)
  ==14188==    by 0x4671EA: vpx_codec_decode (vpx_decoder.c:116)
Jul 26
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6204574168514560.
Jul 26
Detailed report: https://clusterfuzz.com/testcase?key=6204574168514560
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  base::CreateThread
  base::Thread::StartWithOptions
  base::Thread::Start
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6204574168514560
See https://github.com/google/clusterfuzz-tools for more information.
Jul 26
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Jul 27
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a7948e97ce51557236900d95558cc28af6c4c5d6

commit a7948e97ce51557236900d95558cc28af6c4c5d6
Author: James Zern <jzern@chromium.org>
Date: Fri Jul 27 00:03:23 2018

Roll src/third_party/libvpx/source/libvpx/ 2c45cd174..3b921d49b (40 commits)

https://chromium.googlesource.com/webm/libvpx.git/+log/2c45cd174a95..3b921d49b07a

$ git log 2c45cd174..3b921d49b --date=short --no-merges --format='%ad %ae %s'
2018-07-25 marpan vp9: Modify condition for force test of intra
2018-07-25 marpan vp9: Avoid early breakout on slide change
2018-07-24 jzern vp9: fix OOB read in decoder_peek_si_internal
2018-07-25 marpan Revert "vp9: Adjust reset segment for real-time screen-content"
2018-07-25 jingning Clean up get_overlap_area function
2018-07-24 jingning Factor out mode estimation process in tpl model build
2018-07-24 yaowu Improve help message for arnr-type
2018-07-24 huisu Fix typos in txfm_rd_in_plane()
2018-07-24 marpan vp9: Modify logic for flat blocks in nonrd-pickmode.
2018-07-24 wtc Check size limit in vpx_realloc_frame_buffer.
2018-07-24 slavarnway VPX: avg_intrin_sse2.c, avg_intrin_avx2.c cleanup
2018-07-24 paulwilkins Limit min Q for normal frames.
2018-07-23 marpan vp9: Adjust reset segment for real-time screen-content
2018-07-23 slavarnway VPX: Improve HBD vpx_hadamard_32x32_avx2()
2018-07-23 jingning Pass in block size for motion search function
2018-07-22 jingning Make the tpl model update operated in 8x8 block unit
2018-07-23 jingning Refactor overlap area computation
2018-07-23 slavarnway VPX: Add vpx_hadamard_32x32_avx2
2018-07-20 huisu Add prune_ref_frame_for_rect_partitions feature
2018-07-22 jingning Map coding block size to transform block size
(...)

Created with:
  roll-dep src/third_party/libvpx/source/libvpx

R=tomfinegan@chromium.org

Bug: 867792
Change-Id: I196965bee2e278b011cde10ad677b7f69aff0ef1
Reviewed-on: https://chromium-review.googlesource.com/1151052
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Reviewed-by: Tom Finegan <tomfinegan@chromium.org>
Commit-Queue: James Zern <jzern@google.com>
Cr-Commit-Position: refs/heads/master@{#578492}

[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/DEPS
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/README.chromium
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/source/config/linux/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/source/config/linux/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/source/config/mac/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/source/config/mac/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/source/config/vpx_version.h
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/source/config/win/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/a7948e97ce51557236900d95558cc28af6c4c5d6/third_party/libvpx/source/config/win/x64/vpx_dsp_rtcd.h
Jul 27
ClusterFuzz has detected this issue as fixed in range 578489:578493.

Detailed report: https://clusterfuzz.com/testcase?key=6204574168514560
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  base::CreateThread
  base::Thread::StartWithOptions
  base::Thread::Start
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=578489:578493
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6204574168514560
See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 27
ClusterFuzz testcase 6204574168514560 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 27
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 27
+awhalley@ (Security TPM) for M69 merge review.
Jul 27
The merge will be for an update to DEPS to reference the m69-3497 upstream branch containing a cherry-pick of the fix in comment #1.
Jul 30
govind@ - good for 69
Jul 30
Approving merge to M69 branch 3497 based on comment #17. Please merge ASAP. Thank you.
Jul 30
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f0191c3dd6a2090304c7372703c40254212c8688

commit f0191c3dd6a2090304c7372703c40254212c8688
Author: James Zern <jzern@chromium.org>
Date: Mon Jul 30 21:50:37 2018

Roll src/third_party/libvpx/source/libvpx/ 2c45cd174..b0dfe4e5c (1 commit)

https://chromium.googlesource.com/webm/libvpx.git/+log/2c45cd174a95..b0dfe4e5c1dd

$ git log 2c45cd174..b0dfe4e5c --date=short --no-merges --format='%ad %ae %s'
2018-07-24 jzern vp9: fix OOB read in decoder_peek_si_internal

Created with:
  roll-dep src/third_party/libvpx/source/libvpx

R=johannkoenig@chromium.org

Bug: 867792
Change-Id: I2dbdaf205764a9241f302fe280db6620cf5e7c9e
Reviewed-on: https://chromium-review.googlesource.com/1155738
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Cr-Commit-Position: refs/branch-heads/3497@{#251}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}

[modify] https://crrev.com/f0191c3dd6a2090304c7372703c40254212c8688/DEPS
[modify] https://crrev.com/f0191c3dd6a2090304c7372703c40254212c8688/third_party/libvpx/README.chromium
[modify] https://crrev.com/f0191c3dd6a2090304c7372703c40254212c8688/third_party/libvpx/source/config/vpx_version.h
Jul 31
This bug requires manual review: Request affecting a post-stable build.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 2
awhalley@ how critical is this for M68?
Aug 2
jzern, mind adding me to crbug.com/webm/1543?
Aug 2
Done (@chromium.org)
Aug 3
Thanks! abdulsyed@: not critical but as an externally reported medium, it's within scope for a speculative merge to stable once it's been in Beta for a while, in case there's another 68 respin (though I know that's unlikely)
Aug 6
Seems like it's been in Beta since Thursday. jzern@ how safe is this fix? What are the chances of it introducing new regressions in M68?
Aug 6
No chance for the NULL pointer check. With a valid file the other half of this change won't occur as we don't use this function in chrome to probe partial frame data and a frame of this size would otherwise fail as it would be incomplete.
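An added illustration of the two defensive halves described in that comment, written for this page and not taken from libvpx or from the fix itself: a standalone bit reader in the shape suggested by the stack trace above (an unguarded call through a NULL error handler is what a frame `at 0x0` looks like), plus a length check before the frame-size probe reads any bits. Field and function names mirror libvpx's by assumption only; the header bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Standalone bit reader modelled on the shape of libvpx's vpx_read_bit_buffer
 * (assumption: field names mirror libvpx; this is not libvpx code). */
typedef void (*rb_error_fn)(void *data);

typedef struct {
    const uint8_t *buf;
    const uint8_t *buf_end;
    size_t bit_offset;
    rb_error_fn error_handler;  /* may be NULL: an unguarded call here jumps to 0x0 */
    void *error_handler_data;
    int error;                  /* sticky overrun flag so callers can fail cleanly */
} bit_reader;

/* Hardened read-bit: on overrun set the flag, call the handler only if one is
 * installed, and leave bit_offset unchanged so the byte index never passes buf_end. */
static int rb_read_bit(bit_reader *rb) {
    const size_t byte = rb->bit_offset >> 3;
    const int shift = 7 - (int)(rb->bit_offset & 7);
    if (rb->buf + byte < rb->buf_end) {
        rb->bit_offset++;
        return (rb->buf[byte] >> shift) & 1;
    }
    rb->error = 1;
    if (rb->error_handler != NULL) rb->error_handler(rb->error_handler_data);
    return 0;  /* a returned 0 is not a signal; callers must check rb->error */
}

static int rb_read_literal(bit_reader *rb, int bits) {
    int v = 0;
    while (bits-- > 0) v = (v << 1) | rb_read_bit(rb);
    return v;
}

/* Frame-size probe in the spirit of vp9_read_frame_size: width-1 and height-1 as
 * 16-bit fields. Returns 0 on success, -1 if fewer than 4 bytes were supplied. */
int peek_frame_size(const uint8_t *data, size_t data_sz, int *w, int *h) {
    bit_reader rb = { data, data + data_sz, 0, NULL, NULL, 0 };
    if (data_sz < 4) return -1;  /* length check before touching the bits */
    *w = rb_read_literal(&rb, 16) + 1;
    *h = rb_read_literal(&rb, 16) + 1;
    return rb.error ? -1 : 0;
}
```

With a complete 4-byte header the probe returns the dimensions; with a truncated buffer it reports failure instead of reading past the end or calling through a NULL handler.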
Aug 9
Let's target this for M69.
Nov 3
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jzern@chromium.org, Jul 26