New issue
Advanced search Search tips

Issue 868241 link

Starred by 1 user
Status: Fixed
Owner:
guidou@chromium.org
Closed: Jul 31
Cc:
kkaluri@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in content::MediaDevicesManager::ComputeVideoInputCapabilities

Project Member Reported by ClusterFuzz, Jul 27 
Detailed report: https://clusterfuzz.com/testcase?key=4820135039467520

Fuzzer: mojo_fuzzer
Job Type: linux_asan_chrome_mojo
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  content::MediaDevicesManager::ComputeVideoInputCapabilities
  content::MediaDevicesManager::OnDevicesEnumerated
  base::internal::Invoker<base::internal::BindState<void
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=575724:575746

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4820135039467520

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by kkaluri@chromium.org, Jul 27

Cc: kkaluri@chromium.org
Labels: M-70
Owner: guidou@chromium.org
Status: Assigned (was: Untriaged)
Predator has provided one possible suspect, hence assigning it to guidou@

Suspect CL : https://chromium.googlesource.com/chromium/src/+/4273437267c208d21f3a5dba963673501cc72c95

guidou@ Could you please look into it.

Comment 2 by guidou@chromium.org, Jul 30

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 30 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e777b139d2bbbfe81293df28a29373cfad8fff46

commit e777b139d2bbbfe81293df28a29373cfad8fff46
Author: Guido Urdaneta <guidou@chromium.org>
Date: Mon Jul 30 13:27:30 2018

Fix possible use-after-move in MediaDevicesManager

A result was unnecessarily moved and possibly used after move
in content::MediaDevicesManager::OnDevicesEnumerated.

Existing unit tests cover the affected code path, although it
does not result in a crash, perhaps because the move is
unnecessary and might be optimized away.

No crashes have been observed in the wild either, except on
a clusterfuzz build that performs IPC directly instead of going
through the getCapabilities() JavaScript API.

Bug:  868241 
Change-Id: I2a3d9704a789c67b9eb763e1257504187201f941
Reviewed-on: https://chromium-review.googlesource.com/1154911
Reviewed-by: Henrik Boström <hbos@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579026}
[modify] https://crrev.com/e777b139d2bbbfe81293df28a29373cfad8fff46/content/browser/renderer_host/media/media_devices_manager.cc

Comment 4 by guidou@chromium.org, Jul 31

Status: Fixed (was: Started)

Sign in to add a comment