Security: libaom/av1_dec_fuzzer: Crash in av1_decode_tg_tiles_and_wrapup

Issue description

Original bug reported by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9720

Detailed report: https://oss-fuzz.com/testcase?key=6252202405396480

Project: libaom
Fuzzer: libFuzzer_libaom_av1_dec_fuzzer
Fuzz target binary: av1_dec_fuzzer
Job Type: libfuzzer_asan_libaom
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x6340000252d0
Crash State:
  av1_decode_tg_tiles_and_wrapup
  aom_decode_frame_from_obus
  av1_receive_compressed_data

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=6252202405396480

The upstream fix is: https://aomedia-review.googlesource.com/q/Ic02900ec50dc8f4af6dea3678f49e1bec41a770c
Aug 7
Not sure if this is high enough severity for Release-Block-Beta but this code is in M69.
Aug 7
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ac46ca48dcac85e0822478a0dedb11d5616daa3a

commit ac46ca48dcac85e0822478a0dedb11d5616daa3a
Author: Wan-Teh Chang <wtc@google.com>
Date: Tue Aug 07 23:57:48 2018

Roll src/third_party/libaom/source/libaom/ bc484c485..7a76b645a (72 commits)

https://aomedia.googlesource.com/aom.git/+log/bc484c485277..7a76b645a08c

$ git log bc484c485..7a76b645a --date=short --no-merges --format='%ad %ae %s'
2018-08-06 tomfinegan Move aom_read_obu_header from exports_test to exports_dec
2018-08-06 wtc Add a regression test for bug oss-fuzz:9720 .
2018-08-06 tomfinegan av1_txfm_test: exclude from shared lib tests.
2018-08-03 mbonadei aomenc: replace uint16 with uint16_t
2018-08-06 ranjit.tulabandu Fix crash issue with monochrome content
2018-08-01 ranjit.tulabandu Fix issues in interpolation filter selection
2018-08-03 urvang Refactor code in setup_ref_mv_list.
2018-08-03 urvang Introduce read_delta_q_params() function.
2018-08-03 chiyotsai Remove repeated code in encode_rd_sb_row
2018-08-03 chiyotsai Replace is_single_inter_mode with is_inter_singleref_mode
2018-08-04 wtc read_tile_info: Validate context_update_tile_id.
2018-08-04 wtc Fix spelling mistake: partiton => partition.
2018-08-03 wtc Document get_partition_subsize and ss_size_lookup.
2018-08-03 debargha Make ss_size lookup same as the spec
2018-08-03 urvang Rename some intra mode functions for clarity.
2018-08-03 urvang Introduce write_intra_prediction_modes() func.
2018-08-03 sarahparker Clean up show_existing_frame decision
2018-08-03 urvang wiener_test: Dedup compute_stats_win* funcs.
2018-08-03 urvang Introduce write_delta_q_params() function.
2018-08-02 wtc Add comments for width/height lookup tables.
(...)

Created with:
  roll-dep src/third_party/libaom/source/libaom

R=johannkoenig@google.com,urvang@chromium.org

BUG= 871928
BUG= oss-fuzz:9720

Change-Id: Ie58f1c92c5cac29d9a6b98de1871620f4467a567
Reviewed-on: https://chromium-review.googlesource.com/1166147
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Commit-Queue: Wan-Teh Chang <wtc@google.com>
Cr-Commit-Position: refs/heads/master@{#581396}

[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/DEPS
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/README.chromium
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/libaom_srcs.gni
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/config/aom_version.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.c
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm-neon/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm-neon/config/aom_config.c
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm-neon/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm/config/aom_config.c
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm64/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm64/config/aom_config.c
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/arm64/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/generic/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/generic/config/aom_config.c
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/generic/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/ia32/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/ia32/config/aom_config.c
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/ia32/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/x64/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/linux/x64/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/win/ia32/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/win/ia32/config/aom_config.c
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/win/ia32/config/aom_config.h
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/win/x64/config/aom_config.asm
[modify] https://crrev.com/ac46ca48dcac85e0822478a0dedb11d5616daa3a/third_party/libaom/source/config/win/x64/config/aom_config.h
Aug 8
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 8
I'd like to request merge approval for M69: https://chromium-review.googlesource.com/c/chromium/src/+/1168148 The only libaom change in this DEPS roll is: https://aomedia-review.googlesource.com/c/aom/+/67281
Aug 8
+awhalley@ (Security TPM) for M69 merge review.
Aug 8
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 9
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 9
govind - good for 69
Aug 9
Approving merge to M69 branch 3497 based on comment #12, pls merge ASAP.
Aug 9
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5207ac6ab23cb007970cd0e2263908d3d15a59be

commit 5207ac6ab23cb007970cd0e2263908d3d15a59be
Author: Wan-Teh Chang <wtc@google.com>
Date: Thu Aug 09 22:19:06 2018

Roll src/third_party/libaom/source/libaom/ e96c7350a..9655bde9f (1 commit)

https://aomedia.googlesource.com/aom.git/+log/e96c7350ab1e..9655bde9fba5

$ git log e96c7350a..9655bde9f --date=short --no-merges --format='%ad %ae %s'
2018-08-04 wtc read_tile_info: Validate context_update_tile_id.

Created with:
  roll-dep src/third_party/libaom/source/libaom

R=johannkoenig@google.com

BUG: 871928
BUG: oss-fuzz:9720

Change-Id: I2ab7faaffc7763ae2cc29c2ee70ae6b3a70c2ca0
Reviewed-on: https://chromium-review.googlesource.com/1168148
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Cr-Commit-Position: refs/branch-heads/3497@{#522}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}

[modify] https://crrev.com/5207ac6ab23cb007970cd0e2263908d3d15a59be/DEPS
[modify] https://crrev.com/5207ac6ab23cb007970cd0e2263908d3d15a59be/third_party/libaom/README.chromium
[modify] https://crrev.com/5207ac6ab23cb007970cd0e2263908d3d15a59be/third_party/libaom/source/config/config/aom_version.h
Nov 15
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Aug 7