Null-dereference WRITE in vp8_intra4x4_predict
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5643071879118848

Fuzzer: libFuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x000000000002
Crash State:
  vp8_intra4x4_predict
  mt_decode_macroblock
  mt_decode_mb_rows

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=584316:584317

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5643071879118848

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Aug 20
ClusterFuzz testcase 5643071879118848 appears to be flaky, updating reproducibility label.
Aug 20
It could be fixed by this CL: https://chromium-review.googlesource.com/c/webm/libvpx/+/1165791 I tried the fuzzer with this CL and it was fixed. I'm still working on that.
Aug 22
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/ca9ab3fc46b2d3d839ff1e09660e83f146dd9a0b

commit ca9ab3fc46b2d3d839ff1e09660e83f146dd9a0b
Author: Jerome Jiang <jianj@google.com>
Date: Wed Aug 22 18:03:32 2018

Revert "vp8: Fix memory address overflow in decoder."

This reverts commit 45cf384738ad261de7d00769c19b9b2842af06a7.

BUG=875626,875680,webm:1496
Change-Id: I78037b5e57dbf6cfe326b29beaad1128868f09f2

[modify] https://crrev.com/ca9ab3fc46b2d3d839ff1e09660e83f146dd9a0b/vp8/decoder/threading.c
Aug 22
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8abf422373a5f872de1d91e16102ed908049fb5b

commit 8abf422373a5f872de1d91e16102ed908049fb5b
Author: Jerome Jiang <jianj@google.com>
Date: Wed Aug 22 23:14:23 2018

Roll src/third_party/libvpx/source/libvpx/ 6c62530c6..dbcb89be2 (28 commits)

https://chromium.googlesource.com/webm/libvpx.git/+log/6c62530c666f..dbcb89be244e

$ git log 6c62530c6..dbcb89be2 --date=short --no-merges --format='%ad %ae %s'
2018-08-22 jianj Revert "vp8: Fix memory address overflow in decoder."
2018-08-22 jingning Set refresh_frame_context flag off in show_existing_frame mode
2018-08-21 jingning Drop empty line in vp9_get_compressed_data()
2018-08-21 jingning Allow codec to skip temporal filter for intermediate ARFs
2018-08-21 jingning Control reference frame refresh flags for USE_BUF_FRAME
2018-08-21 jingning Safely swap the show frame buffer pointer in show_existing mode
2018-08-21 jingning Skip loop filter operation in show_existing_frame mode
2018-08-21 jingning Point show frame buffer towards existing frame buffer
2018-08-21 jingning Skip frame encoding when show_existing_frame is on
2018-08-21 jingning Add USE_BUF_FRAME enum to FRAME_UPDATE_TYPE
2018-08-20 jingning Unify set_arf_sign_bias function
2018-08-20 jingning Remove unneeded frame_till_gf_update_due assignment
2018-08-20 jingning Add multi_layer_arf flag
2018-08-20 jingning Add a comment in init_gop_frames()
2018-06-12 supradeep.tr Loopfilter MultiThread Optimization
2018-08-17 jingning Skip frame bit-stream writing for show-existing frame
2018-08-17 jingning Support code show_existing_frame in bit-stream header
2018-08-17 jingning Refactor init_gop_frame()
2018-08-17 jingning Clean up var define in apply_temporal_filter()
2018-08-17 jingning Add inline to mod_index()
(...)

Created with:
  roll-dep src/third_party/libvpx/source/libvpx

R=johannkoenig@google.com

BUG=875626,875680
Change-Id: I4d395733d13462e248119791f9483396c0614f5b
Reviewed-on: https://chromium-review.googlesource.com/1185797
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Commit-Queue: Jerome Jiang <jianj@google.com>
Cr-Commit-Position: refs/heads/master@{#585297}

[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/DEPS
[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/third_party/libvpx/README.chromium
[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/third_party/libvpx/libvpx_srcs.gni
[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/third_party/libvpx/source/config/vpx_version.h
Aug 28
The CL causing this has been reverted.
Oct 31
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/f3a027a46de103c97f9f413fea003dc3d97e2cfc

commit f3a027a46de103c97f9f413fea003dc3d97e2cfc
Author: Jerome Jiang <jianj@google.com>
Date: Wed Oct 31 18:42:28 2018

vp8: fix to address overflow in decoder.

Can't call internal error from the decoder thread.

Add vpx_internal_error_info to MACROBLOCKD. When a corrupted frame is detected, the decoder thread returns to its own context and signals completion of decoding for the current frame. The main decoding thread will detect the error too and return an error code to the decoding API call.

Each thread will signal end of decoding of the frame. Main thread waits for the signal of all other threads to start decoding the next frame.

BUG=875626,webm:1496
Change-Id: Icd05fbc558893a4e7d8532c1e7177e7550283a64

[modify] https://crrev.com/f3a027a46de103c97f9f413fea003dc3d97e2cfc/vp8/decoder/threading.c
[modify] https://crrev.com/f3a027a46de103c97f9f413fea003dc3d97e2cfc/vp8/common/blockd.h
[modify] https://crrev.com/f3a027a46de103c97f9f413fea003dc3d97e2cfc/vp8/decoder/decoderthreading.h
[modify] https://crrev.com/f3a027a46de103c97f9f413fea003dc3d97e2cfc/vp8/decoder/onyxd_if.c
[modify] https://crrev.com/f3a027a46de103c97f9f413fea003dc3d97e2cfc/vp8/decoder/decodeframe.c
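The error-propagation scheme the commit above describes, written out as an added illustration rather than libvpx's own code: error_info, worker_ctx, signal_corrupt, decode_rows and decode_frame_mt are hypothetical stand-ins for vpx_internal_error_info, MACROBLOCKD, vpx_internal_error and the mt_decode_* path, the "frame" is a constructed array of per-row corruption flags rather than VP8 bitstream data, and POSIX threads are assumed. The point it shows is that a worker may only longjmp to a setjmp target on its own stack, and that it must still complete so the main thread can collect the error and return it to the API caller.

```c
#include <pthread.h>
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_WORKERS 8

/* Stand-in for libvpx's vpx_internal_error_info (hypothetical simplification). */
typedef struct { int error_code; int setjmp_done; jmp_buf jmp; } error_info;
/* Per-worker decoder context; in the fix the error_info lives in MACROBLOCKD. */
typedef struct {
  error_info err;        /* owned by this worker's thread only, never by main */
  const uint8_t *rows;   /* constructed input: nonzero byte = corrupted MB row */
  int nrows, id, nworkers;
} worker_ctx;
/* Mirrors vpx_internal_error: record the code, then longjmp to the setjmp
 * point of THIS context, so the unwind stays on the calling thread's stack. */
static void signal_corrupt(error_info *e, int code) {
  e->error_code = code;
  if (e->setjmp_done) longjmp(e->jmp, 1);
}

/* Worker: decodes rows id, id+nworkers, ...; on corruption it lands back in
 * its own setjmp frame and still returns, which is its completion signal. */
static void *decode_rows(void *arg) {
  worker_ctx *w = arg;
  w->err.setjmp_done = 1;
  if (setjmp(w->err.jmp) == 0) {
    for (int r = w->id; r < w->nrows; r += w->nworkers)
      if (w->rows[r]) signal_corrupt(&w->err, w->rows[r]);
  }
  w->err.setjmp_done = 0;   /* jmp target is about to go out of scope */
  return NULL;
}

/* Main thread: waits for every worker, then returns the first recorded error
 * to the decoding API caller instead of unwinding out of a worker thread. */
int decode_frame_mt(const uint8_t *rows, int nrows, int nworkers) {
  pthread_t tid[MAX_WORKERS]; int rc = 0;
  worker_ctx w[MAX_WORKERS] = {0};
  if (nworkers < 1 || nworkers > MAX_WORKERS) return -1;
  for (int i = 0; i < nworkers; i++) {
    w[i].rows = rows; w[i].nrows = nrows; w[i].id = i; w[i].nworkers = nworkers;
    if (pthread_create(&tid[i], NULL, decode_rows, &w[i]) != 0) return -1;
  }
  for (int i = 0; i < nworkers; i++) {
    pthread_join(tid[i], NULL);
    if (w[i].err.error_code && rc == 0) rc = w[i].err.error_code;
  }
  return rc;
}
```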
Comment 1 by kkaluri@chromium.org, Aug 20

Components: Internals>Media
Labels: M-70 Test-Predator-Wrong
Owner: jianj@chromium.org
Status: Assigned (was: Untriaged)