New issue
Advanced search Search tips

Issue 891967 link

Starred by 2 users
Status: Verified
Owner:
cblume@chromium.org
Closed: Nov 16
Cc:
kkaluri@chromium.org
mmoroz@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Timeout in libpng_read_fuzzer

Project Member Reported by ClusterFuzz, Oct 4 
Detailed report: https://clusterfuzz.com/testcase?key=5386974402445312

Fuzzer: libFuzzer_libpng_read_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  libpng_read_fuzzer
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=583284:583299

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5386974402445312

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Project Member

Comment 1 by ClusterFuzz, Oct 4

Cc: aizatsky@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 2 by kkaluri@chromium.org, Oct 4

Cc: kkaluri@chromium.org
Labels: M-70 CF-NeedsTriage Test-Predator-Wrong
Unable to find actual suspect through code search and also observing no CL's under regression range, hence adding appropriate label and requesting someone from Dev team to look in to this issue.

Thanks!

Comment 3 by manoranj...@chromium.org, Oct 12

Labels: -CF-NeedsTriage
Owner: mmoroz@chromium.org
Status: Assigned (was: Untriaged)
mmoroz@, just wondering do you have any inputs here?

Comment 4 by mmoroz@chromium.org, Oct 15 

Interesting! Looks like an inputs is too big to process:

$ pngcheck -v clusterfuzz-testcase-minimized-libpng_read_fuzzer-5386974402445312 
File: clusterfuzz-testcase-minimized-libpng_read_fuzzer-5386974402445312 (209705 bytes)
  chunk IHDR at offset 0x0000c, length 13
    253544 x 200 image, 48-bit RGB, non-interlaced
  chunk IDAT at offset 0x00025, length 352326290
    zlib: deflated, 32K window, default compression
:  EOF while reading data

Comment 5 by mmoroz@chromium.org, Nov 2

Cc: -aizatsky@chromium.org mmoroz@chromium.org
Owner: cblume@chromium.org
cblume@, since you've been interesting in PNG fuzzing, maybe you could also take a look at this one and e.g. add some limits against super big images?

We have some, but it looks like it can be improved: https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc?q=libpng_read_fuz&sq=package:chromium&g=0&l=129
Project Member

Comment 6 by ClusterFuzz, Nov 16 

ClusterFuzz has detected this issue as fixed in range 608446:608451.

Detailed report: https://clusterfuzz.com/testcase?key=5386974402445312

Fuzzer: libFuzzer_libpng_read_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  libpng_read_fuzzer
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=583284:583299
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=608446:608451

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5386974402445312

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Nov 16

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5386974402445312 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment