Issue 912628


Issue metadata

Status: Fixed
Owner:
Closed: Dec 12
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

ASSERT: 0

Reported by ClusterFuzz (Project Member), Dec 6

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5049657895682048

Fuzzer: libFuzzer_libwebp_advanced_api_fuzzer
Fuzz target binary: libwebp_advanced_api_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  0
  EmptyUpsampleFunc
  EmitFancyRGB
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=614208:614220

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5049657895682048

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Comment 1 by ClusterFuzz (Project Member), Dec 6

Cc: mbarow...@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Cc: jzern@chromium.org
Labels: ClusterFuzz-Wrong
Owner: yguyon@google.com
I did some initial digging and found that it's probably because the target uses :libwebp_config_internal as a config, which defines WEBP_REDUCE_CSP. Then in upsampling.c, the upsampling function definitions are skipped because !defined(WEBP_REDUCE_CSP) is *false*. Then EmptyUpsampleFunction is eventually called, which throws an error seen here.

Reassigning to someone more familiar with fuzzer code.

Yes, that sounds correct. This fuzzer target tries all output formats; we'll need a separate libwebp target for these to depend on.

Comment 4 by bugdroid1@chromium.org (Project Member), Dec 11

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/16401656ac50803fdb7598ed385bce0151c3a87c

commit 16401656ac50803fdb7598ed385bce0151c3a87c
Author: Yannis Guyon <yguyon@google.com>
Date: Tue Dec 11 19:52:11 2018

third_party/libwebp/fuzzing: Restrict colorspace

In target libwebp_advanced_api_fuzzer, restrict
config.output.colorspace to MODE_RGBA, MODE_BGRA, MODE_rgbA and
MODE_bgrA, the only supported modes when WEBP_REDUCE_CSP is defined,
which is the case in chromium.

BUG=chromium:912628

Change-Id: I5f08fc85ece0a4a5a4d402d3fc7c77f794404b1c
Reviewed-on: https://chromium-review.googlesource.com/c/1368126
Reviewed-by: James Zern <jzern@google.com>
Commit-Queue: Yannis Guyon <yguyon@google.com>
Cr-Commit-Position: refs/heads/master@{#615631}
[modify] https://crrev.com/16401656ac50803fdb7598ed385bce0151c3a87c/third_party/libwebp/fuzzing/fuzz_advanced_api.cc

Status: Fixed (was: Untriaged)
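The fix described in the commit message above is a fuzz-target change, not a decoder change: the target must only request output colorspaces that the build it links against can actually produce. The following is an added illustration of that idea in C and is not the code from the commit or from libwebp. It does not include webp/decode.h; the WEBP_CSP_MODE enumerator names are libwebp's, but the enum, the `reduce_csp` runtime flag (standing in for the compile-time WEBP_REDUCE_CSP switch), and the `PickColorspace` / `CountUnsupportedSelections` helpers are constructed here. The set of four allowed modes is taken from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for libwebp's WEBP_CSP_MODE enumeration. The names are
 * libwebp's; this example does not include the library header, so treat the
 * numeric values as an illustrative ordering only. */
typedef enum {
  MODE_RGB = 0, MODE_RGBA = 1, MODE_BGR = 2, MODE_BGRA = 3, MODE_ARGB = 4,
  MODE_RGBA_4444 = 5, MODE_RGB_565 = 6,
  MODE_rgbA = 7, MODE_bgrA = 8, MODE_Argb = 9, MODE_rgbA_4444 = 10,
  MODE_YUV = 11, MODE_YUVA = 12,
  MODE_LAST = 13
} WEBP_CSP_MODE;

/* The only output modes the commit message lists as supported when the
 * decoder is built with WEBP_REDUCE_CSP (as it is in Chromium). */
static const WEBP_CSP_MODE kReducedCspModes[] = {
  MODE_RGBA, MODE_BGRA, MODE_rgbA, MODE_bgrA
};
#define NUM_REDUCED_MODES \
  (sizeof(kReducedCspModes) / sizeof(kReducedCspModes[0]))

/* True if `mode` can be serviced by a reduced-CSP build. */
bool IsReducedCspMode(WEBP_CSP_MODE mode) {
  for (size_t i = 0; i < NUM_REDUCED_MODES; ++i) {
    if (kReducedCspModes[i] == mode) return true;
  }
  return false;
}

/* Map one fuzzer-controlled byte onto the value a target would store in
 * config.output.colorspace. The failing target chose across all MODE_LAST
 * values; the fixed target only draws from the reduced set. `reduce_csp`
 * plays the role of the compile-time WEBP_REDUCE_CSP define so that both
 * behaviours can be compared in a single binary. */
WEBP_CSP_MODE PickColorspace(uint8_t fuzz_byte, bool reduce_csp) {
  if (reduce_csp) {
    return kReducedCspModes[fuzz_byte % NUM_REDUCED_MODES];
  }
  return (WEBP_CSP_MODE)(fuzz_byte % MODE_LAST);
}

/* Over all 256 selector bytes, count how many would request a mode the
 * reduced build has no upsampler for, i.e. how many inputs would reach the
 * EmptyUpsampleFunc assert instead of exercising the decoder. */
int CountUnsupportedSelections(bool reduce_csp) {
  int unsupported = 0;
  for (int b = 0; b < 256; ++b) {
    if (!IsReducedCspMode(PickColorspace((uint8_t)b, reduce_csp))) {
      ++unsupported;
    }
  }
  return unsupported;
}

int main(void) {
  printf("unrestricted target: %d of 256 selector bytes pick an unsupported mode\n",
         CountUnsupportedSelections(false));
  printf("restricted target:   %d of 256 selector bytes pick an unsupported mode\n",
         CountUnsupportedSelections(true));
  return 0;
}
```

The count makes the cost of the mismatch concrete: with the unrestricted selection most inputs die in the assert before any decoding happens, so the fuzzer spends its budget on a configuration error rather than on the decoder; keeping the selection inside the compiled-in set (or, as comment 3 suggests, building a separate target for the other formats) restores coverage of the code that matters.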
Comment 6 by ClusterFuzz (Project Member), Dec 12

ClusterFuzz has detected this issue as fixed in range 615622:615631.

Detailed report: https://clusterfuzz.com/testcase?key=5049657895682048

Fuzzer: libFuzzer_libwebp_advanced_api_fuzzer
Fuzz target binary: libwebp_advanced_api_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  0
  EmptyUpsampleFunc
  EmitFancyRGB
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=614208:614220
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=615622:615631

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5049657895682048

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.