Issue 1728 in webm: Integer-overflow in vp8_get_compressed_data


eug… via monorail

Apr 29, 2021, 1:37:49 AM
to webm-d...@webmproject.org
Status: Untriaged
Owner: ----
Labels: Type-Bug Pri-2
Components: libvpx

New issue 1728 by eug...@chromium.org: Integer-overflow in vp8_get_compressed_data
https://bugs.chromium.org/p/webm/issues/detail?id=1728

../../third_party/libvpx/source/libvpx/vp8/encoder/onyx_if.c:4924:55: runtime error: signed integer overflow: 2882303761517200780 * 10 cannot be represented in type 'long'
#0 0x55c896e69f9a in vp8_get_compressed_data third_party/libvpx/source/libvpx/vp8/encoder/onyx_if.c:4924:55
#1 0x55c896e51d80 in vp8e_encode third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c:927:25
#2 0x55c896ff9b5c in vpx_codec_encode third_party/libvpx/source/libvpx/vpx/src/vpx_encoder.c:208:13
#3 0x55c8913c8279 in media::VpxVideoEncoder::Encode(scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)>) media/video/vpx_video_encoder.cc:484:20
#4 0x55c8912ca12b in Invoke<void (media::VideoEncoder::*)(scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)>), media::VideoEncoder *, scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)> > base/bind_internal.h:509:12
#5 0x55c8912ca12b in MakeItSo<void (media::VideoEncoder::*)(scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)>), media::VideoEncoder *, scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)> > base/bind_internal.h:648:12
#6 0x55c8912ca12b in RunImpl<void (media::VideoEncoder::*)(scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)>), std::tuple<base::internal::UnretainedWrapper<media::VideoEncoder>, scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)> >, 0, 1, 2, 3> base/bind_internal.h:721:12
#7 0x55c8912ca12b in base::internal::Invoker<base::internal::BindState<void (media::VideoEncoder::*)(scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)>), base::internal::UnretainedWrapper<media::VideoEncoder>, scoped_refptr<media::VideoFrame>, bool, base::OnceCallback<void (media::Status)> >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:690:12
#8 0x55c895ca8aff in Run base/callback.h:101:12
#9 0x55c895ca8aff in base::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/task/common/task_annotator.cc:173:33
#10 0x55c895cf9392 in base::internal::TaskTracker::RunSkipOnShutdown(base::internal::Task*) base/task/thread_pool/task_tracker.cc:664:19
#11 0x55c895cf89f6 in base::internal::TaskTracker::RunTaskWithShutdownBehavior(base::TaskShutdownBehavior, base::internal::Task*) base/task/thread_pool/task_tracker.cc:679:7
#12 0x55c895cf7def in base::internal::TaskTracker::RunTask(base::internal::Task, base::internal::TaskSource*, base::TaskTraits const&) base/task/thread_pool/task_tracker.cc:525:5
#13 0x55c895d6747d in base::internal::TaskTrackerPosix::RunTask(base::internal::Task, base::internal::TaskSource*, base::TaskTraits const&) base/task/thread_pool/task_tracker_posix.cc:22:16
#14 0x55c895cf6912 in base::internal::TaskTracker::RunAndPopNextTask(base::internal::RegisteredTaskSource) base/task/thread_pool/task_tracker.cc:432:5
#15 0x55c895d28551 in base::internal::WorkerThread::RunWorker() base/task/thread_pool/worker_thread.cc:366:34
#16 0x55c895d27970 in base::internal::WorkerThread::RunPooledWorker() base/task/thread_pool/worker_thread.cc:261:3
#17 0x55c895d2731f in base::internal::WorkerThread::ThreadMain() base/task/thread_pool/worker_thread.cc:241:7
#18 0x55c895d68211 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:96:13
#19 0x7f87dd42d6b9 in start_thread /build/glibc-LK5gWL/glibc-2.23/nptl/pthread_create.c:333
#20 0x7f87d6eeb41c in clone /build/glibc-LK5gWL/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109

this_duration had value 2882303761517200780

Issue was found by chromium fuzzer: https://crbug.com/1203958

--
You received this message because:
1. The project was configured to send all issue notifications to this address

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings
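
The sanitizer line in this report is the whole story: `this_duration * 10` is evaluated in a signed `long`, and the fuzzer found a frame duration large enough that the product exceeds the type's range, which is undefined behaviour in C. The example below is an added illustration of the defensive pattern (check the operand against `INT64_MAX / factor` before multiplying, and clamp it), not code from libvpx or from the fix commit referenced in this thread; the names `scaled_duration_overflows`, `scale_duration_capped` and the constants are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical scale factor, matching the "* 10" in the sanitizer report. */
#define SCALE_FACTOR 10

/* Largest and smallest int64_t that can be multiplied by SCALE_FACTOR
 * without leaving the representable range.  Computed from the type's
 * limits rather than hard-coded, so it stays correct if the factor changes. */
#define MAX_SAFE_DURATION (INT64_MAX / SCALE_FACTOR)
#define MIN_SAFE_DURATION (INT64_MIN / SCALE_FACTOR)

/* Reports whether duration * SCALE_FACTOR would overflow a signed 64-bit
 * integer.  The check is done by comparison only, so it never performs the
 * overflowing multiplication that the sanitizer flagged. */
bool scaled_duration_overflows(int64_t duration) {
    return duration > MAX_SAFE_DURATION || duration < MIN_SAFE_DURATION;
}

/* Scales a duration after clamping it into the safe range.  Clamping (rather
 * than rejecting) keeps the encoder making progress on absurd but non-fatal
 * timestamps; the returned value is the saturated product. */
int64_t scale_duration_capped(int64_t duration) {
    if (duration > MAX_SAFE_DURATION) {
        duration = MAX_SAFE_DURATION;
    } else if (duration < MIN_SAFE_DURATION) {
        duration = MIN_SAFE_DURATION;
    }
    return duration * SCALE_FACTOR;  /* cannot overflow after the clamp */
}

int main(void) {
    /* Constructed sample inputs: a normal duration and the value quoted in
     * the report above. */
    const int64_t normal = 1000;
    const int64_t reported = 2882303761517200780LL;

    printf("%lld overflows: %s -> capped product %lld\n",
           (long long)normal,
           scaled_duration_overflows(normal) ? "yes" : "no",
           (long long)scale_duration_capped(normal));
    printf("%lld overflows: %s -> capped product %lld\n",
           (long long)reported,
           scaled_duration_overflows(reported) ? "yes" : "no",
           (long long)scale_duration_capped(reported));
    return 0;
}
```

Under UBSan (`-fsanitize=signed-integer-overflow`) the clamped version stays silent on the reported input, which is the observable difference a regression test for this class of bug should assert on.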

jz… via monorail

May 4, 2021, 4:48:38 PM
to webm-d...@webmproject.org
Updates:
Cc: deba...@google.com yu...@google.com
Owner: mar...@google.com
Status: Available

Comment #1 on issue 1728 by jz...@google.com: Integer-overflow in vp8_get_compressed_data
https://bugs.chromium.org/p/webm/issues/detail?id=1728#c1

There was some work done in https://crbug.com/webm/701 to handle rollover, but it looks like it could be extended. I don't think this is a critical issue, though it may affect some encoder decisions.

jz… via monorail

Sep 16, 2021, 1:16:19 PM
to webm-d...@webmproject.org
Updates:
Cc: ji...@google.com
Status: Assigned

Comment #3 on issue 1728 by jz...@google.com: Integer-overflow in vp8_get_compressed_data
https://bugs.chromium.org/p/webm/issues/detail?id=1728#c3

Marco or Jerome, any chance to look at this? We were holding the release on this one.

ji… via monorail

Sep 16, 2021, 1:17:55 PM
to webm-d...@webmproject.org
Updates:
Cc: -ji...@google.com mar...@google.com
Owner: ji...@google.com

Comment #4 on issue 1728 by ji...@google.com: Integer-overflow in vp8_get_compressed_data
https://bugs.chromium.org/p/webm/issues/detail?id=1728#c4

I'll take care of this

Git Watcher via monorail

Sep 22, 2021, 1:28:06 PM
to webm-d...@webmproject.org

Comment #5 on issue 1728 by Git Watcher: Integer-overflow in vp8_get_compressed_data
https://bugs.chromium.org/p/webm/issues/detail?id=1728#c5

The following revision refers to this bug:
https://chromium.googlesource.com/webm/libvpx/+/09775194ffdb84b4979f3988e7ef301575b661df

commit 09775194ffdb84b4979f3988e7ef301575b661df
Author: Jerome Jiang <ji...@google.com>
Date: Mon Sep 20 20:37:43 2021

Cap duration to avoid overflow

Bug: webm:1728
Change-Id: Id13475660fa921e8ddcc89847e978da4c8d85886

[modify] https://crrev.com/09775194ffdb84b4979f3988e7ef301575b661df/vp8/encoder/onyx_if.c

Git Watcher via monorail

Sep 27, 2021, 6:32:07 PM
to webm-d...@webmproject.org
Updates:
Labels: merge-merged-smew

Comment #6 on issue 1728 by Git Watcher: Integer-overflow in vp8_get_compressed_data
https://bugs.chromium.org/p/webm/issues/detail?id=1728#c6
The following revision refers to this bug:

Author: Jerome Jiang <ji...@google.com>
Date: Mon Sep 20 20:37:43 2021

Cap duration to avoid overflow

Bug: webm:1728
Change-Id: Id13475660fa921e8ddcc89847e978da4c8d85886
(cherry picked from commit 09775194ffdb84b4979f3988e7ef301575b661df)

[modify] https://crrev.com/d00e68ad8789dc8bb210961532e20f0e9f6d55ae/vp8/encoder/onyx_if.c

ji… via monorail

Sep 27, 2021, 7:03:53 PM
to webm-d...@webmproject.org
Updates:
Status: Fixed

Comment #7 on issue 1728 by ji...@google.com: Integer-overflow in vp8_get_compressed_data
https://bugs.chromium.org/p/webm/issues/detail?id=1728#c7

(No comment was entered for this change.)