This was found by fuzzing libvpx (commit c6641709a707ccb98cbdf785428659e44d4f2c8b) and it appears to be in our branch.
https://dxr.mozilla.org/mozilla-central/source/media/libvpx/vp8/common/loopfilter.c#222

vp8/common/vp8_loopfilter.c:222:35: runtime error: index 225 out of bounds for type 'unsigned char '
#0 0x77cca4 in vp8_loop_filter_row_normal (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x77cca4)
#1 0x83f283 in decode_mb_rows (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x83f283)
#2 0x837e2d in vp8_decode_frame (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x837e2d)
#3 0x5d052d in vp8dx_receive_compressed_data (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x5d052d)
#4 0x5ca52c in vp8_decode (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x5ca52c)
#5 0x4ecdde in vpx_codec_decode (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x4ecdde)
#6 0x4eb189 in main /home/user/code/libvpx/examples/simple_decoder.c:135:11
#7 0x7f121a2a5ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#8 0x41dad5 in _start (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x41dad5)
Priority: -- → P1
Part 1: Test cases given as a list. No actual test changes from before. This will help with this bug and future ones, by making it easy to add more test cases.
Assignee: nobody → gsquelart
Attachment #8690624 - Flags: review?(giles)
Part 2: Added vp8/ivf test case.
Attachment #8690626 - Flags: review?(giles)
This issue has the same cause as bug 1224363 (filter_level not clamped to 0-63), though the effect appears elsewhere, so there is no further need for a fix.
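The clamping point described in the comment above, as an added example that is neither libvpx code nor a patch from this bug: a per-block level built from a base level plus deltas, the 64-entry table such a level is used to index (a hypothetical table with constructed contents, sized by MAX_LOOP_FILTER, which is 63 in VP8), and the clamp to 0-63 that keeps the index in range. The base-plus-deltas arithmetic is an assumption modelled on how VP8 adjusts filter levels, not a copy of the decoder's code.

```c
#include <stdbool.h>
#include <stdio.h>

/* VP8 loop-filter levels run 0..63, so per-level tables have 64 entries. */
#define MAX_LOOP_FILTER 63

/* Hypothetical per-level table standing in for a loop-filter threshold
 * table; its contents are constructed for this example only. */
static unsigned char lim_table[MAX_LOOP_FILTER + 1];

static void init_lim_table(void) {
    for (int i = 0; i <= MAX_LOOP_FILTER; i++)
        lim_table[i] = (unsigned char)(i * 2);
}

/* Assumed shape of a delta-adjusted level: frame/segment base level plus
 * a reference-frame delta and a mode delta. Nothing here bounds the sum. */
static int raw_level(int base, int ref_delta, int mode_delta) {
    return base + ref_delta + mode_delta;
}

/* True when using lvl as an index into a 64-entry table would read
 * outside it; this is the condition the sanitizer reported (index 225). */
static bool level_out_of_bounds(int lvl) {
    return lvl < 0 || lvl > MAX_LOOP_FILTER;
}

/* The fix: clamp the derived level to 0..63 before any table use. */
static int clamp_level(int lvl) {
    if (lvl < 0) return 0;
    if (lvl > MAX_LOOP_FILTER) return MAX_LOOP_FILTER;
    return lvl;
}

/* Bounds-checked lookup: refuses a bad index instead of reading past
 * the table. Returns 0 on success, -1 when lvl is out of range. */
static int safe_lookup(int lvl, unsigned char *out) {
    if (level_out_of_bounds(lvl)) return -1;
    *out = lim_table[lvl];
    return 0;
}

int main(void) {
    init_lim_table();
    /* Constructed deltas that overshoot, reproducing the index value 225. */
    int lvl = raw_level(63, 100, 62);
    printf("raw=%d oob=%d clamped=%d\n", lvl, level_out_of_bounds(lvl), clamp_level(lvl));
    return 0;
}
```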
Depends on: 1224363
Comment on attachment 8690624
1224369-p1-gtest-list-of-test-cases.patch

Review of attachment 8690624:

Nice.
Attachment #8690624 - Flags: review?(giles) → review+
Attachment #8690626 - Flags: review?(giles) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/06c9e401ee3c
https://hg.mozilla.org/integration/mozilla-inbound/rev/6b7901d50318

I might have been too eager to check in, as I believe this bug should be sec-low or even no-sec. Also, this bug is actually fixed by the patch in bug 1224363 (which is sec-low or could be no-sec, as confirmed by a libvpx expert in bug 1224363 comment 15). The patches here are just a gtest test case. But sorry if I should have asked for official approval first. Could you please lower the sec rating?
sec-moderate was low enough for landing.
Whiteboard: [adv-main45+] → [adv-main45+][post-critsmash-triage]