[FFmpeg-devel] [RFC] Fuzzer results and bugfixes

Vitor Sessak vitor1001
Sat Mar 6 11:59:20 CET 2010


Michael Niedermayer wrote:
> On Fri, Mar 05, 2010 at 04:30:50PM -0800, Jason Garrett-Glaser wrote:
>> All,
>>
>> I wrote a rather simple fuzzer and started running it on ffmpeg using
>> various input files.  I've found about 6 crashes so far (some appear
>> to be possibly exploitable); I suspect to find a lot more as I try
>> more types of input files.  Here's my tentative plan:
>>
>> 1.  Start a roundup thread specifically for this fuzzer (only one bug
>> report rather than a massive spam).
> 
>> 2.  Offer the same bugfix rewards as usual for fixing crashes reported
>> in this thread by the fuzzer (duplicate crashes caused by the same bug
>> are obviously not counted).
> 
> i wonder if security relevant bugs should have a higher bounty on them
> 
> 
>> 3.  Because I have a very slow upload and most input files have
>> multiple crashes, each sample will be only uploaded once: instead, the
>> random seed used to generate the fuzz test failure will be posted.
>> For example:
>>
>> IronMan.mkv 140
>>
>> means that IronMan.mkv, fuzzed with seed 140, caused a crash in decoding.
>>
>> Using the fuzzer is trivial and much faster than waiting for my upload:
>>
>> ./fuzzer input output seed
>>
>> Is this a good idea?  I think it would be the most convenient for
>> dealing with fuzzer-found crash bugs.  Furthermore, it would easily
>> allow others to report new fuzzer-found crash bugs in a central
>> location without scaring the crap out of everyone with hundreds of bug
>> reports.
> 
> having hundred unrelated crashes in one roundup report seems quite difficult
> to handle for people who try to fix any.
> That is, it's quite hard to keep track of which are still in need of a fix
> especially if one starts with
> <list of 200 seeds crashing>
> <list of 20 seeds fixed by X>
> <list of 29 seeds fixed by Y>
> <list of 3 seeds fixed by Z>

Another possibility would be to put this in a wiki page table (with 
columns: "input file", "seed", "fixed by", "notes") and with color 
coding (red = not fixed, green = fixed).

-Vitor
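As an added illustration of the seed-based reporting scheme discussed above (example code, not Jason's fuzzer and not FFmpeg code), a minimal Python mutator with the same `input output seed` command line: every mutation is derived from the seed alone, so "<file> <seed>" is enough for anyone holding the same original file to regenerate the exact crashing input instead of downloading it. The mutation rate and the three mutation operators are my assumptions.

```python
"""Seed-reproducible file mutator: ./fuzz.py input output seed"""
import random
import sys


def mutate(data: bytes, seed: int, rate: float = 0.01) -> bytes:
    """Return a mutated copy of `data` determined entirely by `seed`.

    The same (data, seed) pair always yields the same bytes, so a crash
    can be recorded as "<file> <seed>" and reproduced later. `rate` is
    the fraction of bytes touched (assumed value, at least one mutation).
    """
    if not data:                      # nothing to mutate; avoid randrange(0)
        return data
    rng = random.Random(seed)         # per-seed generator, no global state
    buf = bytearray(data)
    n = max(1, int(len(buf) * rate))
    for _ in range(n):
        pos = rng.randrange(len(buf))
        op = rng.choice(("flip", "set", "swap"))
        if op == "flip":              # flip one bit
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == "set":             # overwrite with a random byte
            buf[pos] = rng.randrange(256)
        else:                         # swap with another position
            other = rng.randrange(len(buf))
            buf[pos], buf[other] = buf[other], buf[pos]
    return bytes(buf)


def changed_positions(original: bytes, mutated: bytes) -> list:
    """Offsets where the mutated file differs, handy for bug reports."""
    return [i for i, (a, b) in enumerate(zip(original, mutated)) if a != b]


def main(argv: list) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} input output seed", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    with open(argv[2], "wb") as f:
        f.write(mutate(data, int(argv[3])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running `python3 fuzz.py IronMan.mkv out.mkv 140` twice produces byte-identical `out.mkv` files, which is what makes the seed a sufficient bug identifier.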


