Author: chcunningham
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/1675282361cc4dfa9e25beaabeb8c2e104140713
Time: Thu Mar 17 18:58:00 2016
File audio_renderer_mixer_input.cc is changed in this cl (and is part of stack frame #6, "media::AudioRendererMixerInput::Play")
Minimum distance from crash line to modified line: 13. (file: audio_renderer_mixer_input.cc, crashed on: 98, modified: 111).

Hey inferno, seems we only have stack for the allocation, not the overflow. I can try a local repro, but is there any way to get the bot to give me a stack?

Inferno, could you reply to #3?  Thanks!

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5465468940320768

Fuzzer: inferno_flicker
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x0c136084
Crash State:
  media::AudioBus::AudioBus
  media::AudioBus::CreateWrapper
  media::MultiChannelResampler::MultiChannelResampler
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=379959:383563

Minimized Testcase (94.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Y_hu_e_RviVRmA4x2Gv3p9Y5GMKO5uKnIsdbWtM8S68gOiP4Qsz5wt4w8MbUo3SX2z_1bbgzPPmSWeYBnmvjZxAT1rBeG5OefCilgxfYF5ct66ABclZaUFy7pLlZ4amhfGzvaDx3Edj4GbRFn7qBdCmFT4nJ6Z4aTgdqQ0afzzI346Dk

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Might be the same as  issue 599846  though the traces are different. chcunningham@ is OOO for a while, so over to some other folk.  cc:tguilbert@ who will be looking into that issue.

This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz

We're about 2 weeks away from M51 Beta launch. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged ASAP. 

M50 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on Apr-8 to make into the desktop Stable final build cut. Thanks!

This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/43eed5f900264ff88be25806c883dab2011260fa

commit 43eed5f900264ff88be25806c883dab2011260fa
Author: tguilbert <tguilbert@chromium.org>
Date: Thu Apr 07 23:34:48 2016

Fixing AudioBuffer params and channel layout bugs

Work for AAC implicit signaling introduced the possiblity for audio rendering
configs to change to change midstream. Checking for channel layout changes
caused a regression and caused 6 channel audio playback to fail.

Clusterfuzz also detected some heap buffer overflow issues, when the decoded
audio buffers we receive have a different channel layout or sample rate than
the ones we expect.

This change allows FfmpegAudioDecoder to ignore channel layout changes on non
AAC codec. It also checks that decoded AudioBuffer sample rate and channel
count match the expected parameters before adding them to the splicer queue, in
AudioRendererImpl.

BUG= 599625 ,  599846 ,  600538 
TEST=manual tests on an ASAN build, with ffmpeg_regression_test to follow
REVIEW=dalecurtis

Review URL: https://codereview.chromium.org/1868983004

Cr-Commit-Position: refs/heads/master@{#385922}

[modify] https://crrev.com/43eed5f900264ff88be25806c883dab2011260fa/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/43eed5f900264ff88be25806c883dab2011260fa/media/renderers/audio_renderer_impl.cc

Seems like fix at comment #15 landed at last night canary. If it looks good, please request a merge to M50 & M51. Thank you. 

Marked  issue 599846  for merge.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc

commit 7f2efb0b0cde7dffa231f43418eeddf9ef897ecc
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Fri Apr 08 19:35:09 2016

Merge M50: "Fixing AudioBuffer params and channel layout bugs"

Work for AAC implicit signaling introduced the possiblity for audio rendering
configs to change to change midstream. Checking for channel layout changes
caused a regression and caused 6 channel audio playback to fail.

Clusterfuzz also detected some heap buffer overflow issues, when the decoded
audio buffers we receive have a different channel layout or sample rate than
the ones we expect.

This change allows FfmpegAudioDecoder to ignore channel layout changes on non
AAC codec. It also checks that decoded AudioBuffer sample rate and channel
count match the expected parameters before adding them to the splicer queue, in
AudioRendererImpl.

BUG= 599625 ,  599846 ,  600538 
TEST=manual tests on an ASAN build, with ffmpeg_regression_test to follow
REVIEW=dalecurtis

Review URL: https://codereview.chromium.org/1868983004

Cr-Commit-Position: refs/heads/master@{#385922}
(cherry picked from commit 43eed5f900264ff88be25806c883dab2011260fa)

Review URL: https://codereview.chromium.org/1870113003 .

Cr-Commit-Position: refs/branch-heads/2661@{#533}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc/media/renderers/audio_renderer_impl.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/adb97b41fa91b752c3b99f67e3f370a36e6cedf4

commit adb97b41fa91b752c3b99f67e3f370a36e6cedf4
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Fri Apr 08 23:14:51 2016

Fix incorrect merge of security fix.

(cherry picked from commit 923f48d50fe35ac3ee00a80cc848a2e2983f106d)

BUG= 599625 

Review URL: https://codereview.chromium.org/1868403002 .

Cr-Commit-Position: refs/branch-heads/2661@{#536}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/adb97b41fa91b752c3b99f67e3f370a36e6cedf4/media/renderers/audio_renderer_impl.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot