xhwang@, could you please take a look?

Seems a crash in AudioBuffer with out of range access on |channel_data_|.

Dale: Could you please take a look?

+chcunningham who was also looking at a similar crash.

If it repros locally, just adding some checks along the way should reveal this. I wonder if this is a consequence of allowing channel changes.

Over to tguilbert@ to take a look!

This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz

We're about 2 weeks away from M51 Beta launch. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged ASAP. 

Moving to RBS-M50 since this patch was merged back. We have a fix in process.

M50 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on Apr-8 to make into the desktop Stable final build cut. Thanks!

This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/43eed5f900264ff88be25806c883dab2011260fa

commit 43eed5f900264ff88be25806c883dab2011260fa
Author: tguilbert <tguilbert@chromium.org>
Date: Thu Apr 07 23:34:48 2016

Fixing AudioBuffer params and channel layout bugs

Work for AAC implicit signaling introduced the possiblity for audio rendering
configs to change to change midstream. Checking for channel layout changes
caused a regression and caused 6 channel audio playback to fail.

Clusterfuzz also detected some heap buffer overflow issues, when the decoded
audio buffers we receive have a different channel layout or sample rate than
the ones we expect.

This change allows FfmpegAudioDecoder to ignore channel layout changes on non
AAC codec. It also checks that decoded AudioBuffer sample rate and channel
count match the expected parameters before adding them to the splicer queue, in
AudioRendererImpl.

BUG= 599625 ,  599846 ,  600538 
TEST=manual tests on an ASAN build, with ffmpeg_regression_test to follow
REVIEW=dalecurtis

Review URL: https://codereview.chromium.org/1868983004

Cr-Commit-Position: refs/heads/master@{#385922}

[modify] https://crrev.com/43eed5f900264ff88be25806c883dab2011260fa/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/43eed5f900264ff88be25806c883dab2011260fa/media/renderers/audio_renderer_impl.cc

ClusterFuzz has detected this issue as fixed in range 385504:385978.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4644078523777024

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x6030000abaa8
Crash State:
  media::AudioBuffer::ReadFrames
  media::AudioBufferQueue::InternalRead
  media::AudioRendererAlgorithm::FillBuffer
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=383194:384380
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=385504:385978

Minimized Testcase (94.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94uAPQ4nSVldA41d6P29FGNSJJBnJy3o6XDdxdyAPy4w5W7Wv4FfdeHDila8Eg1cg-_WlmDYvw3pEdfp3V2STF1hF5FHVyeEdAMkd79wT7aRBy0WkYQUwo4GCxYMndZvMbtbDAjwE1GrLuPlUlNsAo8_2AO5RSox6P-mbanQVUXWZdXoZQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Looks fixed, cool! Thanks!

Btw, we have ambiguous M-50 and M-51 labels, probably need to left just one of them?

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Needs merge to m50, since branch cut is coming up and this is found fixed, marking for merge.

Merge approved for M50 (branch 2661) per comment #20.

Please merge your change to M50 branch 2661 by 5:00 PM PST on April 8th,Friday (today) to make into the desktop Stable final build cut. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc

commit 7f2efb0b0cde7dffa231f43418eeddf9ef897ecc
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Fri Apr 08 19:35:09 2016

Merge M50: "Fixing AudioBuffer params and channel layout bugs"

Work for AAC implicit signaling introduced the possiblity for audio rendering
configs to change to change midstream. Checking for channel layout changes
caused a regression and caused 6 channel audio playback to fail.

Clusterfuzz also detected some heap buffer overflow issues, when the decoded
audio buffers we receive have a different channel layout or sample rate than
the ones we expect.

This change allows FfmpegAudioDecoder to ignore channel layout changes on non
AAC codec. It also checks that decoded AudioBuffer sample rate and channel
count match the expected parameters before adding them to the splicer queue, in
AudioRendererImpl.

BUG= 599625 ,  599846 ,  600538 
TEST=manual tests on an ASAN build, with ffmpeg_regression_test to follow
REVIEW=dalecurtis

Review URL: https://codereview.chromium.org/1868983004

Cr-Commit-Position: refs/heads/master@{#385922}
(cherry picked from commit 43eed5f900264ff88be25806c883dab2011260fa)

Review URL: https://codereview.chromium.org/1870113003 .

Cr-Commit-Position: refs/branch-heads/2661@{#533}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/7f2efb0b0cde7dffa231f43418eeddf9ef897ecc/media/renderers/audio_renderer_impl.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot