=>wolenetz for ffmpeg roll. we can shard these out to others on the team / michael at ffmpeg.

wolenetz@ -- setting current milestone (M50) as the milestone since it is a Medium Pri bug. Please feel free to change.

wolenetz: Uh oh! This issue still open and hasn't been updated in the last 19 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sharding this one to tguilbert@. Thanks Thomas!

It seems like the clusterfuzz reporting was slightly off... I get a consistent repro, but it happens a line earlier, with a slightly deeper stack trace:

==73927==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xbdc2d8 in vorbis_header ./out/libfuzzer_msan/../../third_party/ffmpeg/libavformat/oggparsevorbis.c:315:9
    #1 0xbb653c in ogg_packet ./out/libfuzzer_msan/../../third_party/ffmpeg/libavformat/oggdec.c:530:22
    #2 0xbb16bb in ogg_get_length ./out/libfuzzer_msan/../../third_party/ffmpeg/libavformat/oggdec.c:642:33
    #3 0xbb16bb in ogg_read_header ./out/libfuzzer_msan/../../third_party/ffmpeg/libavformat/oggdec.c:718:0
.... (Identical stack trace then)


Using that stack trace, you can easily see that this line:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/ffmpeg/libavformat/oggparsevorbis.c&q=oggparsevorbis&sq=package:chromium&type=cs&l=315

Might be using the allocated but un-initialized memory from this line:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/ffmpeg/libavformat/oggparsevorbis.c&q=oggparsevorbis&sq=package:chromium&type=cs&l=302

I have not checked if this repros in ffplay, but the code in the latest is present in FFMPEG. I will build an MSAN ffplay once I am done with my USAN FFPLAY build.

I will send an email to Michael Niedermayer soon, once I have finished investigating 600959

ClusterFuzz has detected this issue as fixed in range 391516:392381.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5513888052805632

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ogg_packet
  ogg_get_length
  ogg_read_header
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=379005:379097
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=391516:392381

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv977KTVScjDbcdwvZ0PV8JV9002yll8xdgy_QI6o-DJcwASd99HUcNLXmMxF0dSyCSZQdaluJykSrD2spYHUMTaWnWgF5yHByZk9Wtp2kx_AB5W6elM-14oCafs2RbJuOv9KkIUr8DBf_o1EhcHgB4321hx5JQ


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

I find it unlikely that the issue fixed itself.

I have initiated a re-run.

It turns out that 595997, 600968 and 600969 (this bug) are all symptoms of 602185.

chcunningham has astutely pointed out that the memory allocation I reference above actually zeros out the memory after allocating it, and therefore wasn't the cause of the bug.

I tried applying his patch for 602185 to a local msan build of the media_pipeline_integration_fuzzer, and confirmed that the 3 bugs repro without the patch (when you run them more than once in a row, using the -runs=100 flag), and that they do not reproduce after adding Chris' fix.

ClusterFuzz has detected this issue as fixed in range 391516:392381.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5513888052805632

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ogg_packet
  ogg_get_length
  ogg_read_header
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=379005:379097
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=391516:392381

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv977KTVScjDbcdwvZ0PV8JV9002yll8xdgy_QI6o-DJcwASd99HUcNLXmMxF0dSyCSZQdaluJykSrD2spYHUMTaWnWgF5yHByZk9Wtp2kx_AB5W6elM-14oCafs2RbJuOv9KkIUr8DBf_o1EhcHgB4321hx5JQ


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot