Global-buffer-overflow in WebRtcIsacfix_PitchFilterCore
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5300886984720384
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x0000005a89f4
Crash State:
  WebRtcIsacfix_PitchFilterCore
  WebRtcIsacfix_PitchFilter
  WebRtcIsacfix_DecodeImpl
Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96HRd108A4nC4ynC1Tg1eKty9coVUOsV1_fiKrD18n1B490UdqSkP58ZiJ0r8uTnv8sdELlyVmzeY5ENo3zUeDwZybEQ4f85Omevd3fGSG-E0DeNqd2mKfP2Suux9rBh7XuqozHycEb11cqDLGXNabct0Uy3w
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 21 2016
kwiberg: Uh oh! This issue still open and hasn't been updated in the last 15 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 6 2016
kwiberg: Uh oh! This issue still open and hasn't been updated in the last 30 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 23 2016
@kwiberg: Ping, can you please take a look at this medium severity bug whenever you have a chance? It's been open for more than 1.5 months now.
May 27 2016
I have a potential fix for this, but since I don't understand the code too well it might not be an ideal one. Will upload for review once gclient sync finishes on my webrtc checkout.
Jun 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/7bf939c72061b48789304315c857c65a6ad8a1ae

commit 7bf939c72061b48789304315c857c65a6ad8a1ae
Author: mbarbella <mbarbella@chromium.org>
Date: Fri Jun 03 17:05:58 2016

Check for out-of-bounds access on |kIntrpCoef|.

BUG= chromium:600953
Review-Url: https://codereview.webrtc.org/2025493002
Cr-Commit-Position: refs/heads/master@{#13039}

[modify] https://crrev.com/7bf939c72061b48789304315c857c65a6ad8a1ae/webrtc/modules/audio_coding/codecs/isac/fix/source/pitch_filter.c
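The commit above says only that it adds a check for out-of-bounds access on the global table kIntrpCoef; the ASan report at the top of the thread (global-buffer-overflow, READ of size 2) is what an unchecked index into a global int16_t table looks like at run time. The code below is an added example written for this page, not WebRTC's pitch_filter.c: a constructed coefficient table (kIntrpCoefDemo, with assumed dimensions and Q14 values) and a simplified fractional-delay filter (pitch_filter_demo) that validates every bitstream-derived index before it reaches the table. The function names, the table, and the lag range check are all assumptions for the demonstration and do not reproduce the real decoder's arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a global interpolation-coefficient table such as
 * WebRTC's kIntrpCoef. The real table's dimensions and contents are not shown
 * on the page; these Q14 fixed-point rows are an assumption for the demo. */
#define NUM_FRACTIONS 4
#define NUM_TAPS 3
static const int16_t kIntrpCoefDemo[NUM_FRACTIONS][NUM_TAPS] = {
    {     0, 16384,     0 },   /* fraction 0: pass the centre tap through */
    { -1024, 14336,  3072 },
    { -2048, 10240,  8192 },
    { -1024,  3072, 14336 },
};

/* Hardened lookup: row and tap are validated before the table is read.
 * An unchecked frac_idx >= NUM_FRACTIONS would read past the end of the
 * global array, which ASan reports as a global-buffer-overflow READ of
 * sizeof(int16_t) == 2 bytes. */
bool get_intrp_coef(int frac_idx, int tap, int16_t *coef) {
  if (frac_idx < 0 || frac_idx >= NUM_FRACTIONS) return false;
  if (tap < 0 || tap >= NUM_TAPS) return false;
  *coef = kIntrpCoefDemo[frac_idx][tap];
  return true;
}

static int16_t saturate16(int32_t v) {
  if (v > INT16_MAX) return INT16_MAX;
  if (v < INT16_MIN) return INT16_MIN;
  return (int16_t)v;
}

/* Simplified fractional-delay pitch filter (a model, not WebRTC's algorithm):
 *   out[i] = sum_t coef[frac_idx][t] * in[i - lag + t - 1]   (Q14 -> Q0)
 * lag and frac_idx stand in for values decoded from an untrusted bitstream.
 * Returns the number of samples written, or -1 if either parameter is outside
 * what the table and buffer can serve. Reads before the start of the buffer
 * are treated as silence so the signal access is in bounds as well. */
int pitch_filter_demo(const int16_t *in, size_t n, int lag, int frac_idx,
                      int16_t *out) {
  int16_t coef[NUM_TAPS];
  if (lag < 1 || (size_t)lag > n) return -1;              /* constructed lag range */
  for (int t = 0; t < NUM_TAPS; ++t) {
    if (!get_intrp_coef(frac_idx, t, &coef[t])) return -1; /* reject bad row early */
  }
  for (size_t i = 0; i < n; ++i) {
    int32_t acc = 0;
    for (int t = 0; t < NUM_TAPS; ++t) {
      long j = (long)i - lag + t - 1;
      int16_t s = (j >= 0 && j < (long)n) ? in[j] : 0;
      acc += (int32_t)coef[t] * s;                         /* fits: |acc| < 2^31 */
    }
    out[i] = saturate16((acc + (1 << 13)) >> 14);          /* round Q14 to Q0 */
  }
  return (int)n;
}

int main(void) {
  /* Constructed sample signal and a deliberately out-of-range fraction index. */
  const int16_t in[5] = {100, 200, 300, 400, 500};
  int16_t out[5];
  int ok = pitch_filter_demo(in, 5, 2, 0, out);
  int bad = pitch_filter_demo(in, 5, 2, NUM_FRACTIONS, out);
  printf("valid fraction: %d samples, out[2]=%d; invalid fraction: %d\n",
         ok, out[2], bad);
  return 0;
}
```

The check is placed where the index is first consumed, before the filter loop, so a malformed frame is rejected as a whole instead of partially processed; with the table fully validated up front the inner loop carries no per-sample branching on attacker-controlled values.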
Jun 4 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 398366:399171.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5300886984720384
Fuzzer: libfuzzer_audio_decoder_isacfix_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x0000005a89f4
Crash State:
  WebRtcIsacfix_PitchFilterCore
  WebRtcIsacfix_PitchFilter
  WebRtcIsacfix_DecodeImpl
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=381907:381934
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95N9yHnhha7VRloueni5rIMzbAMXGSC3jAk9hOqoRC4SYPsQbTDeyBeFdfCLG5h4NEn612ZcYmXfDG6HOI8gnwOWtEhqcFbfHCpIZtm7uK1SfMlJjmIXxi-OC2ZXud4V_--G1QhlgYsNow8GbaR8BLo3Avyjw
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2016
Regressed in 381907, initially in 51.0.2683.0
Fixed in 398366, initially in 53.0.2763.0
Jul 11 2016
Approving merge to M52.
Jul 12 2016
Hello! Please merge to M52 by 5pm PDT Today (Tuesday 12th) if at all possible. Cheers!
Jul 13 2016
Sorry for the delay here, I totally missed this. Is anyone from the WebRTC team able to help with the merge on this one or able to point me to any docs related to the process? Not sure how we normally handle these.
Jul 14 2016
Please merge your change to M52 branch 2743 before 5:00 PM PST Friday (07/15/16) as we are very close to M52 stable candidate cut.
Jul 14 2016
+ tommi@, could you ptal comment #22 & #23. Thank you.
Jul 14 2016
Re #22: Normally you check out a release branch (like branch-heads/52), see: https://webrtc.org/native-code/development/#working-with-release-branches
I'll take care of the merge. Sorry for dropping the ball on this, I misremembered that ISAC wasn't part of the Chromium build, but I think it's iLBC that's being excluded. Either way, I'll make sure it lands. Thanks for fixing it.
Jul 14 2016
Then git cherry-pick -x 7bf939c72061b48789304315c857c65a6ad8a1ae, and git cl upload like normal. git cl upload takes care of it and https://codereview.webrtc.org/2144733007/ shows:
  Base URL: https://chromium.googlesource.com/external/webrtc.git@52
  Target Ref: refs/pending/branch-heads/52
Both indicating that it's targeting the tagged M52 WebRTC branch.
Jul 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/ca7fe7ea0257ae5e4318549abbe7c0f79063865e

commit ca7fe7ea0257ae5e4318549abbe7c0f79063865e
Author: Peter Boström <pbos@webrtc.org>
Date: Thu Jul 14 07:11:36 2016

Check for out-of-bounds access on |kIntrpCoef|.

BUG= chromium:600953
Review-Url: https://codereview.webrtc.org/2025493002
Cr-Commit-Position: refs/heads/master@{#13039}
(cherry picked from commit 7bf939c72061b48789304315c857c65a6ad8a1ae)

BUG= chromium:600953
R=tommi@webrtc.org

Review URL: https://codereview.webrtc.org/2144733007 .
Cr-Commit-Position: refs/branch-heads/52@{#10}
Cr-Branched-From: a376e70cf9d0df3c35d53533b454da542661775b-refs/heads/master@{#12798}

[modify] https://crrev.com/ca7fe7ea0257ae5e4318549abbe7c0f79063865e/webrtc/modules/audio_coding/codecs/isac/fix/source/pitch_filter.c
Jul 14 2016
Thanks, Peter!
Sep 10 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 6 2016
Components: Blink>WebRTC>Audio
Labels: Pri-2
Owner: pbos@chromium.org