=>wolenetz who will be working on the ffmpeg roll for m-51

Sharding this one to tguilbert@. Thanks Thomas!

This one is probably also in M-50. Please check as part of fixing this.

This repros using the ToT ffplay.


On this line:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/ffmpeg/libavformat/oggdec.c&sq=package:chromium&type=cs&l=367

gp is assigned the value of 2^63, which is then assigned to os->granule, which is ok, because they are both unsigned longs.

Starting from this line:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/ffmpeg/libavformat/oggparseopus.c&sq=package:chromium&type=cs&l=145

The value from os->granule minus an amount 'x' is stored in priv->cur_dts (a signed long), and then priv->cur_dts is re-incremented by the same value 'x', triggering the signed overflow.

I will coordinate with chcunningham in order to get the fixes upstream and in chrome.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/7c3fccefe652fcaf4e937132af10c7703db7028a

commit 7c3fccefe652fcaf4e937132af10c7703db7028a
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue May 10 21:12:58 2016

avformat/oggparseopus: Check that granule pos is within the supported range

Larger values would imply file durations of astronomic proportions and cause
overflows

Fixes integer overflow
Fixes: usan_int64_overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8efaee3710baa87af40556a622bf2d96a27c6425)

BUG= 600959 

Change-Id: Ib48df949577a34d81277e681c750aa1cccc965bc

[modify] https://crrev.com/7c3fccefe652fcaf4e937132af10c7703db7028a/libavformat/oggparseopus.c
[modify] https://crrev.com/7c3fccefe652fcaf4e937132af10c7703db7028a/chromium/patches/README

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/79fb282a377bd92f2a679babae5c627a4f4f118a

commit 79fb282a377bd92f2a679babae5c627a4f4f118a
Author: tguilbert <tguilbert@chromium.org>
Date: Thu May 12 03:21:23 2016

Roll src/third_party/ffmpeg/ 20d74768d..77fdc79ab (3 commits).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/20d74768dcd9..77fdc79ab485

$ git log 20d74768d..77fdc79ab --date=short --no-merges --format='%ad %ae %s'
2016-05-11 michael avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()
2016-05-09 chcunningham libavformat/oggdec: Free stream private when header parsing fails.
2016-05-10 michael avformat/oggparseopus: Check that granule pos is within the supported range

BUG= 600959 , 602185 , 603495 
R=wolenetz

Review-Url: https://codereview.chromium.org/1969993003
Cr-Commit-Position: refs/heads/master@{#393167}

[modify] https://crrev.com/79fb282a377bd92f2a679babae5c627a4f4f118a/DEPS

ClusterFuzz has detected this issue as fixed in range 392658:393412.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5348140953108480

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  opus_packet
  ogg_packet
  ogg_get_length
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=392658:393412

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9721NXWfVBrExF-v-qMCromqo6bYYJKmawFf0rgD0t3AbxK1JQqEZquNnuI4yzm0SVvu9Gc85vGwS3SRVXhrII2JGsyHThVmRjo0Sbk18mBsV9-VvjYIvViAaQAhZsV-7YOQktDkZ2CwzChP1HiKn76vMJcqg

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Approving merge to M51 branch 2704 based on email thread "Re: Heads up: upcoming ffmpeg DEPS roll for M50/M51". 

Please merge your change to M51 branch 2704 before 5:00 PM PST Monday (05/16).So we can take it for next week LAST M51 beta release. Thank you.

The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=87918

------------------------------------------------------------------
r87918 | chcunningham@google.com | 2016-05-16T18:28:23.295236Z

-----------------------------------------------------------------

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot