Heap-buffer-overflow in fixup_vorbis_headers
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5321617718116352

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x60500000c64d
Crash State:
  fixup_vorbis_headers
  vorbis_header
  ogg_packet

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=379001:379054

Minimized Testcase (6.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9659be56qMfmJk4NNfnnGD0tDi-D3AIjynWkkoBxJZ1v6Ta-EKGXM6mMwWLnUpgWfdWob-RFT3wN_CqytBynelKQkZMisXPKSQ29qbkdppqmyy4QzzDSnUI3Mu9w0TX4zQ6sYVmmnrQec3432C5kEG5agjQKg

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 11 2016

Apr 11 2016

Apr 12 2016
I wonder if we can change this target function to not spawn any threads? This should make it quite a bit more efficient.

Apr 14 2016

Apr 14 2016

Apr 25 2016
wolenetz: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Apr 28 2016

Apr 28 2016

Apr 29 2016
Sharding this one to chcunningham@. Thanks Chris!

Apr 29 2016
Probably in M-50 - Chris, please check as part of fixing this.

Apr 30 2016

May 6 2016
May 6 2016
Just FYI: We're cutting M50 Stable RC on Monday @ 1:00 PM PST for M50 Stable refresh release on Tuesday (05/10).

May 6 2016
Understood. Do you know what time the cut is made on Monday? I've made progress on this, but it will be tight to get it in by then.

May 6 2016
We're planning to cut RC on Monday @ 1:00 PM PST.

May 6 2016
This bug already exists on live stable build, right? If it is, then I wouldn't hold the stable release for next week for this bug [if fix is NOT ready in time]. Please do let me know if there is any concern here. Thank you.

May 6 2016
Yes, it's already in live stable. I will still try to fix quickly, but IMO it's not worth holding the release if I fail to make it happen. Technical details: I've traced the allocation (originally size 13). The ogg demuxing is flipping back and forth between treating this like vorbis and opus, and that's causing the private data (that stores the length of this allocation) to be misinterpreted and overridden with a new, much larger invalid length of 10552. A bit more digging to know why it's flipping back and forth... I'll update by EOD.

May 6 2016
Removing release block label per comments 17 and 16.

May 6 2016
Same bug exists on M51 as well. So adding "M-51" label.

May 9 2016
Patch submitted for review upstream: http://ffmpeg.org/pipermail/ffmpeg-devel/2016-May/194058.html
Will cherry-pick and merge back asap.

May 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/f9d14636785028c9f4f9feb1f5ff866faec2d33f

commit f9d14636785028c9f4f9feb1f5ff866faec2d33f
Author: Chris Cunningham <chcunningham@chromium.org>
Date: Mon May 09 22:27:29 2016

    libavformat/oggdec: Free stream private when header parsing fails.

    Leaking this private structure opens up the possibility that it may be re-used when parsing later packets in the stream. This is problematic if the later packets are not the same codec type (e.g. private allocated during Vorbis parsing, but later packets are Opus and the private is assumed to be the oggopus_private type in opus_header()).

    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
    (cherry picked from commit 542f725964e52201000ec34e2f23229cf534ad3a)

    BUG=602185
    Change-Id: If92d22fe68be601d9fac8ab4c6b3142baecab03e

[modify] https://crrev.com/f9d14636785028c9f4f9feb1f5ff866faec2d33f/libavformat/oggdec.c
[modify] https://crrev.com/f9d14636785028c9f4f9feb1f5ff866faec2d33f/chromium/patches/README
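As an added example (not FFmpeg's or Chromium's code, and not the patch referenced above), the following C program models the hardening the commit message describes: a demuxer stream's codec-private data is released as soon as header parsing fails, so it can never be picked up by a later packet that a different codec's header parser claims. The example goes one step beyond the patch by also tagging the private with the codec that allocated it, so a stale private from another codec is discarded rather than reinterpreted. The struct layouts, the `owner` tag, the constructed packet bytes and every function name here are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Which codec currently owns a stream's private data (assumed tag, not in FFmpeg). */
enum codec_kind { CODEC_NONE = 0, CODEC_VORBIS, CODEC_OPUS };

/* Constructed per-codec private layouts; they deliberately differ so that
 * reading one through the other's type would yield garbage, as in the report. */
struct vorbis_priv { size_t len[3]; unsigned char *packet[3]; };
struct opus_priv   { unsigned pre_skip; int need_comments; };

struct stream {
    enum codec_kind owner;  /* codec that allocated `priv` */
    void *priv;
};

/* Release the private and forget its owner. Safe to call on an empty stream. */
static void stream_free_private(struct stream *os) {
    if (os->owner == CODEC_VORBIS && os->priv) {
        struct vorbis_priv *p = os->priv;
        for (int i = 0; i < 3; i++) free(p->packet[i]);
    }
    free(os->priv);
    os->priv = NULL;
    os->owner = CODEC_NONE;
}

/* Give `who` a private of `size` bytes, never handing it memory another codec
 * allocated. Returns 1 on success, 0 on allocation failure. */
static int stream_acquire_private(struct stream *os, enum codec_kind who, size_t size) {
    if (os->priv && os->owner != who)
        stream_free_private(os);        /* stale private from another codec */
    if (!os->priv) {
        os->priv = calloc(1, size);
        if (!os->priv) return 0;
        os->owner = who;
    }
    return 1;
}

/* Constructed Vorbis header parser: first byte 0x01/0x03/0x05, then "vorbis".
 * On any failure the private is freed before returning, which is the
 * behaviour the fix adds; the buggy code left it allocated. */
static int vorbis_header(struct stream *os, const unsigned char *buf, size_t n) {
    if (!stream_acquire_private(os, CODEC_VORBIS, sizeof(struct vorbis_priv))) return 0;
    struct vorbis_priv *p = os->priv;
    if (n < 7 || memcmp(buf + 1, "vorbis", 6) != 0 || (buf[0] & 1) == 0 || buf[0] > 5) {
        stream_free_private(os);
        return 0;
    }
    int idx = buf[0] >> 1;              /* 0x01 -> 0, 0x03 -> 1, 0x05 -> 2 */
    unsigned char *copy = malloc(n);
    if (!copy) { stream_free_private(os); return 0; }
    memcpy(copy, buf, n);
    free(p->packet[idx]);
    p->packet[idx] = copy;
    p->len[idx] = n;
    return 1;
}

/* Constructed Opus header parser: "OpusHead", version, channels, then a
 * 16-bit little-endian pre-skip. It only ever touches a private it owns. */
static int opus_header(struct stream *os, const unsigned char *buf, size_t n) {
    if (n < 12 || memcmp(buf, "OpusHead", 8) != 0) return 0;
    if (!stream_acquire_private(os, CODEC_OPUS, sizeof(struct opus_priv))) return 0;
    struct opus_priv *p = os->priv;
    p->pre_skip = (unsigned)buf[10] | ((unsigned)buf[11] << 8);
    p->need_comments = 1;
    return 1;
}

/* Packet sequence modelled on the report: a truncated Vorbis header, then an
 * Opus header on the same stream, then a valid Vorbis header. Returns 0 when
 * every step behaves as the hardened demuxer should, else the failing step. */
static int run_scenario(void) {
    static const unsigned char bad_vorbis[]  = { 0x01, 'v', 'o', 'r' };
    static const unsigned char opus_head[]   = { 'O','p','u','s','H','e','a','d', 1, 2, 0x38, 0x01 };
    static const unsigned char good_vorbis[] = { 0x01, 'v','o','r','b','i','s', 0, 0, 0, 0 };
    struct stream os = { CODEC_NONE, NULL };
    int rc = 0;
    if (vorbis_header(&os, bad_vorbis, sizeof bad_vorbis) != 0 || os.priv != NULL)
        rc = 1;                                    /* failure must not leak the private */
    else if (!opus_header(&os, opus_head, sizeof opus_head) || os.owner != CODEC_OPUS
             || ((struct opus_priv *)os.priv)->pre_skip != 312)
        rc = 2;
    else if (!vorbis_header(&os, good_vorbis, sizeof good_vorbis) || os.owner != CODEC_VORBIS
             || ((struct vorbis_priv *)os.priv)->len[0] != sizeof good_vorbis)
        rc = 3;                                    /* Opus private must not be reused */
    stream_free_private(&os);
    return rc;
}

int main(void) {
    int rc = run_scenario();
    if (rc == 0) puts("all steps ok");
    else printf("step %d misbehaved\n", rc);
    return rc;
}
```

The program exits 0 when the truncated Vorbis header leaves no private behind and the later Opus and Vorbis headers each receive freshly allocated, correctly typed state. Deleting the `stream_free_private` call on the failure path of `vorbis_header` recreates the leak class the commit message describes, which is the kind of regression an ASan build of this sequence would flag.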

May 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/79fb282a377bd92f2a679babae5c627a4f4f118a

commit 79fb282a377bd92f2a679babae5c627a4f4f118a
Author: tguilbert <tguilbert@chromium.org>
Date: Thu May 12 03:21:23 2016

    Roll src/third_party/ffmpeg/ 20d74768d..77fdc79ab (3 commits).

    https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/20d74768dcd9..77fdc79ab485

    $ git log 20d74768d..77fdc79ab --date=short --no-merges --format='%ad %ae %s'
    2016-05-11 michael avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()
    2016-05-09 chcunningham libavformat/oggdec: Free stream private when header parsing fails.
    2016-05-10 michael avformat/oggparseopus: Check that granule pos is within the supported range

    BUG=600959,602185,603495
    R=wolenetz

    Review-Url: https://codereview.chromium.org/1969993003
    Cr-Commit-Position: refs/heads/master@{#393167}

[modify] https://crrev.com/79fb282a377bd92f2a679babae5c627a4f4f118a/DEPS

May 13 2016
ClusterFuzz has detected this issue as fixed in range 392580:392609.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5321617718116352

Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x60500000c64d
Crash State:
  fixup_vorbis_headers
  vorbis_header
  ogg_packet

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=379001:379054
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392580:392609

Minimized Testcase (6.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9659be56qMfmJk4NNfnnGD0tDi-D3AIjynWkkoBxJZ1v6Ta-EKGXM6mMwWLnUpgWfdWob-RFT3wN_CqytBynelKQkZMisXPKSQ29qbkdppqmyy4QzzDSnUI3Mu9w0TX4zQ6sYVmmnrQec3432C5kEG5agjQKg

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

May 13 2016

May 13 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

May 13 2016
Approving merge to M51 branch 2704 based on email thread "Re: Heads up: upcoming ffmpeg DEPS roll for M50/M51". Please merge your change to M51 branch 2704 before 5:00 PM PST Monday (05/16), so we can take it for next week's LAST M51 beta release. Thank you.

May 14 2016
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. - Your friendly ClusterFuzz

May 14 2016

May 16 2016
The following revision refers to this bug: http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=87918

------------------------------------------------------------------
r87918 | chcunningham@google.com | 2016-05-16T18:28:23.295236Z
------------------------------------------------------------------

May 24 2016

May 24 2016

Aug 20 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
Comment 1 by mmoroz@chromium.org, Apr 11 2016
Components: Internals>Media
Labels: Pri-1
Owner: wolenetz@chromium.org