
Issue 612023

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in setup_frame_size_with_refs

Reported by ClusterFuzz, May 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5391103330615296

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61f00000ee38
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435

Minimized Testcase (158.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952qMbYjknC44QGURmUwSdbdQgfVyI2DlHqUo2Pu5wbnXKmB4afm4aQAGXO9HGjMzfin1LjN4340YjrGtXUAAMGt1FiGoceWaktt0i7gt3xw3h4GU5Q7KYh2dpX6ltnEAKp_i5xEeE--hTBVQXNVNLccvmOBNvAWRAiwgY1WSZNKVm8vs0

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by mmoroz@chromium.org, May 15 2016

Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Internals>Media>Codecs
Labels: Pri-2
Owner: tomfinegan@chromium.org

Comment 2 by ClusterFuzz, May 15 2016

Status: Assigned (was: Available)

Comment 3 by sheriffbot@chromium.org, May 16 2016

Labels: -Pri-2 Pri-1
Labels: M-52
Cc: tomfinegan@chromium.org
Owner: yaowu@chromium.org
yaowu: ptal

Comment 7 by yaowu@chromium.org, May 18 2016

Status: Started (was: Assigned)

Comment 8 by sheriffbot@chromium.org, May 18 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by bugdroid1@chromium.org, May 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/webm/libvpx/+/4f0e4d6cef827bc452848e126a6bedc47424da88

commit 4f0e4d6cef827bc452848e126a6bedc47424da88
Author: Yaowu Xu <yaowu@google.com>
Date: Wed May 18 00:18:26 2016

Prevent invalid read

This commit adds a check before reading into RefBuffer to prevent OOB
read.

BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612023

Change-Id: I5b02951932e7f457cfbe6b2e650790496b8577ae

[modify] https://crrev.com/4f0e4d6cef827bc452848e126a6bedc47424da88/vp9/decoder/vp9_decodeframe.c

yaowu@, can you roll libvpx forward in Chromium and then close this as fixed?

Comment 11 by yaowu@chromium.org, May 23 2016

Owner: marpan@chromium.org
Marco, could you please update this bug after you are done with the roll? Thanks.
Cc: yaowu@chromium.org

Comment 13 by bugdroid1@chromium.org, May 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9

commit 7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9
Author: marpan <marpan@chromium.org>
Date: Mon May 23 18:09:06 2016

Roll src/third_party/libvpx/source/libvpx/ 57566ff24..4f774ac50 (29 commits).

https://chromium.googlesource.com/webm/libvpx.git/+log/57566ff24adb..4f774ac50e4d

$ git log 57566ff24..4f774ac50 --date=short --no-merges --format='%ad %ae %s'
2016-05-19 jzern Revert "Code clean of sub_pixel_variance4xh"
2016-05-19 jzern Revert "Extend the external fb interface to allocate individual planes."
2016-05-19 jzern vp8/error_concealment: remove shift of negative value
2016-05-16 jackychen vp9: Refactor some denoiser logic in vp9_pick_inter_mode.
2016-04-13 dcastagna Extend the external fb interface to allocate individual planes.
2016-05-18 yaowu Clarify integer value ranges
2016-05-17 aconverse Move, rename, and inline high_inter_predictor.
2016-05-17 yaowu Prevent invalid read
2016-05-18 slavarnway Code clean of sub_pixel_variance4xh
2016-05-17 slavarnway VP9: _get_pred_context_switchable_interp()
2016-05-17 yaowu Promote to uint32_t before left shift
2016-05-11 johannkoenig neon hadamard 8x8
2016-05-10 huisu Add level test for VP9
2016-05-13 jackychen Move non-zero mv bias on large block out of vp9_pick_inter_mode.
2016-05-13 marpan vp9: Update to rc-metric for keeping track of average frame size.
2016-05-13 tomfinegan convolve_test: Fix high bit depth IOC runtime errors.
2016-05-02 bvibber Add --enable-shared option to iosbuild.sh to build dynamic framework
2016-05-11 huisu Fix typos in control function for VP9E_SET_TARGET_LEVEL
2016-05-09 tomfinegan simple_encoder: Add a frame limit argument.
2016-05-11 tomfinegan twopass_encoder: Add frame limit argument.
(...)

R=johannkoenig@google.com

BUG=612021, 612023

Review-Url: https://codereview.chromium.org/2005893002
Cr-Commit-Position: refs/heads/master@{#395363}

[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/DEPS
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/README.chromium
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs.gni
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm64.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm_neon.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_arm_neon_cpu_detect_intrinsics.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_x86.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/libvpx_srcs_x86_64.gypi
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm-neon-cpu-detect/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm-neon/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/arm64/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/linux/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/mac/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/mac/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/vpx_version.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/win/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/7257d4cc4f0856ec0b4e2c44dedbdaef7dbf41a9/third_party/libvpx/source/config/win/x64/vpx_dsp_rtcd.h

Marking this as fixed, thanks!

Comment 15 by ClusterFuzz, May 25 2016

ClusterFuzz has detected this issue as fixed in range 395301:395401.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5391103330615296

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61f00000ee38
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395301:395401

Minimized Testcase (158.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952qMbYjknC44QGURmUwSdbdQgfVyI2DlHqUo2Pu5wbnXKmB4afm4aQAGXO9HGjMzfin1LjN4340YjrGtXUAAMGt1FiGoceWaktt0i7gt3xw3h4GU5Q7KYh2dpX6ltnEAKp_i5xEeE--hTBVQXNVNLccvmOBNvAWRAiwgY1WSZNKVm8vs0

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)

Comment 17 by sheriffbot@chromium.org, May 25 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 18 by ClusterFuzz, May 25 2016

Labels: Merge-Triage
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Merge-Request-52
Regressed in 392685, initially in 52.0.2733.0
Fixed in 395363, initially in 53.0.2747.0

Comment 21 by dimu@chromium.org, Jul 11 2016

Labels: -Merge-Request-52 Merge-Approved-52
Approving merge to M52.
Hello! Please merge to M52 by 5pm PDT today (Tuesday 12th) if at all possible. Cheers!
Cc: marpan@chromium.org
Owner: johannkoenig@chromium.org
Johann, can you merge this in?
Please merge your change to M52 branch 2743 before 5:00 PM PST Friday (07/15/16) as we are very close to the M52 stable candidate cut.

Comment 25 by sheriffbot@chromium.org, Jul 15 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by sheriffbot@chromium.org, Jul 18 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by bugdroid1@chromium.org, Jul 18 2016

Labels: merge-merged-m52-2743
The following revision refers to this bug:
  https://chromium.googlesource.com/webm/libvpx/+/669e7b7454ccb4088e300965a5e8ff2586f0d0db

commit 669e7b7454ccb4088e300965a5e8ff2586f0d0db
Author: Yaowu Xu <yaowu@google.com>
Date: Wed May 18 00:18:26 2016

Prevent invalid read

This commit adds a check before reading into RefBuffer to prevent OOB
read.

BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=612023

(cherry picked from commit 4f0e4d6cef827bc452848e126a6bedc47424da88)

Change-Id: I4f0732d4ca92f79b57103bffcff15499073e79a4

[modify] https://crrev.com/669e7b7454ccb4088e300965a5e8ff2586f0d0db/vp9/decoder/vp9_decodeframe.c

If this is already merged to M52, please apply "merge-merged-2743" label and remove "merge-merged-m52-2743" & "Merge-Approved-52" labels. Thank you.

Comment 29 by bugdroid1@chromium.org, Jul 18 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/a754de3405d0fb192dc25e7de4f072cdfd064edd

commit a754de3405d0fb192dc25e7de4f072cdfd064edd
Author: Johann <johannkoenig@google.com>
Date: Mon Jul 18 18:51:01 2016


Comment 30 by bugdroid1@chromium.org, Jul 18 2016


Labels: -Merge-Approved-52 -merge-merged-m52-2743 merge-merged-2743
Cc: jzern@chromium.org vigneshv@chromium.org

Comment 33 by sheriffbot@chromium.org, Aug 31 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 34 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 35 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
