Very similar to  bug 612023 , but another one. I manually verified: previous testcase is not reproducible now, but this one causes heap-buffer-overflow.

The following revision refers to this bug:
  https://chromium.googlesource.com/webm/libvpx/+/75b6cfe1c50e749a0edb5460a491ca5ac947aff5

commit 75b6cfe1c50e749a0edb5460a491ca5ac947aff5
Author: Yaowu Xu <yaowu@google.com>
Date: Wed May 25 16:28:36 2016

Prevent read to invalid RefBuffer

This commit adds check to validate RefBuffer before reading into the
data structure, to prevent invalid read.

BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=614701

Change-Id: Ie111e95bd18e88fa19d8b25e097cdf52b7139cb6

[modify] https://crrev.com/75b6cfe1c50e749a0edb5460a491ca5ac947aff5/vp9/decoder/vp9_decodeframe.c

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5453723803582464

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61f00000ee38
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435

Minimized Testcase (94.78 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94tXnneRfKlpA78WlBpYOINL-774P86xbw6E5CbJOOkQL6mEf6s1aljpx4mI95XLTTAQP2nN73z2L4lW_hFkh9IRSledYqOxnw7xQJp8PO44k1BAXEFkQs4_b-6kFDjxXwPHH0kxCxUZZBVA5yCqo1R9KeS7D1uOrZejXBaZnkl3AMgows

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5184593955389440

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61f00000ee38
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
  
Recommended Security Severity: Medium


Minimized Testcase (96.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95k043EHsBpSM4H1vPlJtIfv2E6xIpA4sLBgY0Guge6X4mF-Rgt1RHDCE2FVps9OLBY31PklxRlt6O_7RHG2hcPZDu9jM3NhjZsU86y9qzbZaaj-cAqvGxy92t3T8YxzxNKQWFnJM-HaENqfg3TRsZv9PUkrtRGZLR1oz9VBqT4dVKs67A

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Tom/Marco, would either of you be able to do a libvpx roll with the fix? Thanks. 

We will do a roll on tuesday.

Yeah, Tuesday. Rolling before a long weekend sets the waterfall on fire (well, sometimes).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d

commit dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d
Author: marpan <marpan@chromium.org>
Date: Wed Jun 01 15:55:23 2016

Roll src/third_party/libvpx/source/libvpx/ 4f774ac50..f80d8011a (12 commits).

https://chromium.googlesource.com/webm/libvpx.git/+log/4f774ac50e4d..f80d8011a014

$ git log 4f774ac50..f80d8011a --date=short --no-merges --format='%ad %ae %s'
2016-05-27 jzern acm_random,Rand9Signed: correct cast
2016-05-17 linfengz Upgrade fwht4x4_mmx() to fwht4x4_sse2() for vp9 and vp10.
2016-05-27 tomfinegan vpx_ports/mem_ops.h: cast the lhs of bitwise shifts of 24.
2016-05-19 linfengz Upgrade vpx_lpf_{vertical,horizontal}_4 mmx to sse2
2016-05-25 yaowu Convert to unsigned int before left shift
2016-05-25 marpan vp9: Add datarate test for 1 pass VBR mode.
2016-05-24 yaowu Fix comments in build_intra_predictors_high()
2016-05-25 yaowu Prevent read to invalid RefBuffer
2016-05-24 bvibber Move git version extras out of iOS shared framework bundle version
2016-05-24 jzern remove vp9_diamond_search_sad_avx.c
2016-05-24 slavarnway Code clean of sub_pixel_variance4xh -- 2
2016-05-20 jackychen vp9: Remove a redundent condition in sub-pixel filter choosing.

R=johannkoenig@google.com
BUG= 614701 ,  614648 ,  615046 

Review-Url: https://codereview.chromium.org/2027703002
Cr-Commit-Position: refs/heads/master@{#397153}

[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/DEPS
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/BUILD.gn
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/README.chromium
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/generate_gypi.sh
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/libvpx.gyp
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/libvpx_srcs.gni
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/libvpx_srcs_x86.gypi
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/libvpx_srcs_x86_64.gypi
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/libvpx_srcs_x86_64_intrinsics.gypi
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/libvpx_srcs_x86_intrinsics.gypi
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/linux/ia32/vp9_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/linux/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/linux/x64/vp9_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/linux/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/mac/ia32/vp9_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/mac/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/mac/x64/vp9_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/mac/x64/vpx_dsp_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/vpx_version.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/win/ia32/vp9_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/win/ia32/vpx_dsp_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/win/x64/vp9_rtcd.h
[modify] https://crrev.com/dfb18ad9f81978e1beccc6ba528acf6d9ee9f07d/third_party/libvpx/source/config/win/x64/vpx_dsp_rtcd.h

ClusterFuzz has detected this issue as fixed in range 397107:397187.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5184593955389440

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61f00000ee38
Crash State:
  setup_frame_size_with_refs
  read_uncompressed_header
  vp9_decode_frame
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=397107:397187

Minimized Testcase (96.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95k043EHsBpSM4H1vPlJtIfv2E6xIpA4sLBgY0Guge6X4mF-Rgt1RHDCE2FVps9OLBY31PklxRlt6O_7RHG2hcPZDu9jM3NhjZsU86y9qzbZaaj-cAqvGxy92t3T8YxzxNKQWFnJM-HaENqfg3TRsZv9PUkrtRGZLR1oz9VBqT4dVKs67A

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mark as fixed, based on #13

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Approving merge to M52 branch 2743 based on comment #13 & #14. Please merge asap. Thank you.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Assinging to johann for the merge.

Have the changes staged:
https://chromium-review.googlesource.com/#/c/356191/
https://chromereviews.googleplex.com/459687013

will submit Monday.

The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=89147

------------------------------------------------------------------
r89147 | johannkoenig@google.com | 2016-06-27T17:35:57.741150Z

-----------------------------------------------------------------

The following revision refers to this bug:
  https://chromium.googlesource.com/webm/libvpx/+/3b3ee4a4db9ef239b1e171967c20fc43459430ac

commit 3b3ee4a4db9ef239b1e171967c20fc43459430ac
Author: Yaowu Xu <yaowu@google.com>
Date: Wed May 25 16:28:36 2016

Prevent read to invalid RefBuffer

This commit adds check to validate RefBuffer before reading into the
data structure, to prevent invalid read.

BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=614701

(cherry picked from commit 75b6cfe1c50e749a0edb5460a491ca5ac947aff5)

Change-Id: Ie111e95bd18e88fa19d8b25e097cdf52b7139cb6

[modify] https://crrev.com/3b3ee4a4db9ef239b1e171967c20fc43459430ac/vp9/decoder/vp9_decodeframe.c

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot