pthatcher, deadbeef, looks like the fuzzer found an overflow in sctp data media channels. Can you discuss and help with an owner? I didn't find anything obvious in the blame list here, but the error at least appears to be reproducible so I hope it should be possible to debug what's going on here.

I think I found the issue just by inspecting the code. See: https://codereview.webrtc.org/2061093003/

I have *no* idea how we didn't find this earlier... I guess we don't usually run tests with verbose logging enabled?

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5401728401014784

Fuzzer: phoglund_webrtc_peerconnection
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x06e173d4
Crash State:
  usrsctp_dumppacket
  cricket::SctpDataMediaChannel::OnPacketReceived
  cricket::DataMediaChannel::~DataMediaChannel
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=398942:399015

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95eKGobLVDTuUHLl7Bt4j6T9Dt75dm0A9NGXsqhgEKDfl0Hkl5OFY11N5aC8ZfHYHrKtWGblXuX-WCVI7oaLYjsqQIMW5sWANkmv11rU5F0jldcctvVBw_g3SfykAYK2NkBGyY6bIu-YZDWM2yNhjEn10cVqlKiXCHfw76esWpUiqeBlhw


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Looks like it was successfully fixed by this CL: https://codereview.webrtc.org/2061093003/

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

I'm not sure if this really needs merging, since it only occurs if you enable verbose logging.

If this require a merge to M53, Could you please confirm whether this change is baked/verified in Canary and safe to merge?

This fix is already in M53. I'll remove the merge request label.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot