Global-buffer-overflow in silk_NLSF2A
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5685381651759104
Fuzzer: afl_audio_decoder_opus_redundant_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x0000006ec2a0
Crash State:
  silk_NLSF2A
  silk_decode_parameters
  silk_decode_frame
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=407731:407784
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Jco0bin0jzCPJEWLATIRmgzFHVwiEdGLn_2Vk15ayVrvFMUSrc3AFeoiGTePz_X-R8nUrQJwjuZgO3YBROySVd6JcIfrm_f4nmC4TBSwp-KWDajwiEqu-7sSCdWcGaE6-TutP0QQn9d4W6KYFlDLxvTqYpA?testcase_id=5685381651759104
Filer: metzman
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 27 2016
flim@: This is in Opus right?
Jul 27 2016
Yep, stack:
=================================================================
==19067==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006ec2a0 at pc 0x000000569394 bp 0x7ffd2c1068f0 sp 0x7ffd2c1068e8
READ of size 2 at 0x0000006ec2a0 thread T0
SCARINESS: 24 (2-byte-read-global-buffer-overflow-far-from-bounds)
#0 0x569393 in silk_NLSF2A third_party/opus/src/silk/NLSF2A.c:106:19
#1 0x55c254 in silk_decode_parameters third_party/opus/src/silk/decode_parameters.c:55:5
#2 0x55aef1 in silk_decode_frame third_party/opus/src/silk/decode_frame.c:80:9
#3 0x559639 in silk_Decode third_party/opus/src/silk/dec_API.c:300:20
#4 0x4fd971 in opus_decode_frame third_party/opus/src/src/opus_decoder.c:379:20
#5 0x4fcb9d in opus_decode_native third_party/opus/src/src/opus_decoder.c:667:13
#6 0x502516 in opus_decode third_party/opus/src/src/opus_decoder.c:782:10
#7 0x4f507d in DecodeNative third_party/webrtc/modules/audio_coding/codecs/opus/opus_interface.c:279:13
#8 0x4f507d in WebRtcOpus_DecodeFec third_party/webrtc/modules/audio_coding/codecs/opus/opus_interface.c:350
#9 0x4ea6e2 in webrtc::AudioDecoderOpus::DecodeRedundantInternal(unsigned char const*, unsigned long, int, short*, webrtc::AudioDecoder::SpeechType*) third_party/webrtc/modules/audio_coding/codecs/opus/audio_decoder_opus.cc:56:13
#10 0x4f695c in webrtc::AudioDecoder::DecodeRedundant(unsigned char const*, unsigned long, int, unsigned long, short*, webrtc::AudioDecoder::SpeechType*) third_party/webrtc/modules/audio_coding/codecs/audio_decoder.cc:42:10
#11 0x4ea13a in webrtc::FuzzAudioDecoder(webrtc::DecoderFunctionType, unsigned char const*, unsigned long, webrtc::AudioDecoder*, int, unsigned long, short*) third_party/webrtc/test/fuzzers/audio_decoder_fuzzer.cc:63:18
#12 0x4e9eee in webrtc::FuzzOneInput(unsigned char const*, unsigned long) third_party/webrtc/test/fuzzers/audio_decoder_opus_redundant_fuzzer.cc:21:3
#13 0x4f8cc8 in LLVMFuzzerTestOneInput third_party/webrtc/test/fuzzers/webrtc_fuzzer_main.cc:39:3
#14 0x4f5bd8 in main third_party/libFuzzer/src/afl/afl_driver.cpp:273:7
#15 0x7efd6bc43f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
Jul 27 2016
Are there any instructions on how to set up AFL fuzzing to repro this locally btw? flim@: This input seems to overflow silk_LSFCosTab_FIX_Q12.
Jul 27 2016
"See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information." in comment #0 :)
Jul 27 2016
https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md - this is the right link.
Jul 28 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 28 2016
This change is brought in by upgrading Opus to v1.1.3. I'm working on a fix to be submitted upstream, but we currently have no easy way of cherry picking. I'm looking into changing this now. On the other hand, rolling back to v1.1.2 would cause two ClusterFuzz bugs [1, 2] to resurface.
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=606381
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=600978
Aug 1 2016
The fix has been committed upstream (https://git.xiph.org/?p=opus.git;a=commit;h=79e8f527b0344b0897a65be35e77f7885bd99409) and opus is being moved off DEPS in chromium. Once that has landed, I will apply the fix locally.
Aug 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7b9d8ea29454181f7210e06deff1df2d89347e80

commit 7b9d8ea29454181f7210e06deff1df2d89347e80
Author: flim <flim@chromium.org>
Date: Tue Aug 09 09:26:49 2016

Opus: Ensure that NLSF cannot be negative when computing a min distance between them

Ref: https://git.xiph.org/?p=opus.git;a=commit;h=79e8f527b0344b0897a65be35e77f7885bd99409
BUG= 632124
Review-Url: https://codereview.chromium.org/2214813002
Cr-Commit-Position: refs/heads/master@{#410621}

[modify] https://crrev.com/7b9d8ea29454181f7210e06deff1df2d89347e80/third_party/opus/README.chromium
[modify] https://crrev.com/7b9d8ea29454181f7210e06deff1df2d89347e80/third_party/opus/src/silk/NLSF_stabilize.c
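The two technical points in this thread are that a decoded NLSF value used to index silk_LSFCosTab_FIX_Q12 can go negative, and that the fix lands in the stabilization step that keeps a minimum distance between NLSFs. The following C program is an added example, not Opus code and not the upstream patch: it models the general hazard of a Q15 value turned into a table index, shows a range-checked lookup, and uses a simplified stabilization pass as a stand-in for the real one. The table size (128 intervals, 129 entries), the shift-by-8 index derivation, the table contents and the sample frame are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define TAB_SZ  128      /* assumed: table intervals; the table has TAB_SZ+1 entries */
#define Q15_MAX 32767

/* Constructed table (not the real cosine table): entry i is 4096 - 64*i,
 * so tab[0] = 4096 and tab[TAB_SZ] = -4096. */
static int16_t cos_tab_q12[TAB_SZ + 1];
static int tab_ready;

static void build_table(void)
{
    if (tab_ready) return;
    for (int i = 0; i <= TAB_SZ; i++)
        cos_tab_q12[i] = (int16_t)(4096 - 64 * i);
    tab_ready = 1;
}

/* Q15 -> table index as an unchecked decoder would derive it. For a
 * negative Q15 value the result is outside [0, TAB_SZ], and dereferencing
 * the table with it reads before the global array: the class of bug ASan
 * reports as global-buffer-overflow. */
int index_of(int32_t nlsf_q15)
{
    return nlsf_q15 >> 8;
}

/* Range-checked interpolating lookup. Returns 0 and writes *out_q12 on
 * success, -1 if nlsf_q15 is outside [0, Q15_MAX]. The +1 entry used for
 * interpolation is always valid because f_int <= TAB_SZ - 1. */
int checked_cos_lookup(int32_t nlsf_q15, int32_t *out_q12)
{
    build_table();
    if (nlsf_q15 < 0 || nlsf_q15 > Q15_MAX)
        return -1;
    int f_int  = nlsf_q15 >> 8;             /* 0..127 */
    int f_frac = nlsf_q15 - (f_int << 8);   /* 0..255 */
    int32_t a = cos_tab_q12[f_int];
    int32_t b = cos_tab_q12[f_int + 1];
    *out_q12 = a + ((b - a) * f_frac) / 256;
    return 0;
}

/* Simplified stand-in for NLSF stabilization (assumption, not the Opus
 * algorithm): forces nlsf[0] >= delta, nlsf[i] >= nlsf[i-1] + delta and
 * nlsf[n-1] <= Q15_MAX - delta, so no element is negative or past the end
 * of the table when it is later used as an index. Assumes n*delta is well
 * below Q15_MAX. Returns the number of modifications made. */
int stabilize_nlsf(int16_t *nlsf, int n, int delta)
{
    int changed = 0;
    int32_t lo = delta;
    for (int i = 0; i < n; i++) {            /* forward: lower bound and spacing */
        if (nlsf[i] < lo) { nlsf[i] = (int16_t)lo; changed++; }
        lo = nlsf[i] + delta;
    }
    int32_t hi = Q15_MAX - delta;
    for (int i = n - 1; i >= 0; i--) {       /* backward: upper bound and spacing */
        if (nlsf[i] > hi) { nlsf[i] = (int16_t)hi; changed++; }
        hi = nlsf[i] - delta;
    }
    return changed;
}

/* Constructed sample frame: one negative and one saturated NLSF value. */
int demo_stabilize(int16_t out[4])
{
    const int16_t sample[4] = { -100, 50, 20000, 32767 };
    for (int i = 0; i < 4; i++) out[i] = sample[i];
    return stabilize_nlsf(out, 4, 256);
}

int main(void)
{
    int16_t frame[4];
    int32_t v;
    int changed = demo_stabilize(frame);
    printf("stabilized %d entries:", changed);
    for (int i = 0; i < 4; i++) printf(" %d", frame[i]);
    printf("\nindex_of(-256) = %d (out of [0, %d])\n", index_of(-256), TAB_SZ);
    printf("checked_cos_lookup(-256) -> %s\n",
           checked_cos_lookup(-256, &v) ? "rejected" : "ok");
    return 0;
}
```

The point of the checked lookup is that the decoder's own input validation, not the table size, is what keeps the index in range; the stabilization pass is the place to enforce that invariant once, before any consumer of the NLSF vector indexes a table with it.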
Aug 10 2016
ClusterFuzz has detected this issue as fixed in range 410573:410881.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5685381651759104
Fuzzer: afl_audio_decoder_opus_redundant_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x0000006ec2a0
Crash State:
  silk_NLSF2A
  silk_decode_parameters
  silk_decode_frame
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=407731:407784
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=410573:410881
Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Jco0bin0jzCPJEWLATIRmgzFHVwiEdGLn_2Vk15ayVrvFMUSrc3AFeoiGTePz_X-R8nUrQJwjuZgO3YBROySVd6JcIfrm_f4nmC4TBSwp-KWDajwiEqu-7sSCdWcGaE6-TutP0QQn9d4W6KYFlDLxvTqYpA?testcase_id=5685381651759104
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rickyz@chromium.org, Jul 27 2016
Owner: pbos@chromium.org
Status: Available (was: Untriaged)