Heap-buffer-overflow in Decode
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4578432329711616
Fuzzer: afl_audio_decoder_isac_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x611000008d22
Crash State:
  Decode
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
  webrtc::AudioDecoder::Decode
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=407731:407784
Minimized Testcase (0.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mQV0y7HHAThu9oQoAtKAp7xZNwfa_IhQAH3CFK7IjpHFKgyPqgCwYHGvGruTB7DI1_wLZkoTBj-HVsJLXmxxVy7wCP76D5tnhfoLHtbQYzA9muVIkeR2sl3gT4QnKttYPAcR8H7IIY_BTGV4nbNj6Lu4-uw?testcase_id=4578432329711616
Issue manually filed by: inferno
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 16 2016
Are we already merging corpora between afl and libFuzzer for this target? If no, I'd just wait for libFuzzer results for a few days (given the recent change in https://github.com/google/sanitizers/issues/710).
Aug 16 2016
Yes, corpora are merged for all targets since last Friday. But yes, since this new change just went in, we can wait a few more days and see if it hits on libFuzzer.
Aug 16 2016
Aug 16 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 16 2016
Aug 17 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6378462720032768
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60700000ca9c
Crash State:
  Decode
  DecodeInternal
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94J0ex_qaHWNo4SKYnANKl1CXlaD5Ac5Q2OgWk4S-zp_ddkTnz1LtkwmKYYaEb4a0TujgWPHMofB1-AgTD_OI8zAZmbr9tNI0GJd3z3MkyUm1ERUvs-L5rtys1lwk7RwCv8-9wJMbdQIZZq_RoZ3ugg2UVf6A?testcase_id=6378462720032768
Issue manually filed by: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 23 2016
Aug 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6741033792831488
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60800000dafc
Crash State:
  Decode
  WebRtcIsac_Decode
  webrtc::IsacFloat::DecodeInternal
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=395717:395804
Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96-10QhtkySEF_HEF5_2iop_Ngg1VU1y9udeTHFcby7b4l52d33WitTBybNSUpReMkCCEc9pOq21h07-_XXbgdmCvxXhRMbha8RZgY69g070ZFVhpHpvoqpjHZgUYNDoJc8f-0LeQ15nSrt6KAjWW2F6ycfUw?testcase_id=6741033792831488
Issue manually filed by: inferno
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 27 2016
Aug 30 2016
kwiberg: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 1 2016
smaller repro (37 bytes)
==9141==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000009ac at pc 0x0000005559fc bp 0x7ffcba0c6230 sp 0x7ffcba0c6228
READ of size 1 at 0x6040000009ac thread T0
#0 0x5559fb in Decode third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c:1259:17
#1 0x5538a8 in WebRtcIsac_Decode third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c:1327:10
#2 0x4f99cd in webrtc::IsacFloat::DecodeInternal third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac_float_type.h:41:12
Sep 1 2016
Sep 1 2016
Sep 6 2016
Friendly ping, this is currently a Beta-blocker and needs to get fixed and merged as soon as feasible, as M54 is going to beta this Thursday 9/8
Sep 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/d52bef7d6445070532b3c8463859ee4e1f99d70f

commit d52bef7d6445070532b3c8463859ee4e1f99d70f
Author: kwiberg <kwiberg@webrtc.org>
Date: Tue Sep 06 13:16:03 2016

iSAC float: Handle errors in upper band decoding

We hit a fuzzer bug that caused numDecodedBytesLB + numDecodedBytesUB > lenEncodedBytes, which is obviously bogus. Check for that, and for the case where the UB decoder itself realized that something was wrong. (The code already makes the corresponding check for the LB decoder.)

BUG= chromium:637899
Review-Url: https://codereview.webrtc.org/2315693002
Cr-Commit-Position: refs/heads/master@{#14091}

[modify] https://crrev.com/d52bef7d6445070532b3c8463859ee4e1f99d70f/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
Sep 6 2016
The CL in comment #16 should fix this bug.
Sep 6 2016
Per #15 this needs merging to M54 to be done. Please update if you think this is incorrect. Adding Merge-Request-54 for corresponding merge.
Sep 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/1605d3a146e894e16975dffaa7c60f7658f2ce97

commit 1605d3a146e894e16975dffaa7c60f7658f2ce97
Author: Karl Wiberg <kwiberg@webrtc.org>
Date: Wed Sep 07 08:15:32 2016

iSAC float: Handle errors in upper band decoding

We hit a fuzzer bug that caused numDecodedBytesLB + numDecodedBytesUB > lenEncodedBytes, which is obviously bogus. Check for that, and for the case where the UB decoder itself realized that something was wrong. (The code already makes the corresponding check for the LB decoder.)

BUG= chromium:637899
(cherry picked from commit d52bef7d6445070532b3c8463859ee4e1f99d70f)
Review URL: https://codereview.webrtc.org/2316953002 .
Cr-Commit-Position: refs/branch-heads/54@{#6}
Cr-Branched-From: 185ba29a3c0556798158840c2424416d0fd779fe-refs/heads/master@{#13869}

[modify] https://crrev.com/1605d3a146e894e16975dffaa7c60f7658f2ce97/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
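The invariant the commit message in comments #16 and #19 describes, as an added illustration that is not the WebRTC code: a toy two-band frame decoder over a constructed layout (not the iSAC bitstream) whose band decoder can report consuming more bytes than it was given, with the pre-existing LB check, the new UB error check and the new numDecodedBytesLB + numDecodedBytesUB > lenEncodedBytes check. decode_band_toy, decode_frame and BAND_CAP are assumed names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed two-band frame layout for this illustration only (NOT the real
 * iSAC bitstream): [lb_len][lb payload...][ub_len][ub payload...] */
enum { BAND_CAP = 16 };

/* Toy band decoder: returns header+payload bytes consumed, or -1 when the
 * declared payload would not fit its output. Like the situation the commit
 * message describes, it can yield a bogus count: it copies only the bytes
 * present but still reports the declared size, so the caller must check. */
static int decode_band_toy(const uint8_t *in, size_t avail, uint8_t *out) {
    if (avail < 1) return -1;
    size_t declared = in[0];
    if (declared > BAND_CAP) return -1;               /* decoder-detected error */
    size_t present = (avail - 1 < declared) ? avail - 1 : declared;
    memcpy(out, in + 1, present);
    return (int)(1 + declared);                       /* may exceed avail */
}

/* Frame decoder carrying the checks the fix describes. Returns total bytes
 * consumed, or -1. Without the two UB checks, indexing
 * encoded[numDecodedBytesLB + numDecodedBytesUB] afterwards reads past the
 * buffer, i.e. the 1-byte heap read ASan flagged. */
int decode_frame(const uint8_t *encoded, size_t lenEncodedBytes) {
    uint8_t lb[BAND_CAP], ub[BAND_CAP];               /* decoded band output */
    int numDecodedBytesLB = decode_band_toy(encoded, lenEncodedBytes, lb);
    if (numDecodedBytesLB < 0 || (size_t)numDecodedBytesLB > lenEncodedBytes)
        return -1;                                    /* pre-existing LB check */
    int numDecodedBytesUB = decode_band_toy(
        encoded + numDecodedBytesLB,
        lenEncodedBytes - (size_t)numDecodedBytesLB, ub);
    if (numDecodedBytesUB < 0)
        return -1;                                    /* new: UB decoder failed */
    if ((size_t)numDecodedBytesLB + (size_t)numDecodedBytesUB > lenEncodedBytes)
        return -1;                                    /* new: bands claim too much */
    return numDecodedBytesLB + numDecodedBytesUB;
}

int main(void) {
    const uint8_t good[] = {2, 0xAA, 0xBB, 1, 0xCC};  /* constructed: valid */
    const uint8_t bogus[] = {1, 0xAA, 9, 0x01};       /* constructed: UB claims 9 */
    printf("good=%d bogus=%d\n", decode_frame(good, sizeof good),
           decode_frame(bogus, sizeof bogus));        /* good=5 bogus=-1 */
    return 0;
}
```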
Sep 7 2016
Sep 7 2016
Setting to "fixed" since the CL in comment #19 merges the fix to the M54 branch.
Sep 7 2016
Sep 7 2016
+bustamante@: FYI it looks like the change in #19 was merged into M54 without approval. WebRTC has a tagged branch that we manage ourselves. Normally merge-request labels need to be approved and you should receive a Merge-Approved-54 label before landing it. The CL looks very safe to me, but just so you know.
Sep 9 2016
ClusterFuzz has detected this issue as fixed in range 417261:417322.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6741033792831488
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60800000dafc
Crash State:
  Decode
  WebRtcIsac_Decode
  webrtc::IsacFloat::DecodeInternal
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=395717:395804
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=417261:417322
Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96-10QhtkySEF_HEF5_2iop_Ngg1VU1y9udeTHFcby7b4l52d33WitTBybNSUpReMkCCEc9pOq21h07-_XXbgdmCvxXhRMbha8RZgY69g070ZFVhpHpvoqpjHZgUYNDoJc8f-0LeQ15nSrt6KAjWW2F6ycfUw?testcase_id=6741033792831488
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 9 2016
ClusterFuzz has detected this issue as fixed in range 417261:417297.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4578432329711616
Fuzzer: afl_audio_decoder_isac_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x611000008d22
Crash State:
  Decode
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
  webrtc::AudioDecoder::Decode
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=407731:407784
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=417261:417297
Minimized Testcase (0.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mQV0y7HHAThu9oQoAtKAp7xZNwfa_IhQAH3CFK7IjpHFKgyPqgCwYHGvGruTB7DI1_wLZkoTBj-HVsJLXmxxVy7wCP76D5tnhfoLHtbQYzA9muVIkeR2sl3gT4QnKttYPAcR8H7IIY_BTGV4nbNj6Lu4-uw?testcase_id=4578432329711616
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 9 2016
ClusterFuzz has detected this issue as fixed in range 417024:417277.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6378462720032768
Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60700000ca9c
Crash State:
  Decode
  DecodeInternal
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417024:417277
Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94J0ex_qaHWNo4SKYnANKl1CXlaD5Ac5Q2OgWk4S-zp_ddkTnz1LtkwmKYYaEb4a0TujgWPHMofB1-AgTD_OI8zAZmbr9tNI0GJd3z3MkyUm1ERUvs-L5rtys1lwk7RwCv8-9wJMbdQIZZq_RoZ3ugg2UVf6A?testcase_id=6378462720032768
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 14 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 15 2016
Components: Blink>WebRTC
Owner: phoglund@chromium.org