Integer-overflow in webrtc::ParseContent
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6576782847508480

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  webrtc::ParseContent
  ParseContentDescription<cricket::AudioContentDescription>
  ParseMediaDescription

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419163:419248

Minimized Testcase (0.57 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95kOTdjyxEaminnKnziZL2CiyJZxEEIF1-yjlqpX8D4Eopq1R1_s-l0zqVZAx7g4k6Hx_Wh7fMsVDH0yvkZtjqPf1FdfWmXL_90FGzduAv3qMdkEtGiCDLEGqk3KrYwogCvQpEyYX6YhgJ6UVep_xD1I8XkxQ?testcase_id=6576782847508480

v=0 o=- 2013283641453412290 2 IN IP4 127.0.0.1 s=- t=0 '0 a=group:BUNDLE audio video data a=msid-semantic: WMS m=audio 9 UDP/TLS/RTP/SAVPF 111 103 104 9 0 8 106 105 13 126 c=IN 0.0 a=rtcp:9 IN IP4 3:80:7A:DA a=sv=0 o=- 674406941etup:active a=mid:audio a=extmap:1 urn:iet apt=101 a=ktpmap:98 rtx/9000 8 106 105 13 126 c=IN 0.0 a=rtcp:9 IN IP4 3:80:7A:DA a=setup:active a=mid:audio a=extmap:1 urn:iet apt=101 a=rtpmap:98 rtx/90000 0.0.0.0 b=AS:4584320 1840 IN IP4 127.0.0.1 s=- t=0 0 a=30 a=ice-umsid-semantic: WMS local_stream_1 m=audio 2345 RTP/SAVPF 111 103 104 c=IN IP4 74.1on dumm�fra

Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 18 2016
Oct 14 2016
Oct 17 2016
FTR the problem is in https://cs.chromium.org/chromium/src/third_party/webrtc/api/webrtcsdp.cc?sq=package:chromium&type=cs&l=2591: for non-(data & rtp) channels, there's no application-specific bandwidth limit, and since we store 1000*b, you can overflow for large bandwidths. Suggestion: reject SDPs with bandwidth > maxint/1000; I can't imagine anyone wants that much.
Oct 17 2016
I'd suggest clamping it if it's still a valid SDP.
Nov 12 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 13 2016
@deadbeef -- Could you please provide any update on the issue? Thank you.
Dec 13 2016
This bug just slipped through the cracks; fixing now.
Dec 14 2016
The following revision refers to this bug:
https://chromium.googlesource.com/external/webrtc.git/+/b2362577634de26df7e824f526b40ec623b7abfa

commit b2362577634de26df7e824f526b40ec623b7abfa
Author: deadbeef <deadbeef@webrtc.org>
Date: Wed Dec 14 00:37:06 2016

Fixing integer overflow when parsing bandwidth attribute.

It's still valid SDP so just clamp it at INT_MAX.

BUG= chromium:648071
Review-Url: https://codereview.webrtc.org/2571073002
Cr-Commit-Position: refs/heads/master@{#15582}

[modify] https://crrev.com/b2362577634de26df7e824f526b40ec623b7abfa/webrtc/api/webrtcsdp.cc
[modify] https://crrev.com/b2362577634de26df7e824f526b40ec623b7abfa/webrtc/api/webrtcsdp_unittest.cc
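The conversion described in the Oct 17 comment (the parsed b= value multiplied by 1000 and stored in an int) and the clamp the commit above applies, as an added example that is not code from the WebRTC tree: a minimal parser for a "b=AS:<kbps>" line with the unchecked multiplication beside the clamped form, plus the reject-instead alternative that was also suggested in the thread. The struct and function names (Bandwidth, ParseAsKbps, KbpsToBpsClamped and so on) are assumptions made for illustration; the sample input b=AS:4584320 is taken from the minimized testcase in the report, where 4584320 * 1000 = 4584320000 exceeds INT_MAX (2147483647).

```cpp
// Added example, not code from the WebRTC tree: a minimal "b=AS:<kbps>"
// parser reproducing the overflowing kbps -> bps conversion the thread
// describes (1000*b stored in an int) and the clamp-at-INT_MAX fix.
// All names below are invented for illustration.
#include <climits>
#include <cstdio>
#include <string>

struct Bandwidth {
    bool ok;    // false: the line or value was rejected
    int value;  // meaningful only when ok is true
};

// Parses the decimal value after "b=AS:". Rejects anything that is not a
// run of digits, and any value that does not fit in an int on its own.
Bandwidth ParseAsKbps(const std::string& line) {
    static const std::string kPrefix = "b=AS:";
    Bandwidth result{false, 0};
    if (line.compare(0, kPrefix.size(), kPrefix) != 0) return result;
    const std::string digits = line.substr(kPrefix.size());
    if (digits.empty()) return result;
    long long value = 0;  // wide accumulator so the digit loop cannot overflow
    for (char c : digits) {
        if (c < '0' || c > '9') return result;
        value = value * 10 + (c - '0');
        if (value > INT_MAX) return result;  // would not fit an int
    }
    result.ok = true;
    result.value = static_cast<int>(value);
    return result;
}

// Before the fix: kbps * 1000 in int arithmetic. For any kbps > INT_MAX / 1000
// (2147483) this is signed overflow, which is undefined behaviour and is what
// UBSan reported for the fuzz case (b=AS:4584320 -> 4584320000 > INT_MAX).
// Only call this with values that are known to be in range.
int KbpsToBpsUnchecked(int kbps) {
    return kbps * 1000;
}

// After the fix, as the commit message describes it: saturate at INT_MAX
// instead of overflowing. The SDP is still valid and is still accepted.
int KbpsToBpsClamped(int kbps) {
    if (kbps > INT_MAX / 1000) return INT_MAX;
    return kbps * 1000;
}

// The alternative raised earlier in the thread: reject the SDP outright
// when the bandwidth would not fit once converted to bps.
Bandwidth KbpsToBpsStrict(int kbps) {
    if (kbps > INT_MAX / 1000) return Bandwidth{false, 0};
    return Bandwidth{true, kbps * 1000};
}

// Full path a parser takes for one b= line, using the clamping fix.
Bandwidth ParseBandwidthBps(const std::string& line) {
    Bandwidth kbps = ParseAsKbps(line);
    if (!kbps.ok) return kbps;
    return Bandwidth{true, KbpsToBpsClamped(kbps.value)};
}

int main() {
    // Constructed inputs: the fuzz value, the largest safe value, and one past it.
    const char* lines[] = {"b=AS:4584320", "b=AS:2147483", "b=AS:2147484", "b=AS:12x"};
    for (const char* line : lines) {
        Bandwidth bps = ParseBandwidthBps(line);
        if (bps.ok)
            std::printf("%-14s -> %d bps\n", line, bps.value);
        else
            std::printf("%-14s -> rejected\n", line);
    }
    return 0;
}
```

The check `kbps > INT_MAX / 1000` is the overflow test done before the multiplication rather than after it, which is the only correct order for signed ints: testing the product afterwards is already undefined behaviour, so a compiler is free to optimize the comparison away.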
Dec 15 2016
ClusterFuzz has detected this issue as fixed in range 438480:438523.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6576782847508480

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  webrtc::ParseContent
  ParseContentDescription<cricket::AudioContentDescription>
  ParseMediaDescription

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419163:419248
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=438480:438523

Minimized Testcase (0.57 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95kOTdjyxEaminnKnziZL2CiyJZxEEIF1-yjlqpX8D4Eopq1R1_s-l0zqVZAx7g4k6Hx_Wh7fMsVDH0yvkZtjqPf1FdfWmXL_90FGzduAv3qMdkEtGiCDLEGqk3KrYwogCvQpEyYX6YhgJ6UVep_xD1I8XkxQ?testcase_id=6576782847508480

v=0 o=- 2013283641453412290 2 IN IP4 127.0.0.1 s=- t=0 '0 a=group:BUNDLE audio video data a=msid-semantic: WMS m=audio 9 UDP/TLS/RTP/SAVPF 111 103 104 9 0 8 106 105 13 126 c=IN 0.0 a=rtcp:9 IN IP4 3:80:7A:DA a=sv=0 o=- 674406941etup:active a=mid:audio a=extmap:1 urn:iet apt=101 a=ktpmap:98 rtx/9000 8 106 105 13 126 c=IN 0.0 a=rtcp:9 IN IP4 3:80:7A:DA a=setup:active a=mid:audio a=extmap:1 urn:iet apt=101 a=rtpmap:98 rtx/90000 0.0.0.0 b=AS:4584320 1840 IN IP4 127.0.0.1 s=- t=0 0 a=30 a=ice-umsid-semantic: WMS local_stream_1 m=audio 2345 RTP/SAVPF 111 103 104 c=IN IP4 74.1on dumm�fra

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 15 2016
ClusterFuzz testcase 6576782847508480 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mmoroz@chromium.org, Sep 18 2016
Components: Blink>WebRTC
Owner: kjellander@chromium.org