
Issue 651625


Issue metadata

Status: Verified
Owner:
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Integer-overflow in vpx_highbd_idct4_c

Reported by ClusterFuzz (Project Member), Sep 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6710143586926592

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  vpx_highbd_idct4_c
  vpx_highbd_idct4x4_16_add_sse2
  inverse_transform_block_intra
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420478:420535

Minimized Testcase (0.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ma3SDE6obsYvnohtO1ETobguk56pldRxNHVeGpRAJ9PWuWS7kpsjqo8_MUd-QOW1I8rjBQoRCJLpelJkz4i-2WPrD5LrJDAjmViJQHlePPr82IcpSln68xK2qlDFQC5y6_RCwFJmFTo7wcDTfABAtwkI3JA?testcase_id=6710143586926592

Issue manually filed by: mummareddy

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: johannkoenig@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: M-55 Te-Logged
Owner: tomfinegan@chromium.org
Status: Assigned (was: Untriaged)

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Debargha Mukherjee
Project: chromium-libvpx
Changelist: https://chromium.googlesource.com/webm/libvpx.git/+/aa90983696548bc808c07bcafa1b6790c3d440af
Time: Wed May 25 19:24:48 2016
The CL last changed line 1364 of file inv_txfm.c, which is stack frame 0.

Author: Jingning Han
Project: chromium-libvpx
Changelist: https://chromium.googlesource.com/webm/libvpx.git/+/08a453b9de37c796f52e439da98364923726d095
Time: Mon Aug 03 21:51:10 2015
The CL last changed line 3538 of file inv_txfm_sse2.c, which is stack frame 1.

Author: James Zern
Project: chromium-libvpx
Changelist: https://chromium.googlesource.com/webm/libvpx.git/+/f64a30acef807141c17f6d8bb7768a46a1bfd46b
Time: Thu Mar 24 03:24:17 2016
The CL last changed line 264 of file vp9_decodeframe.c, which is stack frame 2.

Author: clang-format
Project: chromium-libvpx
Changelist: https://chromium.googlesource.com/webm/libvpx.git/+/08131055e4d55003104c0be787c4870d97b6e86f
Time: Wed Jul 27 03:20:13 2016
The CL last changed line 346 of file vp9_decodeframe.c, which is stack frame 3.

Author: clang-format
Project: chromium-libvpx
Changelist: https://chromium.googlesource.com/webm/libvpx.git/+/08131055e4d55003104c0be787c4870d97b6e86f
Time: Wed Jul 27 03:20:13 2016
The CL last changed line 814 of file vp9_decodeframe.c, which is stack frame 4.

Author: Scott LaVarnway
Project: chromium-libvpx
Changelist: https://chromium.googlesource.com/webm/libvpx.git/+/13a4f14710baf3d6f649978f61ba3c40812704aa
Time: Thu Jul 09 12:30:46 2015
The CL last changed line 939 of file vp9_decodeframe.c, which is stack frame 5.

Author: clang-format
Project: chromium-libvpx
Changelist: https://chromium.googlesource.com/webm/libvpx.git/+/08131055e4d55003104c0be787c4870d97b6e86f
Time: Wed Jul 27 03:20:13 2016
The CL last changed line 1445 of file vp9_decodeframe.c, which is stack frame 6.

Suspected Project: chromium-libvpx

Assigning to the owners of the path //src/third_party/libvpx/OWNERS
tomfinegan@, could you please take a look and help us find the correct owner if it is not related to your changes.
Cc: jzern@chromium.org angiebird@google.com
Owner: johannko...@google.com
Tom is OOO

Angie, this is appearing after your iht change was merged:
https://bugs.chromium.org/p/webm/issues/detail?id=1286

Any idea if it is related?
This could be a similar issue.
vpx_highbd_idct4x4_16_add_sse2 will check if there is an overflow. If there is one, it will call the C function.

My previous fix doesn't contain this code flow; that's why it happens.

A similar fix can be done if the above description is the case.

I will try to fix it ASAP.

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org (Project Member), Oct 4 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/webm/libvpx/+/5b073c695ba70c87daa1ff843e57ff59f5e3034d

commit 5b073c695ba70c87daa1ff843e57ff59f5e3034d
Author: Angie Chiang <angiebird@google.com>
Date: Fri Sep 30 23:53:20 2016

Move highbd txfm input range check from 2d iht transform to 1d idct/iadst

This change will make the highbd txfm input range check more comprehensive

The 25-bit highbd input range is composed of
12 signal input bits + 7 bits for 2D forward transform amplification + 5 bits for
1D inverse transform amplification + 1 bit for contingency in rounding and quantizing

BUG=https://bugs.chromium.org/p/webm/issues/detail?id=1286
BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=651625

Change-Id: I04c0796edd7653f8d463fba5dc418132986131e7

[modify] https://crrev.com/5b073c695ba70c87daa1ff843e57ff59f5e3034d/vp9/common/vp9_idct.c
[modify] https://crrev.com/5b073c695ba70c87daa1ff843e57ff59f5e3034d/vpx_dsp/inv_txfm.c
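The two pieces of reasoning above, comment 3's "check the input range and fall back to the C path" and the commit message's 25-bit budget (12 signal bits + 7 + 5 + 1), as an added, self-contained C example. This is not libvpx's code and not the fix in 5b073c6: the cospi_* constants, DCT_CONST_BITS and the 4-point butterfly follow the public vpx_dsp IDCT, but the guard function highbd_input_out_of_range, its 2^25 threshold, the helper idct4_first_add_overflows, the return codes and the sample coefficient vectors are this example's own assumptions. The helper shows, computed safely in 64 bits, the kind of 32-bit coefficient addition that UBSan flags when a coefficient is unbounded; with the guard at the 1-D entry point, every intermediate stays well inside int32.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not libvpx code. Types and constants mirror the public
 * vpx_dsp 4-point IDCT; the guard, its threshold and the return codes are
 * this example's assumptions. */
typedef int32_t tran_low_t;   /* coefficient storage type in highbd builds */
typedef int64_t tran_high_t;  /* widened type for products and sums */

#define DCT_CONST_BITS 14
#define DCT_CONST_ROUNDING (1 << (DCT_CONST_BITS - 1))
static const tran_high_t cospi_8_64 = 15137;  /* round(16384 * cos(8*pi/64)) */
static const tran_high_t cospi_16_64 = 11585; /* round(16384 * cos(16*pi/64)) */
static const tran_high_t cospi_24_64 = 6270;  /* round(16384 * cos(24*pi/64)) */

/* Input budget from the commit message: 12 signal bits + 7 (2D forward gain)
 * + 5 (1D inverse gain) + 1 (rounding/quantisation slack) = 25 bits. */
#define HIGHBD_TXFM_INPUT_BITS (12 + 7 + 5 + 1)

static inline tran_high_t dct_const_round_shift(tran_high_t v) {
  return (v + DCT_CONST_ROUNDING) >> DCT_CONST_BITS;
}

/* Returns 1 if any coefficient falls outside the signed 25-bit range, else 0.
 * Assumed helper: libvpx's own check is not reproduced here. */
int highbd_input_out_of_range(const tran_low_t *input, int size) {
  const tran_high_t limit = (tran_high_t)1 << HIGHBD_TXFM_INPUT_BITS;
  for (int i = 0; i < size; ++i) {
    const tran_high_t v = input[i];
    if (v >= limit || v <= -limit) return 1;
  }
  return 0;
}

/* Evaluated in 64 bits (no UB here): would the transform's first 32-bit
 * addition, input[0] + input[2], overflow int32 for this input? */
int idct4_first_add_overflows(const tran_low_t *input) {
  const tran_high_t s = (tran_high_t)input[0] + (tran_high_t)input[2];
  return s > INT32_MAX || s < INT32_MIN;
}

/* 1-D 4-point inverse DCT with the range guard at the 1-D entry point.
 * Returns 0 on success; -1 with zeroed output when the input is rejected. */
int example_highbd_idct4(const tran_low_t *input, tran_low_t *output) {
  tran_high_t step[4];
  if (highbd_input_out_of_range(input, 4)) {
    memset(output, 0, 4 * sizeof(*output));
    return -1;
  }
  /* With |input| < 2^25: the int32 sums below are under 2^26, the 64-bit
   * products under 2^26 * 2^14 = 2^40, each step under 2^26 after the
   * shift, and the final additions under 2^27, so nothing can overflow. */
  step[0] = dct_const_round_shift((input[0] + input[2]) * cospi_16_64);
  step[1] = dct_const_round_shift((input[0] - input[2]) * cospi_16_64);
  step[2] = dct_const_round_shift(input[1] * cospi_24_64 - input[3] * cospi_8_64);
  step[3] = dct_const_round_shift(input[1] * cospi_8_64 + input[3] * cospi_24_64);
  output[0] = (tran_low_t)(step[0] + step[3]);
  output[1] = (tran_low_t)(step[1] + step[2]);
  output[2] = (tran_low_t)(step[1] - step[2]);
  output[3] = (tran_low_t)(step[0] - step[3]);
  return 0;
}
```

A DC-only block of {64, 0, 0, 0} passes the guard and yields 45 in all four outputs; a constructed vector {INT32_MAX, 0, 1, 0} fails the guard and would have overflowed the very first 32-bit addition had it reached the butterfly. Placing the check in the 1-D routine rather than in the 2-D wrapper is what makes it cover every caller, including SIMD wrappers that fall back to the C path.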

Comment 6 by bugdroid1@chromium.org (Project Member), Oct 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7dd5d014381033352b45e84b158b317010520251

commit 7dd5d014381033352b45e84b158b317010520251
Author: johannkoenig <johannkoenig@google.com>
Date: Thu Oct 06 03:26:40 2016

Roll src/third_party/libvpx/source/libvpx/ 50b9c467d..897870497 (8 commits).

https://chromium.googlesource.com/webm/libvpx.git/+log/50b9c467da77..897870497024

$ git log 50b9c467d..897870497 --date=short --no-merges --format='%ad %ae %s'
2016-09-21 sarahparker Remove rate deviation metric from vp8
2016-10-03 johannkoenig Connect partial IDCT tests
2016-09-30 angiebird Move highbd txfm input range check from 2d iht transform to 1d idct/iadst
2016-10-03 kaustubh.raste Fix vpx_plane_add_noise_msa functionality bit-mismatch
2016-10-03 marpan Update to vpx_temporal_svc_encoder command line.
2016-04-13 gezalore Fix warning when building with GCC 5.
2016-10-01 jzern invalid_file_test: quiet unused const warning
2016-09-30 jzern cosmetics,*_neon.c: rm redundant return from void fns

BUG= 651625 

Review-Url: https://codereview.chromium.org/2395863002
Cr-Commit-Position: refs/heads/master@{#423420}

[modify] https://crrev.com/7dd5d014381033352b45e84b158b317010520251/DEPS
[modify] https://crrev.com/7dd5d014381033352b45e84b158b317010520251/third_party/libvpx/README.chromium
[modify] https://crrev.com/7dd5d014381033352b45e84b158b317010520251/third_party/libvpx/source/config/vpx_version.h

Comment 7 by ClusterFuzz (Project Member), Oct 7 2016

ClusterFuzz has detected this issue as fixed in range 423416:423453.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6710143586926592

Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  vpx_highbd_idct4_c
  vpx_highbd_idct4x4_16_add_sse2
  inverse_transform_block_intra
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420478:420535
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=423416:423453

Minimized Testcase (0.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ma3SDE6obsYvnohtO1ETobguk56pldRxNHVeGpRAJ9PWuWS7kpsjqo8_MUd-QOW1I8rjBQoRCJLpelJkz4i-2WPrD5LrJDAjmViJQHlePPr82IcpSln68xK2qlDFQC5y6_RCwFJmFTo7wcDTfABAtwkI3JA?testcase_id=6710143586926592

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Oct 7 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Comment 10 by bugdroid1@chromium.org (Project Member), Oct 27 2016

Labels: merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7dd5d014381033352b45e84b158b317010520251

Comment 11 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840

Comment 12 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
