Heap-buffer-overflow in ff_index_search_timestamp

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6061267346522112

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x60e000020278
Crash State:
  ff_index_search_timestamp
  mov_seek_stream
  mov_read_seek

Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433020:433162

Minimized Testcase (34.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94tYktKARn_sGFUwWIaUand2e-PJ338cBMuGDUpxoneN4YH2hFm8KrWTGXFK_JUzviOdHeHA7qsK_PqOl--CgRdeelfhdhDYCFGgGnG0WVVU-Z4jnDo-9Wz_tq25740KEJQCTEayyPj5KqNxQS_VdY2BPczNn2opWy2UfE_Om9OVZvwm1g?testcase_id=6061267346522112

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 18 2016

Nov 19 2016

Nov 19 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 19 2016

Nov 21 2016
I'll take a look along with several others.

Nov 21 2016
I have a local Linux repro. Working on a fix...

Nov 21 2016
The regression is from the FFmpeg roll (issue 591845). I have a fix in review currently at https://chromium-review.googlesource.com/#/c/413306/.

Nov 21 2016

Nov 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/e91355afac548fbc7cc0cb4ecbc06dce6495df80

commit e91355afac548fbc7cc0cb4ecbc06dce6495df80
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Mon Nov 21 23:54:02 2016

lavf/utils.c Protect against accessing entries[nb_entries]

In ff_index_search_timestamp(), if b == num_entries, m == num_entries - 1, and entries[m].flags & AVINDEX_DISCARD_FRAME is true, then the search for the next non-discarded packet could access entries[nb_entries], exceeding its bounds. This change adds a protection against that scenario.

BUG=666770,666769
R=dalecurtis@chromium.org

Change-Id: Ib9a84dae74dad1e70a7a0afcf3382fd187152733
Reviewed-on: https://chromium-review.googlesource.com/413306
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>

[modify] https://crrev.com/e91355afac548fbc7cc0cb4ecbc06dce6495df80/libavformat/utils.c
[modify] https://crrev.com/e91355afac548fbc7cc0cb4ecbc06dce6495df80/chromium/patches/README
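The scenario in the commit message above, worked through as an added example. This is not FFmpeg's code and not the patch linked above (the diff is not on this page): it is a reduced model of the index binary search, with local names modelled on AVIndexEntry, AVINDEX_KEYFRAME, AVINDEX_DISCARD_FRAME and AVSEEK_FLAG_* (IndexEntry, IDX_*, SEEK_*, all assumptions). Reads go through an instrumented accessor that counts out-of-range indices instead of dereferencing them, so the unguarded path shows the entries[nb_entries] read the sanitizer flagged (an 8-byte int64_t timestamp, matching the "READ 8" in the report; in FFmpeg the array is heap-allocated, which is why ASan calls it a heap-buffer-overflow). The `guard` flag adds one way of implementing the protection the message describes: the skip loop is not allowed to advance past the last entry.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for AVIndexEntry flags and AVSEEK flags (assumed values). */
#define IDX_KEYFRAME      0x0001
#define IDX_DISCARD_FRAME 0x0002
#define SEEK_BACKWARD     0x0001
#define SEEK_ANY          0x0004

typedef struct {
    int64_t timestamp;
    int     flags;
} IndexEntry;

/* Index wrapper whose accessor counts out-of-range reads and answers them
 * with a sentinel, so the overflow can be observed without undefined
 * behaviour. In FFmpeg the same read hits the heap buffer past its end. */
typedef struct {
    const IndexEntry *entries;
    int               nb_entries;
    int               oob_reads;
} Index;

static const IndexEntry *entry_at(Index *idx, int i)
{
    static const IndexEntry sentinel = { INT64_MAX, 0 };
    if (i < 0 || i >= idx->nb_entries) {
        idx->oob_reads++;
        return &sentinel;
    }
    return &idx->entries[i];
}

/* Binary search for wanted, skipping entries flagged DISCARD_FRAME.
 * guard == 0: with b == nb_entries and m == nb_entries - 1 pointing at a
 * discarded entry, the skip loop steps m to nb_entries and then reads
 * entries[nb_entries] in the "m == b" check.
 * guard == 1: the extra bound m < nb_entries - 1 keeps m inside the array. */
static int index_search_timestamp(Index *idx, int64_t wanted, int flags, int guard)
{
    int a = -1, b = idx->nb_entries, m;
    int64_t ts;

    /* Fast path for appending at the end of the index. */
    if (b && entry_at(idx, b - 1)->timestamp < wanted)
        a = b - 1;

    while (b - a > 1) {
        m = (a + b) >> 1;

        /* Search for the next non-discarded packet. */
        while ((entry_at(idx, m)->flags & IDX_DISCARD_FRAME) && m < b &&
               (!guard || m < idx->nb_entries - 1)) {
            m++;
            if (m == b && entry_at(idx, m)->timestamp >= wanted) {
                m = b - 1;
                break;
            }
        }

        ts = entry_at(idx, m)->timestamp;
        if (ts >= wanted)
            b = m;
        if (ts <= wanted)
            a = m;
    }
    m = (flags & SEEK_BACKWARD) ? a : b;

    /* Walk to a keyframe unless the caller accepts any entry. */
    if (!(flags & SEEK_ANY))
        while (m >= 0 && m < idx->nb_entries &&
               !(entry_at(idx, m)->flags & IDX_KEYFRAME))
            m += (flags & SEEK_BACKWARD) ? -1 : 1;

    return m == idx->nb_entries ? -1 : m;
}

/* Constructed 3-entry index whose last entry is a discarded frame; seeking
 * to 15 puts the midpoint on it with b == nb_entries. Returns the number
 * of out-of-bounds reads and stores the search result in *result. */
static int run_seek_case(int guard, int flags, int *result)
{
    static const IndexEntry entries[3] = {
        {  0, IDX_KEYFRAME },
        { 10, IDX_KEYFRAME },
        { 20, IDX_KEYFRAME | IDX_DISCARD_FRAME },
    };
    Index idx = { entries, 3, 0 };
    *result = index_search_timestamp(&idx, 15, flags, guard);
    return idx.oob_reads;
}

static int seek_oob_reads(int guard, int flags) { int r; return run_seek_case(guard, flags, &r); }
static int seek_result(int guard, int flags)    { int r; run_seek_case(guard, flags, &r); return r; }

int main(void)
{
    printf("unguarded: oob_reads=%d result=%d\n", seek_oob_reads(0, 0), seek_result(0, 0));
    printf("guarded:   oob_reads=%d result=%d\n", seek_oob_reads(1, 0), seek_result(1, 0));
    return 0;
}
```

Both variants return index 2 for this input; the difference is that the unguarded loop performs one read at index 3 on the way there, which is exactly the kind of silent out-of-bounds read a fuzzer with ASan catches and a plain functional test does not.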

Nov 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b46025db9f4903b694812dbed8d1630c01897e65

commit b46025db9f4903b694812dbed8d1630c01897e65
Author: wolenetz <wolenetz@chromium.org>
Date: Tue Nov 22 01:59:56 2016

Roll src/third_party/ffmpeg/ 92f86a517..e91355afa (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/92f86a51725e..e91355afac54

$ git log 92f86a517..e91355afa --date=short --no-merges --format='%ad %ae %s'
2016-11-21 wolenetz lavf/utils.c Protect against accessing entries[nb_entries]

TBR=dalecurtis@chromium.org
BUG=666770,666769,591845

Review-Url: https://codereview.chromium.org/2521573003
Cr-Commit-Position: refs/heads/master@{#433740}

[modify] https://crrev.com/b46025db9f4903b694812dbed8d1630c01897e65/DEPS

Nov 22 2016
ClusterFuzz has detected this issue as fixed in range 433593:433755.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6061267346522112

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x60e000020278
Crash State:
  ff_index_search_timestamp
  mov_seek_stream
  mov_read_seek

Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433020:433162
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433593:433755

Minimized Testcase (34.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94tYktKARn_sGFUwWIaUand2e-PJ338cBMuGDUpxoneN4YH2hFm8KrWTGXFK_JUzviOdHeHA7qsK_PqOl--CgRdeelfhdhDYCFGgGnG0WVVU-Z4jnDo-9Wz_tq25740KEJQCTEayyPj5KqNxQS_VdY2BPczNn2opWy2UfE_Om9OVZvwm1g?testcase_id=6061267346522112

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
CF verified this is fixed. It fixes a regression introduced in the FFmpeg roll, which is requested to merge to M56, so requesting merge to M56 of the fix (#11).

Nov 22 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Nov 23 2016

Nov 28 2016

Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d5322fd1b72bd80d6b23562b3fc286d1db4f27d3

commit d5322fd1b72bd80d6b23562b3fc286d1db4f27d3
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Tue Nov 29 23:52:04 2016

To M56: Roll src/third_party/ffmpeg/ 92f86a517..e91355afa (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/92f86a51725e..e91355afac54

$ git log 92f86a517..e91355afa --date=short --no-merges --format='%ad %ae %s'
2016-11-21 wolenetz lavf/utils.c Protect against accessing entries[nb_entries]

TBR=dalecurtis@chromium.org
BUG=666770,666769,591845

Review-Url: https://codereview.chromium.org/2521573003
Cr-Commit-Position: refs/heads/master@{#433740}
(cherry picked from commit b46025db9f4903b694812dbed8d1630c01897e65)

Review URL: https://codereview.chromium.org/2541463004 .

Cr-Commit-Position: refs/branch-heads/2924@{#174}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/d5322fd1b72bd80d6b23562b3fc286d1db4f27d3/DEPS

Nov 30 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/f4e4b1ff5dbdf3701bed5a709344372780af24d6

commit f4e4b1ff5dbdf3701bed5a709344372780af24d6
Author: Alex Mineer <amineer@google.com>
Date: Wed Nov 30 00:20:17 2016

Dec 1 2016

Dec 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0bf26e16060899a224a208cfbc40549fc924f1c0

commit 0bf26e16060899a224a208cfbc40549fc924f1c0
Author: wolenetz <wolenetz@chromium.org>
Date: Thu Dec 08 20:45:39 2016

Add ffmpeg regression tests for multiple issues from M56 roll

Note: Neither I nor chcunningham@ were able to reproduce 666874 with current msan tooling, though both CF and chcunningham@ confirmed the fix previously. Perhaps toolchain or sanitizer changes in the interim have impacted ability to repro this case.

Excepting above, all new tests repro prior to their fix, and no longer repro on trunk.

For issue 666770, a seek to GetStartTime() was insufficient for repro, so a _SEEKING version of the test macro was added to obtain repro.

Added 8b80a219364dd4c4baaa9297005218f43dc5c49f to internal repo.

BUG=666794,666874,667063,666770
R=dalecurtis@chromium.org,chcunningham@chromium.org

Review-Url: https://codereview.chromium.org/2556343002
Cr-Commit-Position: refs/heads/master@{#437331}

[modify] https://crrev.com/0bf26e16060899a224a208cfbc40549fc924f1c0/media/ffmpeg/ffmpeg_regression_tests.cc

Dec 14 2016

Dec 15 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/2db39ae520c90db0db865a6b5d15017f1f9f4d09

commit 2db39ae520c90db0db865a6b5d15017f1f9f4d09
Author: Alex Mineer <amineer@google.com>
Date: Thu Dec 15 22:13:56 2016

Dec 15 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/f2b039af93bf22b422b46af2fb6f7aed10ff4f3e

commit f2b039af93bf22b422b46af2fb6f7aed10ff4f3e
Author: Alex Mineer <amineer@google.com>
Date: Thu Dec 15 23:22:05 2016

Mar 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by mea...@chromium.org, Nov 18 2016
Status: Assigned (was: Untriaged)