Global-buffer-overflow in libopus_decode_init
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5062275200450560
Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Global-buffer-overflow READ 8
Crash Address: 0x7faea11f9a78
Crash State:
  libopus_decode_init
  avcodec_open2
  avformat_find_stream_info
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433020:433162
Minimized Testcase (10350.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97on8wBy7qqZfNKuL_XqHrgNl36dnq6nvwdUftFuw8_EB71aS7-Il4vRcdtkjcCJe9XpGO6YPGJeFwybrYCHPEB_U3VZanmsZ3r3Y178ElwDynxhnbzVB7dM2D1P85a02glCaeJCfpP8lS1VkkEzcDRYypODkjy2NAn2-ujnBFiYSY0wJs?testcase_id=5062275200450560

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Nov 18 2016
wolenetz@chromium.org: Is there any chance this is fixed in the M56 FFmpeg roll? If not, feel free to assign to hubbe@ who will do the next roll (I believe).
Nov 18 2016
I think this is caused by the roll :)
Nov 19 2016

Nov 19 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 21 2016
I'll take a look along with several others - I suspect too that it's caused by the M56 ffmpeg roll.
Nov 22 2016
I have a confirmed local linux regression, and this feature area was new in the FFmpeg roll (issue 591845). Working on a fix...
Nov 22 2016
In #7: s/regression/repro/
Nov 22 2016
I have a fix out for review @ https://chromium-review.googlesource.com/#/c/413334/
Nov 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/141e56ccf7fc56646424484d357b6c74a486d2e2

commit 141e56ccf7fc56646424484d357b6c74a486d2e2
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Tue Nov 22 01:30:50 2016

lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

Similar to existing lavc/vorbisdec.c code which first checks that avc->channels is valid for accessing ff_vorbis_channel_layouts, this change adds protection to libopusdec.c to prevent accessing that array with a negative index.

R=dalecurtis@chromium.org
BUG=666794
Change-Id: Id301bd783cb9b826117d41b20b1b05f28d35827c
Reviewed-on: https://chromium-review.googlesource.com/413334
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>

[modify] https://crrev.com/141e56ccf7fc56646424484d357b6c74a486d2e2/libavcodec/libopusdec.c
[modify] https://crrev.com/141e56ccf7fc56646424484d357b6c74a486d2e2/chromium/patches/README
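The check the commit above describes, as an added example that is not FFmpeg's or Chromium's code: a global lookup table indexed by `channels - 1`, first guarded only against counts above the table size (the shape that lets a zero or negative channel count read before the start of the array), then with the non-positive check added before the index is formed. The table contents, the function names, the `MAX_TABLE_CHANNELS` constant and the rejection convention are assumptions; the real `ff_vorbis_channel_layouts` values and the exact libopusdec.c diff are not reproduced here.

```c
/* Added example, not FFmpeg's or Chromium's code. Shows the class of bug the
 * commit describes: a global table indexed by (channels - 1) where the channel
 * count comes from untrusted stream headers, and the fix of validating the
 * count before indexing. Table values, names and the error code are assumed. */
#include <stdint.h>
#include <stdio.h>

#define MAX_TABLE_CHANNELS 8

/* Stands in for ff_vorbis_channel_layouts: one 8-byte entry per channel count
 * 1..8. Constructed placeholder bitmasks, not the real layout constants. */
static const uint64_t channel_layouts[MAX_TABLE_CHANNELS] = {
    0x4, 0x3, 0x7, 0x33, 0x37, 0x3f, 0x70f, 0x63f
};

/* Sentinel for a rejected channel count (assumed convention; FFmpeg would
 * log and return AVERROR_INVALIDDATA instead). */
#define LAYOUT_REJECTED UINT64_MAX

/* Pre-fix shape: only the upper bound is checked. With channels == 0 or a
 * negative value the index (channels - 1) lands before the start of the
 * global array, an 8-byte out-of-bounds read, which is what the ASan line
 * "Global-buffer-overflow READ 8" in the report denotes. Kept only to show
 * the gap; never call it with channels <= 0. */
static uint64_t layout_unchecked(int channels)
{
    return channels > MAX_TABLE_CHANNELS ? 0 : channel_layouts[channels - 1];
}

/* Post-fix shape: reject non-positive counts before touching the table.
 * Returns 0 and stores the layout on success, -1 for an invalid count. */
static int layout_checked(int channels, uint64_t *layout_out)
{
    if (channels <= 0)
        return -1;
    *layout_out = channels > MAX_TABLE_CHANNELS ? 0 : channel_layouts[channels - 1];
    return 0;
}

/* Single-value wrapper around layout_checked() for callers and tests. */
static uint64_t layout_or_reject(int channels)
{
    uint64_t layout;
    return layout_checked(channels, &layout) == 0 ? layout : LAYOUT_REJECTED;
}

int main(void)
{
    /* Constructed channel counts as a hostile header might supply them. */
    const int samples[] = { -1000, -1, 0, 1, 2, 8, 9, 255 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t layout = layout_or_reject(samples[i]);
        if (layout == LAYOUT_REJECTED)
            printf("channels=%d rejected before table access\n", samples[i]);
        else
            printf("channels=%d layout=0x%llx\n", samples[i],
                   (unsigned long long)layout);
    }
    /* In-range input behaves identically in the unchecked variant. */
    printf("unchecked channels=2 layout=0x%llx\n",
           (unsigned long long)layout_unchecked(2));
    return 0;
}
```

The upper-bound test that was already present (`channels > 8 ? 0 : ...`) is why the fuzzer only found the lower edge: an unsigned or large count was handled, while the sign of the value was never considered. Checking the full valid range in one place before the table is indexed is the pattern the commit borrows from vorbisdec.c, and it is what a build with AddressSanitizer, or a regression test feeding the minimized testcase, would exercise.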
Nov 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3431ae5ea798e4ce3b7da6b44bf4dab426114bba

commit 3431ae5ea798e4ce3b7da6b44bf4dab426114bba
Author: wolenetz <wolenetz@chromium.org>
Date: Tue Nov 22 03:12:20 2016

Roll src/third_party/ffmpeg/ e91355afa..141e56ccf (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/e91355afac54..141e56ccf7fc

$ git log e91355afa..141e56ccf --date=short --no-merges --format='%ad %ae %s'
2016-11-21 wolenetz lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

TBR=dalecurtis@chromium.org
BUG=666794, 591845
Review-Url: https://codereview.chromium.org/2518063003
Cr-Commit-Position: refs/heads/master@{#433766}

[modify] https://crrev.com/3431ae5ea798e4ce3b7da6b44bf4dab426114bba/DEPS
Nov 22 2016
ClusterFuzz has detected this issue as fixed in range 433756:433807.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5062275200450560
Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Global-buffer-overflow READ 8
Crash Address: 0x7faea11f9a78
Crash State:
  libopus_decode_init
  avcodec_open2
  avformat_find_stream_info
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433020:433162
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=433756:433807
Minimized Testcase (10350.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97on8wBy7qqZfNKuL_XqHrgNl36dnq6nvwdUftFuw8_EB71aS7-Il4vRcdtkjcCJe9XpGO6YPGJeFwybrYCHPEB_U3VZanmsZ3r3Y178ElwDynxhnbzVB7dM2D1P85a02glCaeJCfpP8lS1VkkEzcDRYypODkjy2NAn2-ujnBFiYSY0wJs?testcase_id=5062275200450560

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
CF verified this is fixed. It fixes a regression introduced in the FFmpeg roll, which is requested to merge to M56, so requesting merge to M56 of the fix (#11).
Nov 22 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Nov 23 2016

Nov 28 2016
This change meets the bar and is approved for merge into M56
Nov 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/000d02613613f11a197c124fc22ef9cd797b06ff

commit 000d02613613f11a197c124fc22ef9cd797b06ff
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Wed Nov 30 00:00:47 2016

To M56: Roll src/third_party/ffmpeg/ e91355afa..141e56ccf (1 commit).

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/e91355afac54..141e56ccf7fc

$ git log e91355afa..141e56ccf --date=short --no-merges --format='%ad %ae %s'
2016-11-21 wolenetz lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

TBR=dalecurtis@chromium.org
BUG=666794, 591845
Review-Url: https://codereview.chromium.org/2518063003
Cr-Commit-Position: refs/heads/master@{#433766}
(cherry picked from commit 3431ae5ea798e4ce3b7da6b44bf4dab426114bba)

Review URL: https://codereview.chromium.org/2537973002 .

Cr-Commit-Position: refs/branch-heads/2924@{#175}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/000d02613613f11a197c124fc22ef9cd797b06ff/DEPS
Nov 30 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/f4e4b1ff5dbdf3701bed5a709344372780af24d6

commit f4e4b1ff5dbdf3701bed5a709344372780af24d6
Author: Alex Mineer <amineer@google.com>
Date: Wed Nov 30 00:20:17 2016
Dec 1 2016

Dec 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0bf26e16060899a224a208cfbc40549fc924f1c0

commit 0bf26e16060899a224a208cfbc40549fc924f1c0
Author: wolenetz <wolenetz@chromium.org>
Date: Thu Dec 08 20:45:39 2016

Add ffmpeg regression tests for multiple issues from M56 roll

Note: Neither I nor chcunningham@ were able to reproduce 666874 with current msan tooling, though both CF and chcunningham@ confirmed the fix previously. Perhaps toolchain or sanitizer changes in the interim have impacted ability to repro this case.

Excepting above, all new tests repro prior to their fix, and no longer repro on trunk. For issue 666770, a seek to GetStartTime() was insufficient for repro, so a _SEEKING version of the test macro was added to obtain repro.

Added 8b80a219364dd4c4baaa9297005218f43dc5c49f to internal repo.

BUG=666794, 666874, 667063, 666770
R=dalecurtis@chromium.org,chcunningham@chromium.org
Review-Url: https://codereview.chromium.org/2556343002
Cr-Commit-Position: refs/heads/master@{#437331}

[modify] https://crrev.com/0bf26e16060899a224a208cfbc40549fc924f1c0/media/ffmpeg/ffmpeg_regression_tests.cc
Dec 14 2016

Dec 15 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/2db39ae520c90db0db865a6b5d15017f1f9f4d09

commit 2db39ae520c90db0db865a6b5d15017f1f9f4d09
Author: Alex Mineer <amineer@google.com>
Date: Thu Dec 15 22:13:56 2016
Dec 15 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/f2b039af93bf22b422b46af2fb6f7aed10ff4f3e

commit f2b039af93bf22b422b46af2fb6f7aed10ff4f3e
Author: Alex Mineer <amineer@google.com>
Date: Thu Dec 15 23:22:05 2016
Mar 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Nov 18 2016
Owner: xhw...@chromium.org
Status: Assigned (was: Untriaged)