Find it did not provide any possible suspects.
Assigning to the concern owner related to webrtc from the regressed range,
https://chromium.googlesource.com/chromium/src/+log/44d0ad676eaecca9bfdf134d01c0f66582b2d30b..6f4e9e720389853f875c00f31c29062a9cfb9633?pretty=fuller

Suspecting CL --
https://chromium.googlesource.com/chromium/src/+/5cabc7c08b054153479bdacb46cc9aa73531343e

@guidou -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

hlundin@: This looks related to a recent change by you in WebRTC (I think your fuzzer detected this). Can you take a look and reassign if necessary?

This is likely an age-old issue, uncovered by my fairly new fuzzer. I'll take a look.

I'm stealing this one, since I've touched that code quite recently. It looks like the case we're getting is multiple CNG packets in packet_list.

I added some trace printouts and it turns out NetEqImpl::ExtractPackets can return more than one CNG packet, if decoder_frame_length_ is shorter than the number of samples required from it. I'm not sure exactly why neteq believes the packets to be 3 samples long in this case, but it does seem right if looking at their timestamps. The packets have the same sequence number, which is weird in a real-world scenario. Clearly it can happen when fuzzing packets.

I've created a CL here: https://codereview.webrtc.org/2609043002
It simply limits the number of extracted packets to one, if that packet is CN. I think that's the correct way to go about it.

Logs follow:
-- This is from ExtractPackets, hitting the if (packet_duration == 0) check --
Guessed at a packet duration of 3
Extracted 3 of 80 required samples
Guessed at a packet duration of 3
Extracted 6 of 80 required samples

-- This is later in DecodeLoop --
packet_list.size() = 2 at ../../webrtc/modules/audio_coding/neteq/neteq_impl.cc:904
packet_list->size() = 2 at ../../webrtc/modules/audio_coding/neteq/neteq_impl.cc:1433
packet_list->size() = 2; decoded_length=0x7fffb751283c; *decoded_length=0; payload_type=99; CNG?=yes
  payload_type=99; payload size=1280; timestamp=3823363043; sequence_number=58339; priority=(0, 0); frame?=no
  payload_type=99; payload size=1280; timestamp=3823363046; sequence_number=58339; priority=(0, 0); frame?=no

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/cafb497cc14e0f6d1933b8b8814d886081eb8788

commit cafb497cc14e0f6d1933b8b8814d886081eb8788
Author: ossu <ossu@webrtc.org>
Date: Mon Jan 02 15:00:50 2017

Limit NetEqImpl::ExtractPackets to returning one CNG packet

BUG= chromium:668834 

Review-Url: https://codereview.webrtc.org/2609043002
Cr-Commit-Position: refs/heads/master@{#15868}

[modify] https://crrev.com/cafb497cc14e0f6d1933b8b8814d886081eb8788/webrtc/modules/audio_coding/neteq/neteq_impl.cc

ClusterFuzz has detected this issue as fixed in range 441106:441113.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6740356193583104

Fuzzer: libfuzzer_neteq_rtp_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  packet_list->empty() || *decoded_length < 0 || (packet_list->size() == 1 && deco
  webrtc::NetEqImpl::DecodeLoop
  webrtc::NetEqImpl::Decode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423119:423135
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=441106:441113

Minimized Testcase (1.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9414LAVkhujhlJlCth-wASZDjYt6vAt8bZn5eFKeW844N2ZBMPF1f-qAYHCukmfECHY4Z3W928M4CmDcsi_2OnksbGJ5lvNeT0DPyUv0VYGu9ZNFSwRltWa-VDpoI4xfw1qtSZk2EsC-vDFZ750P-689ffXPA?testcase_id=6740356193583104

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6740356193583104 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.