Use-after-poison in webrtc::BitrateAllocation::SetBitrate
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5000468700069888
Fuzzer: afl_rtcp_receiver_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Use-after-poison READ 4
Crash Address: 0x7f744c469b00
Crash State:
  webrtc::BitrateAllocation::SetBitrate
  HandleXrTargetBitrate
  webrtc::RTCPReceiver::HandleXr
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=436246:436268
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97tlIkIXUKaYFIgrOmZIfJ6qPWT6lkQ8KqiqFbJ88v6ilzBvzKEYPyy-ejfwagHS_fIXvsCRlEVctZGaqgUK7YiSoStB3cHDp_OE-yKpWJPRaV__1ixI3Zex-xKlnltm8vPLCA5JgtIgPOKV67JNcY8K8Ch5Q?testcase_id=5000468700069888

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Dec 6 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/6d314c7a88f9e7e666fb89bbadc6dda22811329d

commit 6d314c7a88f9e7e666fb89bbadc6dda22811329d
Author: sprang <sprang@webrtc.org>
Date: Tue Dec 06 14:08:53 2016

Reject XR TargetBitrate items with unsupported layer indices

Specifically, reject any bitrate allocated for a layer not representable by the BitrateAllocation struct.

BUG= chromium:671312
Review-Url: https://codereview.webrtc.org/2549233005
Cr-Commit-Position: refs/heads/master@{#15447}

[modify] https://crrev.com/6d314c7a88f9e7e666fb89bbadc6dda22811329d/webrtc/common_types.cc
[modify] https://crrev.com/6d314c7a88f9e7e666fb89bbadc6dda22811329d/webrtc/modules/rtp_rtcp/source/rtcp_receiver.cc
[modify] https://crrev.com/6d314c7a88f9e7e666fb89bbadc6dda22811329d/webrtc/modules/rtp_rtcp/source/rtcp_receiver_unittest.cc
Dec 6 2016
The issue should now be solved in webrtc, awaiting deps roll into chrome.
Dec 7 2016
ClusterFuzz has detected this issue as fixed in range 436619:436689.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5000468700069888
Fuzzer: afl_rtcp_receiver_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Use-after-poison READ 4
Crash Address: 0x7f744c469b00
Crash State:
  webrtc::BitrateAllocation::SetBitrate
  HandleXrTargetBitrate
  webrtc::RTCPReceiver::HandleXr
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=436246:436268
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=436619:436689
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97tlIkIXUKaYFIgrOmZIfJ6qPWT6lkQ8KqiqFbJ88v6ilzBvzKEYPyy-ejfwagHS_fIXvsCRlEVctZGaqgUK7YiSoStB3cHDp_OE-yKpWJPRaV__1ixI3Zex-xKlnltm8vPLCA5JgtIgPOKV67JNcY8K8Ch5Q?testcase_id=5000468700069888

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 7 2016
ClusterFuzz testcase 5604629468676096 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 7 2016
Fix was rolled into chrome at r436635, so this should be fixed now.
Mar 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by och...@chromium.org, Dec 5 2016
Owner: sprang@chromium.org
Status: Assigned (was: Untriaged)