Crash in rtc::FatalMessage::~FatalMessage
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4856526356611072
Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900007c90
Crash State:
rtc::FatalMessage::~FatalMessage
webrtc::ParseContent
cricket::AudioContentDescription* webrtc::ParseContentDescription<cricket::Audio
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=443565:443630
Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96otR3caHUmitIjGcJjQf56UxfRLUW9gAsGY8PYV9Cl18jpSUbTOqbqnoqd0FETvjo57uz_8Qh_SvfHeXJZXl-IrqxwLZfX_IaXBObXhwugJ-opT3WabE0binPb6ecdcCNHKQeRgDefmaCDDmyG4T9B5WzrlD3yIh9JkvLcKA7kIZeRUC-t51thZJV1gerH-IQPiOB6AffuKPS8Q20t0Xc5vvIeeYEj2ak6GWqLqsaYz7cyAL0Y68XuUIh3b-7dLPUVVTLaKMuw41NQ8K_7URQG1fqssUMp0pOJ9Z3daiL5k7m8BbeiR6iFhZtwN1oJBkPZRNBU9drlHXis4wiI1yfw4XtwpoyO_0-OBeM_1Df1UuvJCEk?testcase_id=4856526356611072
v=0 o= [ s=- t=� m=audio5 0 02:: a=candidate:/0 2 tcp 3 0 typ prflx ufrag [
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jan 17 2017
The result is a list of CLs that change the crashed files.
Author: nisse
Project: chromium-webrtc
Changelist: https://chromium.googlesource.com/external/webrtc/trunk/webrtc.git/+/a875ff85398782f352ea722be0c74865f2858ad6
Time: Thu Jan 12 13:15:36 2017
Lines 2849-2852 of file webrtcsdp.cc which potentially caused crash are changed in this cl (frame #3, "webrtc::ParseContent").
Minimum distance from crash line to modified line: 0. (file: webrtcsdp.cc, crashed on: 2849, modified: 2849).
Jan 18 2017
Taylor, can you have a look? I've changed ASSERT (from the old base/common.h) to RTC_DCHECK, unclear if that change helped uncover an old bug (conditions for enabling ASSERT and RTC_DCHECK are slightly different), or if the problem is related to the ongoing SCTP refactoring.
Jan 18 2017
This doesn't look like a (very) new issue; I think it's just one of the many buried treasures in our SDP parsing code. There's a general purpose "ParseCandidate" function, and the assertion is that it doesn't populate the username/password fields, but at some point those fields were added.
Jan 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/7bcdb6995777b282564359df4328328d1a58f78e
commit 7bcdb6995777b282564359df4328328d1a58f78e
Author: deadbeef <deadbeef@webrtc.org>
Date: Fri Jan 20 20:43:58 2017
Ignore ufrag/password in "a=candidate" lines in SDP.
These attributes should be parsed in candidate trickling, but when parsing a full session description, only "a=ice-ufrag"/"a=ice-pwd" should be used to communicate the ufrag/password.
BUG= chromium:681286
Review-Url: https://codereview.webrtc.org/2639183002
Cr-Commit-Position: refs/heads/master@{#16194}
[modify] https://crrev.com/7bcdb6995777b282564359df4328328d1a58f78e/webrtc/api/webrtcsdp.cc
[modify] https://crrev.com/7bcdb6995777b282564359df4328328d1a58f78e/webrtc/api/webrtcsdp_unittest.cc
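A constructed C++ model of the rule described in the Jan 18 comment above (a general-purpose ParseCandidate that can pick up ufrag/password fields) and in this commit message (a full session description takes its credentials only from a=ice-ufrag/a=ice-pwd). This is added example code, not WebRTC's webrtcsdp.cc; the struct layout, function names and the sample SDP lines (apart from the a=candidate line quoted from the minimized testcase) are assumptions made for the example. The point it shows is defensive: the parser returns a parse error on malformed candidate fields instead of hitting a DCHECK, and candidate-line ufrag/pwd values are dropped when parsing a full description.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Constructed model of the rule from this thread (not WebRTC's own code):
// a general-purpose a=candidate parser may pick up trailing "ufrag"/"pwd"
// extension pairs, but a full session description takes its ICE credentials
// only from a=ice-ufrag / a=ice-pwd, and malformed input is reported as a
// parse error instead of tripping an assertion.

struct Candidate {
  std::string foundation, transport, address, type;
  int component = 0, port = 0;
  unsigned long priority = 0;
  std::string ufrag, pwd;  // only set from trailing "ufrag"/"pwd" extensions
};

struct SessionDescription {
  std::string ice_ufrag, ice_pwd;  // from a=ice-ufrag / a=ice-pwd only
  std::vector<Candidate> candidates;
};

static bool HasPrefix(const std::string& s, const std::string& p) {
  return s.compare(0, p.size(), p) == 0;
}

static std::vector<std::string> Tokenize(const std::string& s) {
  std::istringstream in(s);
  std::vector<std::string> out;
  for (std::string tok; in >> tok;) out.push_back(tok);
  return out;
}

// Strict decimal parse: rejects "", "typ", "12abc" and values above max.
static bool ParseUnsigned(const std::string& s, unsigned long max, unsigned long* out) {
  if (s.empty()) return false;
  unsigned long long v = 0;
  for (char c : s) {
    if (c < '0' || c > '9') return false;
    v = v * 10 + static_cast<unsigned long long>(c - '0');
    if (v > max) return false;
  }
  *out = static_cast<unsigned long>(v);
  return true;
}

// Parses "candidate:<foundation> <component> <transport> <priority> <address>
// <port> typ <type> [<ext-name> <ext-value>]...". Returns false with a reason
// on any malformed field; never asserts on untrusted input.
bool ParseCandidate(const std::string& attr, Candidate* out, std::string* error) {
  if (!HasPrefix(attr, "candidate:")) { *error = "not a candidate attribute"; return false; }
  std::vector<std::string> f = Tokenize(attr.substr(10));
  if (f.size() < 8 || f[6] != "typ") { *error = "too few fields or missing 'typ'"; return false; }
  if ((f.size() - 8) % 2 != 0) { *error = "extension name without value"; return false; }
  unsigned long component = 0, priority = 0, port = 0;
  if (!ParseUnsigned(f[1], 256, &component) || component == 0) { *error = "bad component"; return false; }
  if (!ParseUnsigned(f[3], 0xFFFFFFFFul, &priority)) { *error = "bad priority"; return false; }
  if (!ParseUnsigned(f[5], 65535, &port)) { *error = "bad port"; return false; }
  out->foundation = f[0]; out->transport = f[2]; out->address = f[4]; out->type = f[7];
  out->component = static_cast<int>(component); out->priority = priority;
  out->port = static_cast<int>(port);
  for (size_t i = 8; i + 1 < f.size(); i += 2) {  // extension pairs
    if (f[i] == "ufrag") out->ufrag = f[i + 1];
    else if (f[i] == "pwd") out->pwd = f[i + 1];
    // raddr, rport, generation and other extensions are ignored here
  }
  return true;
}

// Parses the a= lines of a full session description. Per the fix in this
// thread, ufrag/pwd carried on a=candidate lines are discarded; only
// a=ice-ufrag / a=ice-pwd set the session credentials.
bool ParseMediaAttributes(const std::vector<std::string>& lines,
                          SessionDescription* out, std::string* error) {
  for (const std::string& line : lines) {
    if (!HasPrefix(line, "a=")) continue;
    std::string attr = line.substr(2);
    if (HasPrefix(attr, "ice-ufrag:")) {
      out->ice_ufrag = attr.substr(10);
    } else if (HasPrefix(attr, "ice-pwd:")) {
      out->ice_pwd = attr.substr(8);
    } else if (HasPrefix(attr, "candidate:")) {
      Candidate c;
      if (!ParseCandidate(attr, &c, error)) return false;
      c.ufrag.clear();  // ignored in a full session description
      c.pwd.clear();
      out->candidates.push_back(c);
    }
  }
  return true;
}

// Constructed sample: a candidate line carrying ufrag/pwd extensions that
// must not override the session-level credentials.
const std::vector<std::string> kWellFormedSdp = {
    "a=ice-ufrag:sessUfrag", "a=ice-pwd:sessPwd",
    "a=candidate:1 1 udp 2130706431 192.0.2.10 5000 typ host ufrag lineUfrag pwd linePwd"};
// The a=candidate line from the minimized ClusterFuzz testcase in this thread.
const std::vector<std::string> kFuzzSdp = {"a=candidate:/0 2 tcp 3 0 typ prflx ufrag ["};
```

ParseCandidate still returns the ufrag/pwd it found, which is what a trickle-ICE candidate path would want; ParseMediaAttributes is the full-description path that clears them. The testcase line fails on the field-count check (the seventh token is "prflx", not "typ") and comes back as an ordinary parse error, which is the outcome the fix in this thread aims for: bad SDP from a peer is rejected rather than turned into a fatal assertion in the parser.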
Jan 27 2017
ClusterFuzz has detected this issue as fixed in range 446341:446455.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4856526356611072
Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900001b3b
Crash State:
rtc::FatalMessage::~FatalMessage
webrtc::ParseContent
cricket::AudioContentDescription* webrtc::ParseContentDescription<cricket::Audio
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=443565:443630
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=446341:446455
Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96JrXgfTfOMkIi37SBkaVvbr9AJ59HI1l3GfcWstSvPYH1BElRbP7joZYZ3bedIx5DQC-vmiagAWAE-GuRTKRUefaxU2yk7B0U-W5rEimHQd8y7lke361j3jP9b5vzKpA1n2Ki3f6_HOy6UBp36IpWi8WKVU_SJ0TPyV8OhBoq0Jcn8Wn-7L7HRXYtqkN2ro-NksWBC964FHhLQ1Qke0wDA4aGaKPoHPxYZpCGo1osDDXr491fhgFdNGT4zV97FkopIyb2n-tcFgLM2f0IZJZ0hym5Yc70bXha9MNeEf31lJLgsi7hdQrvhfjKBEoDSmPyiC7LXS_f8c9qTq31eLqybSKjuD6fGbPR5G8JaV9q9c_uc1as?testcase_id=4856526356611072
v=0 o= [ s=- t=� m=audio5 0 02:: a=candidate:/0 2 tcp 3 0 typ prflx ufrag [
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 27 2017
ClusterFuzz testcase 4856526356611072 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 21 2017
Comment 1 by techfree...@gmail.com, Jan 14 2017