This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

kwiberg: Could you take a look or help us find an owner for this one?

[Bulk edit]

A friendly reminder that M57 Beta launch is coming soon on February 2nd (in a week)! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

This actually appears to impact M55+

Sorry for not responding; I was out sick for a couple of days. Will either start fixing today myself or find someone else to do so.

CL in progress: https://codereview.webrtc.org/2659383002/

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/c14b7ed479b8efb38ca04ea536272bd7a2d4f0ff

commit c14b7ed479b8efb38ca04ea536272bd7a2d4f0ff
Author: kwiberg <kwiberg@webrtc.org>
Date: Mon Jan 30 20:17:05 2017

iSAC float decoder: Don't read past end of initialized part of buffer

We read past the end of the initialized part of the buffer, seemingly
on purpose (no one knows the details of this code anymore). The right
thing to do is probably to zero that part of the buffer.

(The *right* right thing to would be to rewrite this so that it was
easier to see what data was supposed to be where when, but
priorities...)

BUG= chromium:683040 

Review-Url: https://codereview.webrtc.org/2659383002
Cr-Commit-Position: refs/heads/master@{#16365}

[modify] https://crrev.com/c14b7ed479b8efb38ca04ea536272bd7a2d4f0ff/webrtc/modules/audio_coding/codecs/isac/main/source/pitch_filter.c

The CL in comment #12 fixes the fuzzer error for me locally.

ClusterFuzz has detected this issue as fixed in range 447314:447579.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4657291346575360

Fuzzer: libfuzzer_audio_decoder_isac_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Decode
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
  webrtc::AudioDecoder::Decode
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=447314:447579

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96m-ycF8a95yCe4rKkcwt2wwTc8Yt8V7meOO1M1QSdn9EO-TJo9PsbmHNkxtuverKDm8S1VCG4Mo_WYoDNcjNE4XvqBSzclwy0i4wQeqEnkFKsjIE_KPDvKkulPJefnoWteV5I-txxA2TmuNt81f-XthoFTnQ5Et2HzmFuvbx3J2lvoB2fZiRMuMZ3sn69VOS3615Kc7C4AdZP8Cqnw7yVxdlhtqiqFYtdHnf86QOVGY1TQroe_HMrWOiy4wx3WgULiAjTXUoqUMz4IMSk8B0A9crMT3D5nqpTPROcZSz18QWUqpxgrVmbeI5gABE00-9uNXFdPsJH31UShYC9iXx-uTjN2ToWRjecFwvEBt-yo8cW1_RM?testcase_id=4657291346575360


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please merge your change to M57 branch 2987 by 4:00 PM PT tomorrow, Tuesday (02/14) so we can pick it up for this week beta release. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/c70bda046642a9c7288fc79bb4d26f67c5b1aacb

commit c70bda046642a9c7288fc79bb4d26f67c5b1aacb
Author: kwiberg <kwiberg@webrtc.org>
Date: Tue Feb 14 13:41:55 2017

iSAC float decoder: Don't read past end of initialized part of buffer

This is a backport to M57 of this CL: https://codereview.webrtc.org/2659383002

We read past the end of the initialized part of the buffer, seemingly
on purpose (no one knows the details of this code anymore). The right
thing to do is probably to zero that part of the buffer.

(The *right* right thing to would be to rewrite this so that it was
easier to see what data was supposed to be where when, but
priorities...)

NOTRY=true
NOPRESUBMIT=true
BUG= chromium:683040 

Review-Url: https://codereview.webrtc.org/2697683003
Cr-Commit-Position: refs/branch-heads/57@{#5}
Cr-Branched-From: e5cbc2019003dbb40e03811d7607feb95757a4ec-refs/heads/master@{#16123}

[modify] https://crrev.com/c70bda046642a9c7288fc79bb4d26f67c5b1aacb/webrtc/modules/audio_coding/codecs/isac/main/source/pitch_filter.c

Per comment #19, this is already merged to M57.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot