Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr;content::MediaStreamVideoSource::GetCurrentFormat;content::MediaStreamVideoTrack::getSettings
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4506729749676032

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f63ed89a1a0
Crash State:
  Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr
  content::MediaStreamVideoSource::GetCurrentFormat
  content::MediaStreamVideoTrack::getSettings

Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=460787:460815

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96A34hRfODYymWbFFXK64nSt3aVi5UuBKyPOHcA2cm5F08frJud00TVZPKHG-WPNv8ahUJ7xYt-D2Bdi7RnzbOdTdBIbfOMrvOx4uYUlmX88ECTk4jEx01tC7IPgBcUl4dkK3OYJHk3WAXVN1QTiVtZyzHwLioAhfjiMTWhQfAXL_QFUQ2D3R-ryKlsxPfziFHkptClGsJjPR2MhQ85uJR-mZ4ldOTgKenxuoSxq25F3fJJepwr93yQ0j6dOUPq9zx9D8L1WlNncHtXzc8AemJe4IoTQlUH4jEE_Ci-taRangr4r1UacZQGutTs-o_MIq8rLLSmITvCceMHLwoLMzxzB1KlTAoU8Jf1Itk4hBgrQoHDOLA?testcase_id=4506729749676032

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Apr 8 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 8 2017
Apr 9 2017
+guidou: I think you most recently changed the call site that's triggering this.
Apr 9 2017
I'll take a look
Apr 10 2017
So far I have been unable to reproduce this. Not even with the binary included in the clusterfuzz report.
Apr 10 2017
I triggered a fresh run on ClusterFuzz to see if it thinks it's fixed. It might be related to the other bug I assigned to you last week.
Apr 10 2017
ClusterFuzz doesn't seem to think it's fixed yet.
Apr 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/46b6e63834ff622224871ea57e95901d59caad8a

commit 46b6e63834ff622224871ea57e95901d59caad8a
Author: guidou <guidou@chromium.org>
Date: Tue Apr 11 12:35:53 2017

Use explicit conversion to base::Optional in MSVS::GetCurrentFormatImpl implementations.

This is a speculative fix for a hard-to-reproduce Clusterfuzz issue with CFI builds.
No behavior change intended.

BUG=709736
Review-Url: https://codereview.chromium.org/2807203002
Cr-Commit-Position: refs/heads/master@{#463603}

[modify] https://crrev.com/46b6e63834ff622224871ea57e95901d59caad8a/content/renderer/media/media_stream_video_capturer_source.cc
[modify] https://crrev.com/46b6e63834ff622224871ea57e95901d59caad8a/content/renderer/media/mock_media_stream_video_source.cc
[modify] https://crrev.com/46b6e63834ff622224871ea57e95901d59caad8a/content/renderer/pepper/pepper_media_stream_video_track_host.cc
Apr 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0cbb4e27d69412dd0f01f2c6583f2b00231c0a38

commit 0cbb4e27d69412dd0f01f2c6583f2b00231c0a38
Author: guidou <guidou@chromium.org>
Date: Tue Apr 11 18:52:51 2017

Check that the source is valid before accessing it in MSVT::GetSettings.

Drive-by: DCHECK that the function is called on the correct thread.

BUG=709736
Review-Url: https://codereview.chromium.org/2812623004
Cr-Commit-Position: refs/heads/master@{#463703}

[modify] https://crrev.com/0cbb4e27d69412dd0f01f2c6583f2b00231c0a38/content/renderer/media/media_stream_video_track.cc
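The crash state pairs a virtual call (MediaStreamVideoSource::GetCurrentFormat, reached from MediaStreamVideoTrack::getSettings) with a vptr that CFI could not match to any valid MediaStreamVideoSource subtype, which is the signature of a virtual call made through a dangling or otherwise invalid object pointer. The second commit above addresses exactly that by checking that the source is valid before touching it. The following is an added example, not Chromium code: the class, member and helper names are hypothetical stand-ins for the source and track, and the weak-handle mechanism used to decide "is the source still valid" is an assumption for illustration, not the check the commit itself uses.

```cpp
// Added example (not Chromium code). Hypothetical stand-ins for
// MediaStreamVideoSource / MediaStreamVideoTrack showing the hazard behind a
// CFI "bad-cast from invalid vptr" report and the shape of the
// "check that the source is valid before accessing it" fix.
#include <cstdio>
#include <memory>
#include <optional>

struct VideoFormat {
  int width;
  int height;
  float frame_rate;
};

// Stand-in for the source. GetCurrentFormat() is virtual, so calling it on
// an object that no longer exists dispatches through whatever bytes happen
// to sit where the vptr used to be; a CFI build reports that as a bad-cast.
class VideoSource {
 public:
  virtual ~VideoSource() = default;
  virtual std::optional<VideoFormat> GetCurrentFormat() const = 0;
};

class CameraSource : public VideoSource {
 public:
  explicit CameraSource(VideoFormat f) : format_(f) {}
  std::optional<VideoFormat> GetCurrentFormat() const override {
    // Explicit construction of the optional, in the spirit of the first
    // (speculative) fix, instead of an implicit VideoFormat -> optional
    // conversion at the return statement.
    return std::optional<VideoFormat>(format_);
  }

 private:
  VideoFormat format_;
};

struct Settings {
  std::optional<VideoFormat> format;  // empty when no valid source exists
};

// Stand-in for the track. It does not own its source; the weak handle is an
// assumed mechanism that lets the track tell whether the source still exists.
class VideoTrack {
 public:
  explicit VideoTrack(std::shared_ptr<VideoSource> source) : source_(source) {}

  // Unsafe shape, left as a comment because running it on a destroyed source
  // is undefined behaviour: a raw pointer cached at construction and
  // dereferenced unconditionally.
  //   Settings s; s.format = raw_source_->GetCurrentFormat();

  // Hardened shape: validate the source before making the virtual call.
  Settings GetSettings() const {
    Settings s;
    if (auto source = source_.lock())  // null once the source is destroyed
      s.format = source->GetCurrentFormat();
    return s;
  }

 private:
  std::weak_ptr<VideoSource> source_;
};

// Width reported while the source is alive (expected 1280 with this input).
int FormatWidthWhileSourceAlive() {
  auto source = std::make_shared<CameraSource>(VideoFormat{1280, 720, 25.0f});
  VideoTrack track(source);
  Settings s = track.GetSettings();
  return s.format ? s.format->width : -1;
}

// The track outlives its source: settings must be empty afterwards rather
// than the result of a virtual call on freed memory.
bool SettingsSurviveSourceDestruction() {
  auto source = std::make_shared<CameraSource>(VideoFormat{640, 480, 30.0f});
  VideoTrack track(source);
  Settings before = track.GetSettings();
  bool ok = before.format.has_value() && before.format->width == 640;
  source.reset();                        // source destroyed; track still alive
  Settings after = track.GetSettings();  // no virtual call through a dead vptr
  return ok && !after.format.has_value();
}

int main() {
  std::printf("width while alive: %d\n", FormatWidthWhileSourceAlive());
  std::printf("safe after destruction: %s\n",
              SettingsSurviveSourceDestruction() ? "yes" : "no");
  return 0;
}
```

The unchecked variant stays a comment on purpose: a virtual call through a dangling pointer is undefined behaviour, and the only reason the fuzzer saw a clean "Bad-cast" rather than a silent misdispatch is that the linux_cfi_chrome job compiles with CFI's vcall check. The validity check is the part that removes the hazard; the explicit base::Optional conversion in the first commit is, as its message says, speculative.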
Apr 12 2017
ClusterFuzz has detected this issue as fixed in range 463687:463767.

Detailed report: https://clusterfuzz.com/testcase?key=4506729749676032

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f63ed89a1a0
Crash State:
  Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr
  content::MediaStreamVideoSource::GetCurrentFormat
  content::MediaStreamVideoTrack::getSettings

Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=460787:460815
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=463687:463767

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96A34hRfODYymWbFFXK64nSt3aVi5UuBKyPOHcA2cm5F08frJud00TVZPKHG-WPNv8ahUJ7xYt-D2Bdi7RnzbOdTdBIbfOMrvOx4uYUlmX88ECTk4jEx01tC7IPgBcUl4dkK3OYJHk3WAXVN1QTiVtZyzHwLioAhfjiMTWhQfAXL_QFUQ2D3R-ryKlsxPfziFHkptClGsJjPR2MhQ85uJR-mZ4ldOTgKenxuoSxq25F3fJJepwr93yQ0j6dOUPq9zx9D8L1WlNncHtXzc8AemJe4IoTQlUH4jEE_Ci-taRangr4r1UacZQGutTs-o_MIq8rLLSmITvCceMHLwoLMzxzB1KlTAoU8Jf1Itk4hBgrQoHDOLA?testcase_id=4506729749676032

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 12 2017
Apr 12 2017
Apr 12 2017
Jul 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot