Issue 730446: Heap-buffer-overflow in sbr_x_gen

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6031882457448448

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7fc7837ff440
Crash State:
  sbr_x_gen
  ff_sbr_apply
  spectral_to_sample

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=477310:477399

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6031882457448448

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 7 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 7 2017

Jun 7 2017

Jun 8 2017

Jun 8 2017

Jun 8 2017
=> jrummell@ (M-60's ffmpeg roller) This looks like a regression introduced in the M-60 roll. Please take a look.
Jun 9 2017

Jun 9 2017

Jun 21 2017
jrummell: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 5 2017
jrummell: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 5 2017
John, have you sent this to ffmpeg already?
Jul 13 2017
This is M-61 only since the roll didn't make it to M60.
Jul 20 2017
It appears that a recent change to FFmpeg fixes this (https://github.com/FFmpeg/FFmpeg/commit/87b08ee6d2a3b0880f0a267c5d51dc7f415e81d7). Will pull that change into Chromium.
Jul 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/97ebed67951a157f6add59046024bff5fa20f4ae

commit 97ebed67951a157f6add59046024bff5fa20f4ae
Author: John Rummell <jrummell@chromium.org>
Date: Thu Jul 20 22:39:38 2017

avcodec/aacsbr_template: Do not change bs_num_env before its checked

Fixes: 1489/clusterfuzz-testcase-minimized-5075102901207040
Fixes: out of array access

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Cherry-picked from 87b08ee6d2a3b0880f0a267c5d51dc7f415e81d7

BUG=730446
TEST=clusterfuzz test no longer complains

Change-Id: Idb1469ebbd013242ac9c0550e049fdf1e23f72a3
Reviewed-on: https://chromium-review.googlesource.com/580209
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>

[modify] https://crrev.com/97ebed67951a157f6add59046024bff5fa20f4ae/libavcodec/aacsbr_template.c
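The commit subject above names the defect class: a bitstream field was stored into decoder state before it was range-checked, so the error return left a later stage (here sbr_x_gen, via ff_sbr_apply) looping on an out-of-range count. The block below is an added illustration of that check-then-commit pattern, not FFmpeg's code and not the actual aacsbr_template.c logic. Everything in it is hypothetical: the sbr_state_t layout, MAX_ENV, the 4-bit field width, the parse_envelope_count_* and fill_envelopes names, and the one-byte frame, which is constructed so the count field decodes to 9.

```c
/* Added illustration (not FFmpeg code) of "validate before committing to
 * decoder state". All names, sizes and the frame bytes are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ENV 5          /* hypothetical fixed capacity of the envelope table */

typedef struct {
    int num_env;           /* envelopes in this frame; must be in [1, MAX_ENV] */
    float env[MAX_ENV];    /* fixed-size per-envelope table */
} sbr_state_t;

/* Minimal MSB-first bit reader; the envelope count is a 4-bit field here. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } bits_t;

static int get_bits4(bits_t *b) {
    if (b->pos + 4 > b->len * 8) return -1;        /* truncated frame */
    int v = 0;
    for (int i = 0; i < 4; i++, b->pos++)
        v = (v << 1) | ((b->data[b->pos / 8] >> (7 - b->pos % 8)) & 1);
    return v;
}

/* Vulnerable shape: the field is written into live state and only then
 * range-checked. The error return does not undo the write, so if decoding
 * continues, or the next frame reuses the state, num_env is out of range. */
static int parse_envelope_count_bad(sbr_state_t *sbr, bits_t *b) {
    int v = get_bits4(b);
    if (v < 0) return -1;
    sbr->num_env = v;                       /* committed before the check */
    if (v < 1 || v > MAX_ENV) return -1;    /* too late: state already changed */
    return 0;
}

/* Hardened shape: validate the local value, commit only on success. */
static int parse_envelope_count_good(sbr_state_t *sbr, bits_t *b) {
    int v = get_bits4(b);
    if (v < 1 || v > MAX_ENV) return -1;    /* state untouched on failure */
    sbr->num_env = v;
    return 0;
}

/* Consumer stage that trusts num_env, as a later DSP stage would. It clamps
 * its own writes so the test can observe the would-be overflow without
 * corrupting memory; a real consumer would just loop to num_env. */
static int fill_envelopes(sbr_state_t *sbr, int *would_overflow) {
    *would_overflow = sbr->num_env > MAX_ENV;
    int n = *would_overflow ? MAX_ENV : sbr->num_env;
    for (int i = 0; i < n; i++) sbr->env[i] = 1.0f;
    return sbr->num_env;   /* the bound the unclamped consumer would have used */
}

/* Drive one constructed frame (count field = 9 > MAX_ENV) through either
 * parser, starting from a valid state that carries num_env = 2 from a
 * previous frame. Returns 1 if the consumer would have written past env[]. */
static int demo(int hardened) {
    const uint8_t frame[] = { 0x90 };   /* constructed: bits 1001 xxxx -> 9 */
    bits_t b = { frame, sizeof frame, 0 };
    sbr_state_t sbr = { .num_env = 2 };
    int rc = hardened ? parse_envelope_count_good(&sbr, &b)
                      : parse_envelope_count_bad(&sbr, &b);
    (void)rc;   /* both parsers report failure; the state left behind differs */
    int overflow;
    fill_envelopes(&sbr, &overflow);
    return overflow;
}

int main(void) {
    printf("commit-then-check would overflow: %d\n", demo(0));
    printf("check-then-commit would overflow: %d\n", demo(1));
    return 0;
}
```

Both parsers return an error for the bad frame; the difference is only visible in the state afterwards, which is why an ASan fuzzer catches this class of bug in a downstream function rather than in the parser that made the mistake. Under ASan the unclamped consumer would report a heap- or stack-buffer-overflow WRITE of sizeof(float) in the consumer's frame, matching the shape of the report at the top of this issue.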
Jul 21 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/551d83a53c18705373993067423ff4e72cd46eb1

commit 551d83a53c18705373993067423ff4e72cd46eb1
Author: John Rummell <jrummell@chromium.org>
Date: Fri Jul 21 00:24:48 2017

Roll src/third_party/ffmpeg/ d19b0ad9b..97ebed679 (1 commit)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/d19b0ad9b26a..97ebed67951a

$ git log d19b0ad9b..97ebed679 --date=short --no-merges --format='%ad %ae %s'
2017-07-20 jrummell avcodec/aacsbr_template: Do not change bs_num_env before its checked

Created with:
  roll-dep src/third_party/ffmpeg

BUG=730446

Change-Id: I12d9bec4f13457a3e86743bf53bb66b11e73faba
Reviewed-on: https://chromium-review.googlesource.com/580008
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Commit-Queue: John Rummell <jrummell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#488514}

[modify] https://crrev.com/551d83a53c18705373993067423ff4e72cd46eb1/DEPS
Jul 21 2017
This should be fixed now. I'll wait for the fuzzer to verify before resolving this issue.
Jul 21 2017
Looks like the error doesn't repro with the fuzzer, so marking this as fixed.
Jul 21 2017
ClusterFuzz has detected this issue as fixed in range 488460:488595.

Detailed report: https://clusterfuzz.com/testcase?key=6031882457448448

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7fc7837ff440
Crash State:
  sbr_x_gen
  ff_sbr_apply
  spectral_to_sample

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=477310:477399
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=488460:488595

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6031882457448448

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 22 2017
ClusterFuzz testcase 6031882457448448 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 22 2017

Jul 26 2017

Aug 5 2017

Aug 5 2017
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 6 2017
+ awhalley@ (Security TPM) for M61 merge review.
Aug 8 2017
This was merged to 61 in #16
Oct 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot