-> jrummell@ (current ffmpeg roller)

While it doesn't look like the M60 roll is to blame, the bisect in the report looks like it might have timed out or couldn't find a working build for this case. John, please take a closer look. Depending on the problem/fix, this might also need to get merged back (please update the milestone label, accordingly, I've minimally put M-60 for now.)

I am able to reproduce the problem locally. Adding logging in oggparsecelt.c:

Replacing (nil) with 0x605000000160 for idx 2
Replacing 0x605000000160 with 0x605000000200 for idx 2
Replacing 0x605000000160 with 0x6050000007a0 for idx 2
==23856==ERROR: AddressSanitizer: attempting double-free on 0x605000000160 in thread T0:

jrummell: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

jrummell: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 490022:490184.

Detailed report: https://clusterfuzz.com/testcase?key=6254616911282176

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-double-free
Crash Address: 0x6060000013a0
Crash State:
  celt_header
  ogg_packet
  ogg_read_packet
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=490022:490184

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6254616911282176


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6254616911282176 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

dalecurtis@, it looks like this was fixed by your cherry-pick in  bug 742380  (https://bugs.chromium.org/p/chromium/issues/detail?id=742380#c10)

This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+ awhalley@ (Security TPM) for M61 merge review.

Fix already in 61 per #11

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot