This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Assign to dalecurtis@. Could you please take a look into this issue? It seems caused by https://chromium.googlesource.com/chromium/src/+/2f7fc637e426f4d432e35bae82609280add316fd%5E%21/.

I think this is the same root cause as issue 738295, but will verify.

Turns out this is a different issue; libvpx may try to drop refs on the same frame multiple times; so the ref_cnt system we've had forever is wrong. Previously it didn't matter since we don't delete buffers until the scoped_refptr count was zero. Now we're relying on the internal count to be accurate.

Will fix it along with issue 738295.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1510710c6a4b06430723a6b90f74c09888a0009b

commit 1510710c6a4b06430723a6b90f74c09888a0009b
Author: Dale Curtis <dalecurtis@chromium.org>
Date: Sat Jul 01 01:28:11 2017

Fix thread safety and ref counting issues with VpxVideoDecoder.

We were running the memory pool and shutdown code on the wrong
threads. Shutdown() and the memory pool must be invoked on the
offload thread when it's used.

Additionally libvpx has apparently never been accurate with
its ref counts... so it might try to release a ref for the same
frame twice, this replaces the numeric ref counting system with
a boolean based one. Possibly there is a libvpx bug here as well
that I will report to them.

BUG= 737889 ,738295
TEST=none

Change-Id: If4c60b37be3f805b1cc2aacfe0834e01374b1413
Reviewed-on: https://chromium-review.googlesource.com/557883
Commit-Queue: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#483888}
[modify] https://crrev.com/1510710c6a4b06430723a6b90f74c09888a0009b/media/filters/vpx_video_decoder.cc

ClusterFuzz has detected this issue as fixed in range 483870:483893.

Detailed report: https://clusterfuzz.com/testcase?key=6170949832671232

Fuzzer: ochang_media_mutator
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x0728ece8
Crash State:
  media::VpxVideoDecoder::MemoryPool::OnVideoFrameDestroyed
  base::internal::Invoker<base::internal::BindState<void
  base::debug::TaskAnnotator::RunTask
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=483186:483256
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=483870:483893

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6170949832671232


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6170949832671232 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot