This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nice find! I guess it's a result of new corpus added by Matt + some blocking issues fixed by him.

Looks like a duplicate of  issue 755501  (found using different job types, and stacktraces looks *different*, so these have been filed separately).

This is probably just a race - the affected code is probably part of the fuzzer TIMEOUT mitigation test-only path (added recently in https://chromium-review.googlesource.com/c/614318). I'll still look into deduping/fixing this along with  bug 755499 .

Confirmed duplicate of  bug 755499  (both files trigger same UAF of the raw AudioRendererImpl* in PipelineIntegrationTestBase added in https://chromium-review.googlesource.com/c/614318). This is a test-only issue, specific to media_pipeline_integration_fuzzer; removing RBS.

Thanks for the quick look!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b40b2ee2aae490a7c9daff046e130901dafc8fa6

commit b40b2ee2aae490a7c9daff046e130901dafc8fa6
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Fri Aug 18 01:38:18 2017

Fix test-only UAF/uninitialized value/bad-cast from invalid vptr in fuzzer timeout mitigation

Fixes PipelineIntegrationTestBase's UAF and bad-cast from invalid vptr
of |audio_renderer_| and similar use of uninitialized
audio_renderer_->first_packet_timestamp_ value in the
media_pipeline_integration_fuzzer timeout mitigation code from 219c7500.

Instead of waiting for (thread-trampolined) buffering state change
notifications to inspect the audio renderer's |first_packet_timestamp_|
(risking race of its destruction), this change adds a test-only callback
for directly telling the test about any positive |play_delay| in
AudioRendererImpl::Render(). (Using play_delay instead of
|first_packet_timestamp_| will also help a future MSE pipeline fuzzer
abort early after seeking hits a large audio play delay.) This new
test-only callback also must trampoline from audio thread to the
fuzzer's main thread, but it precludes the need to then ask the
(potentially already destructed) AudioRendererImpl for info.

BUG= 755501 , 755499 , 755619 , 754500 , 756412 

Change-Id: I9ab2987aa120c21a30463951c75e51838614d62f
Reviewed-on: https://chromium-review.googlesource.com/616064
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495414}
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.h
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_fuzzertest.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.h

ClusterFuzz has detected this issue as fixed in range 495377:495428.

Detailed report: https://clusterfuzz.com/testcase?key=6147971304652800

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6150000022a8
Crash State:
  media::PipelineIntegrationTestBase::CheckFirstAudioPacketTimestamp
  void testing::internal::InvokeHelper<void, std::__1::tuple<media::BufferingState
  void testing::internal::InvokeMethodAction<media::PipelineIntegrationTestBase, v
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=494191:494276
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=495377:495428

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6147971304652800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5128046461059072 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot