Dupe of  Issue 755501 ?

Yes - different symptom (due to different sanitizer) for same problem: PipelineIntegrationTestBase's |audio_renderer_| is invalid. Test-only code used only in media_pipeline_integration_fuzzer is impacted.

(Also, running this case against asan_debug linux media_pipeline_integration_fuzzer locally yields same UAF as in 755501.)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b40b2ee2aae490a7c9daff046e130901dafc8fa6

commit b40b2ee2aae490a7c9daff046e130901dafc8fa6
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Fri Aug 18 01:38:18 2017

Fix test-only UAF/uninitialized value/bad-cast from invalid vptr in fuzzer timeout mitigation

Fixes PipelineIntegrationTestBase's UAF and bad-cast from invalid vptr
of |audio_renderer_| and similar use of uninitialized
audio_renderer_->first_packet_timestamp_ value in the
media_pipeline_integration_fuzzer timeout mitigation code from 219c7500.

Instead of waiting for (thread-trampolined) buffering state change
notifications to inspect the audio renderer's |first_packet_timestamp_|
(risking race of its destruction), this change adds a test-only callback
for directly telling the test about any positive |play_delay| in
AudioRendererImpl::Render(). (Using play_delay instead of
|first_packet_timestamp_| will also help a future MSE pipeline fuzzer
abort early after seeking hits a large audio play delay.) This new
test-only callback also must trampoline from audio thread to the
fuzzer's main thread, but it precludes the need to then ask the
(potentially already destructed) AudioRendererImpl for info.

BUG= 755501 , 755499 , 755619 , 754500 , 756412 

Change-Id: I9ab2987aa120c21a30463951c75e51838614d62f
Reviewed-on: https://chromium-review.googlesource.com/616064
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495414}
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.h
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_fuzzertest.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.h

ClusterFuzz has detected this issue as fixed in range 495390:495430.

Detailed report: https://clusterfuzz.com/testcase?key=6446950823231488

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  OnCheckFirstAudioPacketTimestamp
  base::Callback<void
  testing::Action<void
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=494190:494271
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=495390:495430

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6446950823231488

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot