This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Confirmed another duplicate of  bug 755501  (UAF of the raw AudioRendererImpl* in PipelineIntegrationTestBases added in https://chromium-review.googlesource.com/c/614318). This is a test-only issue, specific to media_pipeline_integration_fuzzer; removing RBS.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b40b2ee2aae490a7c9daff046e130901dafc8fa6

commit b40b2ee2aae490a7c9daff046e130901dafc8fa6
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Fri Aug 18 01:38:18 2017

Fix test-only UAF/uninitialized value/bad-cast from invalid vptr in fuzzer timeout mitigation

Fixes PipelineIntegrationTestBase's UAF and bad-cast from invalid vptr
of |audio_renderer_| and similar use of uninitialized
audio_renderer_->first_packet_timestamp_ value in the
media_pipeline_integration_fuzzer timeout mitigation code from 219c7500.

Instead of waiting for (thread-trampolined) buffering state change
notifications to inspect the audio renderer's |first_packet_timestamp_|
(risking race of its destruction), this change adds a test-only callback
for directly telling the test about any positive |play_delay| in
AudioRendererImpl::Render(). (Using play_delay instead of
|first_packet_timestamp_| will also help a future MSE pipeline fuzzer
abort early after seeking hits a large audio play delay.) This new
test-only callback also must trampoline from audio thread to the
fuzzer's main thread, but it precludes the need to then ask the
(potentially already destructed) AudioRendererImpl for info.

BUG= 755501 , 755499 , 755619 , 754500 , 756412 

Change-Id: I9ab2987aa120c21a30463951c75e51838614d62f
Reviewed-on: https://chromium-review.googlesource.com/616064
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495414}
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.h
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_fuzzertest.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.h

ClusterFuzz has detected this issue as fixed in range 495403:495452.

Detailed report: https://clusterfuzz.com/testcase?key=5128046461059072

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0e82b5426c40
Crash State:
  Bad-cast to media::AudioRendererImpl from invalid vptr
  media::PipelineIntegrationTestBase::CheckFirstAudioPacketTimestamp
  testing::Action<void
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=494161:494246
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=495403:495452

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5128046461059072

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot