This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

wolenetz@, I wonder if you are the right person to fix this.

Yep. I'll take a look soon. I added these new fuzzers last week and have a bit of a stack I'm digging through now :)

I have a confirmed local repro with extra debugging on a debug asan fuzz build. Investigating...

kqyang@ - please take a look ASAP. I landed some new MSE fuzzers last week that have been finding all sorts of issues. This one looks related to your code changes to mp4_stream_parser's track_run_iterator and encryption.

(I confirmed hand-off of this in chat with kqyang@ earlier today.)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d932417fc75bf2d07e1009268e1765a8992c01af

commit d932417fc75bf2d07e1009268e1765a8992c01af
Author: KongQun Yang <kqyang@chromium.org>
Date: Tue Aug 29 23:09:30 2017

Fix sample description index check off by one error

Bug:  759294 
Bug:  760049 
Change-Id: I4008650d6c2aac3be0c0fc9b39e4e8a4e5fc9779
Reviewed-on: https://chromium-review.googlesource.com/641405
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Kongqun Yang <kqyang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498274}
[modify] https://crrev.com/d932417fc75bf2d07e1009268e1765a8992c01af/media/formats/mp4/track_run_iterator.cc

The bug should be fixed. I verified locally that it is no longer reproducible. Can we force clusterfuzz.com to rerun the test to confirm it is really fixed?

Yes - but it takes a little while (a few hours sometimes) for the clusterfuzz-builder to catch up and produce a new version of the fuzzer. From the top left of the CF report page, select "REDO" -> "FIXED" and it will then automate an attempt to see if the issue is fixed. Otherwise, it'll run such attempts roughly every 24hrs IIUC. mmoroz@, please correct me if I'm wrong.

Also - (as I noted in  bug 760049  too):

IMHO, this will be needed ASAP in M61 too.
kqyang@, please plan, request (after CF confirms fixed and bakes in Canary 24hrs) and do the merge (assuming it gets approved).
cc+=govind@ accordingly

+ awhalley@ (Security TPM for review)

ClusterFuzz has detected this issue as fixed in range 498221:498291.

Detailed report: https://clusterfuzz.com/testcase?key=4895659672207360

Fuzzer: libFuzzer_mediasource_MP4_FLAC_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x610000048048
Crash State:
  media::mp4::TrackRunIterator::IsSampleEncrypted
  media::mp4::TrackRunIterator::AuxInfoNeedsToBeCached
  media::mp4::MP4StreamParser::EnqueueSample
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=497063:497144
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=498221:498291

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4895659672207360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4895659672207360 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: We are only 5 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Once #11 has had > 48hours in Canary this is good to take in 61.

The NextAction date has arrived: 2017-08-31

govind@ - good for 61

Approving merge to M61 branch 3163 based on comment #23. Please merge ASAP. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2a13f4e301f18dac91405b628d82d0d4c4a5d5b0

commit 2a13f4e301f18dac91405b628d82d0d4c4a5d5b0
Author: KongQun Yang <kqyang@chromium.org>
Date: Thu Aug 31 17:52:15 2017

Fix sample description index check off by one error

TBR=kqyang@chromium.org

(cherry picked from commit d932417fc75bf2d07e1009268e1765a8992c01af)

Bug:  759294 
Bug:  760049 
Change-Id: I4008650d6c2aac3be0c0fc9b39e4e8a4e5fc9779
Reviewed-on: https://chromium-review.googlesource.com/641405
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
Commit-Queue: Kongqun Yang <kqyang@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#498274}
Reviewed-on: https://chromium-review.googlesource.com/646079
Reviewed-by: Kongqun Yang <kqyang@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#1034}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/2a13f4e301f18dac91405b628d82d0d4c4a5d5b0/media/formats/mp4/track_run_iterator.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot