This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

chcunningham: looks like your CL https://chromium.googlesource.com/chromium/src/+/d9df58ee5bc9a54f80a59dc1945e5996c5ac86d6 introduced this ASAN issue. Can you please investigate?

will do

Fix in review: https://chromium-review.googlesource.com/c/chromium/src/+/642129

 Issue 760064  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/86069cb27b8cd46700f1d7a3e78f4e82df1b8c2b

commit 86069cb27b8cd46700f1d7a3e78f4e82df1b8c2b
Author: Chris Cunningham <chcunningham@chromium.org>
Date: Tue Aug 29 22:35:33 2017

VideoDecodeStatsReporter - Fix overflow read

GetFpsBucket() did not account for the case where the upper_bound =
std::end(kFramerateBuckets); This lead to OOB reads.

This fix detects the above condition and simply chooses the largest
bucket. Also the list of buckets is now much larger to account for
higher playback rates.

BUG= 760035 
TEST=fuzzer case passes

Change-Id: Idf978cb15443ef4bcedd5c6f5f1a3b958d2863b7
Reviewed-on: https://chromium-review.googlesource.com/642129
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Commit-Queue: Chrome Cunningham <chcunningham@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498260}
[modify] https://crrev.com/86069cb27b8cd46700f1d7a3e78f4e82df1b8c2b/media/blink/video_decode_stats_reporter.cc

ClusterFuzz testcase 5162886766002176 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 498140:498349.

Detailed report: https://clusterfuzz.com/testcase?key=5166288392683520

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Global-buffer-overflow READ 4
Crash Address: 0x7fa768f61b64
Crash State:
  media::VideoDecodeStatsReporter::UpdateFrameRateStability
  media::VideoDecodeStatsReporter::UpdateStats
  base::Timer::RunScheduledTask
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=497874:497964
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=498140:498349

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5166288392683520

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. If the fix resolved the issue, please close the bug by marking as Fixed.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot