
Issue 791349 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue 771995
issue 803898




Integer-overflow in mov_read_stts

Project Member Reported by ClusterFuzz, Dec 3 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6652862951325696

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  mov_read_stts
  mov_read_default
  ff_mov_read_stsd_entries
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=515364:515426

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6652862951325696

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Cc: kkaluri@chromium.org
Components: Internals>Media>FFmpeg
Labels: M-64 CF-NeedsTriage
Predator has provided 4 possible suspects

1. mov: fix decode of fragments that overlap in time by jstebbins@jetheaddev.com
2. mov: Do not try to parse multiple stsd for the same track by lu_zero@gentoo.org
3. lavf/mov: Allow reading very large files. by melkor@odyssey.com.uy
4. mov: Rework stsc index validation by vittorio.giovara@gmail.com

Since the suspected owners are not chromium members, adding CF-NeedsTriage label for further triage from FFMPEG dev team.

Blocking: 771995
Owner: sande...@chromium.org
Status: Assigned (was: Untriaged)
Blocking: 803898
Cc: sande...@chromium.org
Owner: wolenetz@chromium.org
I have a local repro in ToT Chromium. Getting a repro in upstream ffplay is proving difficult, since the logic in the case is conditioned on the AVIOContext's current position (which differs in Chromium's FFmpegGlue custom Read/Seek/etc operations versus ffplay's).

I'll consider fixing this one myself rather than upstreaming the case.
Status: Started (was: Assigned)
I found a way to repro this on upstream ffplay, with --toolchain=clang-usan: use the async ffmpeg protocol to get the IO behavior to be more like what is needed to repro the problem with this repro media.  e.g. ffplay async:repro_media_file
Specific UBSAN options (see the report, minus suppressions and symbolization options) are helpful to obtain the stack trace.

I've sent the case upstream to Michael today.


With my review, Michael landed the fix upstream last Friday:

https://github.com/FFmpeg/FFmpeg/commit/2f37082827a405430c40408ee2db19ea2866ce64

It'll get pulled into the M67 ffmpeg roll (no cherry-pick should be needed for M67).
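The report and the comments above name only the function and the bug class (an integer overflow flagged by UBSAN in mov_read_stts); nothing on this page says which arithmetic wrapped, and the upstream commit is linked rather than quoted. As an added illustration of the bug class, not FFmpeg's mov_read_stts and not the fix that landed, the C below walks a constructed stts ("time-to-sample") payload in the ISO BMFF layout (version/flags, entry_count, then {sample_count, sample_delta} pairs) and refuses the atom when the entry table does not fit or when summing counts and count*delta products would overflow, instead of silently wrapping. The function names (`parse_stts_checked`, `stts_duration_or_neg`), the sample buffers and the use of the GCC/Clang `__builtin_*_overflow` builtins are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical summary of an stts atom; not an FFmpeg type. */
typedef struct {
    uint32_t entry_count;
    int64_t total_samples;
    int64_t total_duration;   /* sum over entries of sample_count * sample_delta */
} stts_summary;

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an stts payload: 4 bytes version/flags, 4 bytes entry_count, then
 * entry_count pairs of {sample_count, sample_delta}, all big-endian 32-bit.
 * Returns 0 on success, -1 if the declared table does not fit in the buffer,
 * -2 if accumulating the totals would overflow int64_t. Uses GCC/Clang
 * overflow builtins (assumption of this example). */
int parse_stts_checked(const uint8_t *buf, size_t len, stts_summary *out) {
    if (len < 8) return -1;
    uint32_t n = rd_be32(buf + 4);
    /* Bound the entry count by the bytes actually present: 8 bytes per entry. */
    if ((len - 8) / 8 < n) return -1;

    int64_t samples = 0, duration = 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 8 + (size_t)i * 8;
        int64_t count = rd_be32(e);      /* widen before multiplying */
        int64_t delta = rd_be32(e + 4);
        int64_t prod;
        if (__builtin_mul_overflow(count, delta, &prod)) return -2;
        if (__builtin_add_overflow(samples, count, &samples)) return -2;
        if (__builtin_add_overflow(duration, prod, &duration)) return -2;
    }
    out->entry_count = n;
    out->total_samples = samples;
    out->total_duration = duration;
    return 0;
}

/* Convenience wrapper: total duration on success, else the negative error code. */
int64_t stts_duration_or_neg(const uint8_t *buf, size_t len) {
    stts_summary s;
    int rc = parse_stts_checked(buf, len, &s);
    return rc == 0 ? s.total_duration : rc;
}

/* Constructed sample payloads (not from the fuzzer testcase on this page). */
/* One entry: 3 samples of 1000 ticks each. */
const uint8_t SAMPLE_OK[] = {0,0,0,0, 0,0,0,1, 0,0,0,3, 0,0,0x03,0xE8};
/* Two entries of count 2^31 and delta 2^31: each product is 2^62, their sum 2^63 overflows. */
const uint8_t SAMPLE_OVERFLOW[] = {0,0,0,0, 0,0,0,2,
                                   0x80,0,0,0, 0x80,0,0,0,
                                   0x80,0,0,0, 0x80,0,0,0};
/* Declares two entries but carries only one. */
const uint8_t SAMPLE_TRUNCATED[] = {0,0,0,0, 0,0,0,2, 0,0,0,1, 0,0,0,1};

int main(void) {
    printf("ok:        %lld\n", (long long)stts_duration_or_neg(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("overflow:  %lld\n", (long long)stts_duration_or_neg(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW));
    printf("truncated: %lld\n", (long long)stts_duration_or_neg(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The two checks are the ones a sanitizer finding like this usually points at: the table size must be validated against the bytes actually available before the loop, and every accumulation must be checked rather than relying on 32-bit operands staying small once they are multiplied and summed.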
Project Member

Comment 7 by bugdroid1@chromium.org, Mar 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720

commit 3a1d00c3ef1de6fcc959696e2a1ff11f901e4720
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Thu Mar 15 22:54:10 2018

Roll src/third_party/ffmpeg/ 4468d4967..02ec9ce5a (389 commits)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/4468d4967f5d..02ec9ce5a9bc

$ git log 4468d4967..02ec9ce5a --date=short --no-merges --format='%ad %ae %s'
2018-03-13 wolenetz Updating build configs for M67 roll.
2018-03-13 wolenetz Update build_ffmpeg.py's sysroot name for M67
2018-03-13 wolenetz Remove deprecated av_register_all from ffmpeg.sigs
2018-03-13 wolenetz Copy [de]muxer, codec and parser lists into configs
2018-03-12 wolenetz Update chromium patches README
2018-03-12 vdixit avformat/hlsenc: fix for zero EXTINF tag duration
2018-03-12 matthieu.bouron avcodec/mediacodecdec_common: make INFO_TRY_AGAIN trace messages more consistent
2018-03-10 aman avcodec/mediacodecdec: add debug logging around hw buffer lifecycle
2018-02-27 michael avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
2018-02-27 michael avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
(...)

Created with:
  roll-dep src/third_party/ffmpeg

Includes removal of FFmpegGlue::InitializeFFmpeg() because
av_register_all is no longer needed (and is deprecated in FFmpeg).

BUG=803898,772699,786793,791237,791349,795653,796778,800123,817338

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I94ccecab95831174a3bae6e9a8422e10bfec8e85
Reviewed-on: https://chromium-review.googlesource.com/964248
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543531}
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/DEPS
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/content/renderer/media/webrtc/peer_connection_dependency_factory.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/cdm/library_cdm/clear_key_cdm/clear_key_cdm.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/ffmpeg/ffmpeg_common_unittest.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_audio_decoder.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_glue.h
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/filters/ffmpeg_video_decoder_unittest.cc
[modify] https://crrev.com/3a1d00c3ef1de6fcc959696e2a1ff11f901e4720/media/gpu/video_encode_accelerator_unittest.cc

Project Member

Comment 8 by ClusterFuzz, Mar 16 2018

ClusterFuzz has detected this issue as fixed in range 543518:543534.

Detailed report: https://clusterfuzz.com/testcase?key=6652862951325696

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  mov_read_stts
  mov_read_default
  ff_mov_read_stsd_entries
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=515364:515426
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=543518:543534

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6652862951325696

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Mar 16 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6652862951325696 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
