Heap-buffer-overflow in WebRtcSpl_DownsampleFastC
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5055871855099904
Fuzzer: libFuzzer_neteq_rtp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x60300007aed4
Crash State:
  WebRtcSpl_DownsampleFastC
  webrtc::Merge::Downsample
  webrtc::Merge::Process
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=423124:423149
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5055871855099904

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Jan 6 2018
Jan 6 2018
Jan 6 2018
Jan 8 2018

Jan 26 2018
kwiberg: Can you please take a look? Thanks.

Jan 26 2018
kwiberg: Uh oh! This issue is still open and hasn't been updated in the last 20 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feb 5 2018
Took a quick look. It's easy to reproduce and looks like a legit problem, but I didn't manage to make any real headway in solving it in 30 minutes. It looks like the sort of problem where you have to start by reverse engineering exactly how large the arrays are supposed to be that are being passed around. Tossing the bug to hlundin@, in the hope that he'll be able to make a call about how highly to prioritize this.

Feb 9 2018
hlundin: Uh oh! This issue is still open and hasn't been updated in the last 34 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feb 14 2018
hlundin@, did you get a chance to take a look? Since you landed the fuzzer, we expect that you can also fix the vulnerabilities it finds :)

Feb 15 2018
I will get the issue fixed. Thanks for reminding me.

Feb 26 2018

Feb 26 2018
The following revision refers to this bug: https://webrtc.googlesource.com/src.git/+/8b84365c81df734d29fe724cd6e1ec3807fe2926

commit 8b84365c81df734d29fe724cd6e1ec3807fe2926
Author: Henrik Lundin <henrik.lundin@webrtc.org>
Date: Mon Feb 26 09:30:00 2018

NetEq: Guarding against reading outside of memory

In rare and pathological circumstances, it could happen that the input length to the merge function is very short. This CL will avoid one of the problems with out-of-bounds read that could result from this.

Bug: chromium:799499
Change-Id: I6bde105ae88f9d130764b6dfb3d25443d07e214b
Reviewed-on: https://webrtc-review.googlesource.com/57582
Reviewed-by: Ivo Creusen <ivoc@webrtc.org>
Commit-Queue: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22180}

[modify] https://crrev.com/8b84365c81df734d29fe724cd6e1ec3807fe2926/modules/audio_coding/neteq/merge.cc
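Added example, not the WebRTC source and not the fix that landed in merge.cc: a C downsampler with the same call shape as WebRtcSpl_DownsampleFastC whose precondition check rejects any input too short to cover the indices the filter loop would read, which is the condition a very short merge input violates. The function, constants and sample data are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FIR downsampler with the call shape of WebRtcSpl_DownsampleFastC: output k
 * is the dot product of coef[0..n_coef-1] with in[i], in[i-1], ...,
 * in[i-n_coef+1] where i = delay + factor*k. Returns 0, or -1 when `in` cannot
 * cover every index the loops would read. Reconstruction, not WebRTC's code. */
int safe_downsample(const int16_t *in, size_t in_len, int16_t *out,
                    size_t out_len, const int16_t *coef, size_t n_coef,
                    size_t factor, size_t delay) {
    if (out_len == 0 || n_coef == 0 || factor == 0)
        return -1;
    if (delay + 1 < n_coef)                      /* first tap would read in[<0] */
        return -1;
    if (out_len - 1 > (SIZE_MAX - delay) / factor) /* index arithmetic overflow */
        return -1;
    size_t last = delay + factor * (out_len - 1);  /* highest index to be read */
    if (last >= in_len)                          /* the out-of-bounds-read case */
        return -1;
    for (size_t k = 0; k < out_len; k++) {
        size_t i = delay + factor * k;
        int32_t acc = 2048;                      /* Q12 rounding constant */
        for (size_t j = 0; j < n_coef; j++)
            acc += (int32_t)coef[j] * in[i - j];
        acc >>= 12;
        out[k] = (int16_t)(acc > INT16_MAX ? INT16_MAX : acc < INT16_MIN ? INT16_MIN : acc);
    }
    return 0;
}

/* Constructed data: 8 input samples and a 3-tap identity filter (4096 == 1.0 in Q12). */
static const int16_t kIn[8] = {10, 20, 30, 40, 50, 60, 70, 80};
static const int16_t kIdentity[3] = {4096, 0, 0};

/* Decimates kIn by 2 with the claimed input length and delay; returns the sum
 * of the three outputs, or -1 when the call was rejected. */
long run_case(size_t in_len, size_t delay) {
    int16_t out[3] = {0, 0, 0};
    if (safe_downsample(kIn, in_len, out, 3, kIdentity, 3, 2, delay) != 0)
        return -1;
    return (long)out[0] + out[1] + out[2];
}

int main(void) {
    printf("8 samples, delay 2: %ld\n", run_case(8, 2)); /* 30+50+70 = 150 */
    printf("5 samples, delay 2: %ld\n", run_case(5, 2)); /* rejected: -1 */
    printf("8 samples, delay 1: %ld\n", run_case(8, 1)); /* rejected: -1 */
    return 0;
}
```

The second case is the shape of this bug: the caller claims fewer input samples than the last index the loop would touch, and the check turns a silent out-of-bounds read into an error return.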

Feb 27 2018
ClusterFuzz has detected this issue as fixed in range 539137:539145.

Detailed report: https://clusterfuzz.com/testcase?key=5055871855099904
Fuzzer: libFuzzer_neteq_rtp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x60300007aed4
Crash State:
  WebRtcSpl_DownsampleFastC
  webrtc::Merge::Downsample
  webrtc::Merge::Process
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=423124:423149
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=539137:539145
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5055871855099904

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 27 2018
ClusterFuzz testcase 5055871855099904 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Feb 27 2018
Mar 6 2018
Apr 17 2018

Jun 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by ClusterFuzz, Jan 5 2018
Labels: Test-Predator-Auto-CC