Issue 801821

Issue metadata

Status: Verified
Closed: Feb 2018
OS: Linux, Windows, Mac
Pri: 1
Type: Bug-Security
Blocking: issue 777484


Heap-buffer-overflow in mov_read_stts

Reported by ClusterFuzz (Project Member), Jan 13 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4716293621284864

Fuzzer: inferno_flicker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x00013f7bc820
Crash State:
  mov_read_stts
  mov_read_default
  mov_read_default
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=528992:529041

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4716293621284864

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jan 13 2018

Components: Internals>Media>FFmpeg
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by sheriffbot@chromium.org (Project Member), Jan 13 2018

Labels: M-65

Comment 3 by sheriffbot@chromium.org (Project Member), Jan 13 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org (Project Member), Jan 13 2018

Labels: Pri-1

Comment 5 by ClusterFuzz (Project Member), Jan 13 2018

Labels: OS-Windows OS-Linux
Cc: sande...@chromium.org wolenetz@chromium.org
Owner: dalecur...@chromium.org
dalecurtis -- Can you triage and assign an owner? Thanks!
Cc: dalecur...@chromium.org
Owner: xhw...@chromium.org
Status: Assigned (was: Untriaged)
It looks like this came in during sandersd@'s M65 ffmpeg roll.
=> xhwang@ for clearing up during M66 ffmpeg roll, unless Dale wants to take it back sooner :)
Blocking: 777484
We'll need to backport this fix to M65 once found.

Comment 10 by sheriffbot@chromium.org (Project Member), Jan 25 2018

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 11 by sheriffbot@chromium.org (Project Member), Jan 27 2018

xhwang: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Started (was: Assigned)
M65 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and request a merge into the release branch ASAP. Thank you.
Status: Assigned (was: Started)
Uploaded test cases to linux bots to see if we can get a repro there:

https://clusterfuzz.com/v2/testcase-detail/6250929595351040
https://clusterfuzz.com/v2/testcase-detail/6024294237470720

Comment 16 by ClusterFuzz (Project Member), Feb 13 2018

Detailed report: https://clusterfuzz.com/testcase?key=6250929595351040

Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7f2ba3bad820
Crash State:
  mov_read_stts
  mov_read_default
  mov_read_default
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6250929595351040

See https://github.com/google/clusterfuzz-tools for more information.

Comment 17 by ClusterFuzz (Project Member), Feb 13 2018

Detailed report: https://clusterfuzz.com/testcase?key=6024294237470720

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7f7e4ffa0820
Crash State:
  mov_read_stts
  mov_read_default
  mov_read_default
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6024294237470720

See https://github.com/google/clusterfuzz-tools for more information.
Status: Started (was: Assigned)

Comment 19 by bugdroid1@chromium.org (Project Member), Feb 13 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/08644b7df2c9a9134deb01b16d3ba94f08dc293e

commit 08644b7df2c9a9134deb01b16d3ba94f08dc293e
Author: Xiaohan Wang <xhwang@chromium.org>
Date: Tue Feb 13 23:03:28 2018

ffmpeg: Fix stts_data memory allocation

In this loop, |i| is the "index". And the memory allocated should be at
least the current "count", which is |i + 1|.

BUG=801821

Change-Id: I92aef9cc15cab5821a96ad859e2152656d2a22ac
Reviewed-on: https://chromium-review.googlesource.com/917217
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>

[modify] https://crrev.com/08644b7df2c9a9134deb01b16d3ba94f08dc293e/libavformat/mov.c
[modify] https://crrev.com/08644b7df2c9a9134deb01b16d3ba94f08dc293e/chromium/patches/README
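To illustrate the allocation defect the commit message describes, here is an added example in C. It is not FFmpeg's mov.c and not the diff of the commit above; it is a constructed model of the pattern: a loop indexed by i fills an stts-style table and grows the buffer on demand, so the grow step must request room for i + 1 entries (the current count), not i. The fast_realloc-style grow helper, its headroom policy and the INITIAL_CHUNK minimum are assumptions of this example, not values from the page. They are included because they show why the off-by-one stays silent for small tables and only surfaces once the index runs past the headroom, which is the kind of input a fuzzer reaches and ASan reports as a heap-buffer-overflow WRITE.

```c
/* Added example, not FFmpeg's code: a model of the stts allocation pattern. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define INITIAL_CHUNK 16  /* assumed: minimum number of entries requested per grow */

typedef struct {
    uint32_t count;     /* sample count in this run */
    int32_t  duration;  /* duration of each sample in the run */
} stts_entry;

typedef struct {
    stts_entry *data;
    size_t      allocated;  /* bytes currently backing data */
} stts_table;

/* Grow-on-demand helper in the spirit of a fast_realloc(): reallocates only
 * when min_size exceeds the current allocation, and adds headroom when it does.
 * The headroom is exactly what lets an off-by-one stay silent for a while.
 * Returns 0 on success, -1 on allocation failure. */
static int table_grow(stts_table *t, size_t min_size)
{
    if (min_size <= t->allocated)
        return 0;
    size_t new_size = min_size + min_size / 16 + 32;  /* assumed growth policy */
    stts_entry *p = realloc(t->data, new_size);
    if (!p)
        return -1;
    t->data = p;
    t->allocated = new_size;
    return 0;
}

/* Number of entries to request room for before writing entry i.
 * off_by_one == 1 reproduces the defect: the "count" is taken to be i.
 * off_by_one == 0 is the corrected form: the current count is i + 1.
 * The request is at least INITIAL_CHUNK and never more than the table size. */
static size_t entries_to_request(size_t i, size_t total, int off_by_one)
{
    size_t current_count = off_by_one ? i : i + 1;
    size_t want = current_count > INITIAL_CHUNK ? current_count : INITIAL_CHUNK;
    return want < total ? want : total;
}

/* Fill a table of `total` entries with constructed values, growing as we go.
 * Before each write the function checks that data[i] fits in the allocation.
 * The first out-of-bounds write is not performed; its index is returned
 * instead. Returns -1 if every write was in bounds, -2 on allocation failure. */
static long fill_table(stts_table *t, size_t total, int off_by_one)
{
    for (size_t i = 0; i < total; i++) {
        size_t need = entries_to_request(i, total, off_by_one) * sizeof(stts_entry);
        if (table_grow(t, need) < 0)
            return -2;
        /* This is the check a parser implicitly delegates to its allocator. */
        if ((i + 1) * sizeof(stts_entry) > t->allocated)
            return (long)i;
        t->data[i].count    = (uint32_t)(i + 1);  /* constructed sample count */
        t->data[i].duration = 1000;               /* constructed duration */
    }
    return -1;
}

/* First index whose write would land outside the buffer, or -1 if none. */
static long first_oob_index(size_t total, int off_by_one)
{
    stts_table t = { NULL, 0 };
    long r = fill_table(&t, total, off_by_one);
    free(t.data);
    return r;
}

int main(void)
{
    printf("off-by-one, 16 entries: first OOB index %ld (hidden by headroom)\n",
           first_oob_index(16, 1));
    printf("off-by-one, 64 entries: first OOB index %ld\n", first_oob_index(64, 1));
    printf("corrected,  64 entries: first OOB index %ld\n", first_oob_index(64, 0));
    return 0;
}
```

With these assumed parameters the defective form fills 16 or even 21 entries without complaint and first writes out of bounds at index 21 of a larger table, while the corrected form never does; a unit test built from a small hand-written atom would therefore pass, and only a file with many entries, of the kind a fuzzer produces, trips the sanitizer.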

Comment 20 by ClusterFuzz (Project Member), Feb 14 2018

Detailed report: https://clusterfuzz.com/testcase?key=6250929595351040

Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7f2ba3bad820
Crash State:
  mov_read_stts
  mov_read_default
  mov_read_default
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=529000:529005

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6250929595351040

See https://github.com/google/clusterfuzz-tools for more information.
Status: Fixed (was: Started)
Merges should be tracked by merge label, moving this to status=Fixed.

Comment 22 by bugdroid1@chromium.org (Project Member), Feb 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e19b85dee7f81bcce2c2af2ad1688c725ab85960

commit e19b85dee7f81bcce2c2af2ad1688c725ab85960
Author: Xiaohan Wang <xhwang@chromium.org>
Date: Wed Feb 14 23:37:39 2018

Roll src/third_party/ffmpeg/ 58a80d155..9ed334093 (4 commits)

https://chromium.googlesource.com/chromium/third_party/ffmpeg.git/+log/58a80d15568f..9ed334093692

$ git log 58a80d155..9ed334093 --date=short --no-merges --format='%ad %ae %s'
2018-02-13 sandersd Prevent NULL dereference in mov_seek_fragment()
2018-02-13 xhwang ffmpeg: Fix integer overflow in decode_cabac_residual_internal()
2018-02-13 xhwang ffmpeg: Fix stts_data memory allocation
2018-02-13 sandersd Prevent NULL dereference in mov_read_sidx()

Created with:
  roll-dep src/third_party/ffmpeg

BUG=804070,806580,801821,802335

Change-Id: Iae66a2c0ac4443b8ef04fffa630a925308dfdd04
Reviewed-on: https://chromium-review.googlesource.com/919863
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Commit-Queue: Xiaohan Wang <xhwang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536884}
[modify] https://crrev.com/e19b85dee7f81bcce2c2af2ad1688c725ab85960/DEPS

Comment 23 by ClusterFuzz (Project Member), Feb 15 2018

ClusterFuzz has detected this issue as fixed in range 536883:536888.

Detailed report: https://clusterfuzz.com/testcase?key=6250929595351040

Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7f2ba3bad820
Crash State:
  mov_read_stts
  mov_read_default
  mov_read_default
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=529000:529005
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=536883:536888

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6250929595351040

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 24 by ClusterFuzz (Project Member), Feb 15 2018

ClusterFuzz has detected this issue as fixed in range 536855:536926.

Detailed report: https://clusterfuzz.com/testcase?key=4716293621284864

Fuzzer: inferno_flicker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x000132c03820
Crash State:
  mov_read_stts
  mov_read_default
  mov_read_default
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=528992:529041
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=536855:536926

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4716293621284864

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 25 by ClusterFuzz (Project Member), Feb 15 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4716293621284864 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 26 by sheriffbot@chromium.org (Project Member), Feb 15 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-65
The actual fix is at https://chromium-review.googlesource.com/917217, which is a one line fix. The risk is very low.

Request to merge to M65.

Comment 28 by sheriffbot@chromium.org (Project Member), Feb 16 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+ awhalley@ for M65 merge review.
Labels: -Hotlist-Merge-Review -Merge-Review-65
Tracking ffmpeg roll on issue 804097

Comment 31 by bugdroid1@chromium.org (Project Member), Feb 20 2018

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/adbd83a88ab3aaf9aeb72cfc0b7e2c7e37922f40

commit adbd83a88ab3aaf9aeb72cfc0b7e2c7e37922f40
Author: Xiaohan Wang <xhwang@chromium.org>
Date: Tue Feb 20 19:43:51 2018

For the record, the merge to M65 in #31 is covered by the merge approval in issue 804097.
Labels: -ReleaseBlock-Stable
For the record, upstream patch is at https://patchwork.ffmpeg.org/patch/7587/

Comment 35 by sheriffbot@chromium.org (Project Member), Mar 27 2018

Labels: -Security_Impact-Beta Security_Impact-Stable

Comment 36 by sheriffbot@chromium.org (Project Member), May 24 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
