Use-of-uninitialized-value in WebRtcSpl_MaxAbsValueW16C
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4764508420833280
Fuzzer: libFuzzer_audio_processing_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  WebRtcSpl_MaxAbsValueW16C
  TimeToFrequencyDomain
  WebRtcAecm_ProcessBlock
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=529621:529651
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4764508420833280
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jan 24 2018
Can somebody please make 'aleloi@chromium.org' owner? Otherwise I can't access the test case and reproduce this.
Jan 24 2018
Jan 24 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.
If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jan 24 2018
Jan 24 2018
Jan 25 2018
Jan 25 2018
The following revision refers to this bug: https://webrtc.googlesource.com/src.git/+/bc5c69f8e7a5b4b8b9dcfc979d8bff09ffb78daa

commit bc5c69f8e7a5b4b8b9dcfc979d8bff09ffb78daa
Author: Alex Loiko <aleloi@webrtc.org>
Date: Thu Jan 25 15:09:14 2018

Use of uninitialized value in AECM.

The AecMobile struct contains a ::farendOld field. Its type is 'short [2][80]'. The field was initialized by
  memset(&aecm->farendOld[0][0], 0, 160);
But sizeof(short) is not guaranteed to be 1. This causes use of uninitialized memory on some platforms. According to MSAN, it can affect the output of the echo canceller.

The issue was found by the MSAN fuzzer. This change initializes the array properly.

Bug: chromium:805396
Change-Id: Ibcaca2185cfa153e8fd826e9addfc04d7b65e417
Reviewed-on: https://webrtc-review.googlesource.com/43860
Reviewed-by: Sam Zackrisson <saza@webrtc.org>
Commit-Queue: Alex Loiko <aleloi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21764}
[modify] https://crrev.com/bc5c69f8e7a5b4b8b9dcfc979d8bff09ffb78daa/modules/audio_processing/aecm/echo_control_mobile.cc
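As an added illustration of the defect the commit message describes (this is not the project's code: the struct is a constructed stand-in for the farendOld field, and the sizeof-based initializer is my assumption of how the linked change fixes it), this C program runs the 160-byte memset and a sizeof-based memset over a 'short [2][80]' array pre-filled with a sentinel, and counts how many of the 160 elements each one leaves untouched:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the farendOld field named in the commit message
 * ('short [2][80]'); nothing else of AecMobile is modelled here. */
#define FAREND_ROWS 2
#define FAREND_LEN 80

typedef struct {
  short farendOld[FAREND_ROWS][FAREND_LEN];
} AecMobileStandIn;

/* The form quoted in the commit message: 160 is the element count, not the
 * byte count, so with sizeof(short) == 2 only the first row is zeroed. */
static void init_farend_by_element_count(AecMobileStandIn *aecm) {
  memset(&aecm->farendOld[0][0], 0, 160);
}

/* Corrected form (my assumption of the fix; the real change is in the
 * linked commit): size the memset from the object, not a hand-typed count. */
static void init_farend_by_sizeof(AecMobileStandIn *aecm) {
  memset(aecm->farendOld, 0, sizeof(aecm->farendOld));
}

/* Pre-fill the array with a sentinel standing in for stale memory, run the
 * initializer, and count elements it never touched: those are what a later
 * scan such as the max-abs-value in the crash state would read. */
static size_t count_untouched(void (*init)(AecMobileStandIn *)) {
  AecMobileStandIn aecm;
  const short sentinel = 0x5A5A;  /* constructed marker value */
  size_t untouched = 0;
  for (size_t r = 0; r < FAREND_ROWS; r++)
    for (size_t i = 0; i < FAREND_LEN; i++)
      aecm.farendOld[r][i] = sentinel;
  init(&aecm);
  for (size_t r = 0; r < FAREND_ROWS; r++)
    for (size_t i = 0; i < FAREND_LEN; i++)
      if (aecm.farendOld[r][i] == sentinel) untouched++;
  return untouched;
}

int main(void) {
  printf("sizeof(short) = %zu\n", sizeof(short));
  printf("left untouched by 160-byte memset: %zu of %d\n",
         count_untouched(init_farend_by_element_count), FAREND_ROWS * FAREND_LEN);
  printf("left untouched by sizeof memset:   %zu of %d\n",
         count_untouched(init_farend_by_sizeof), FAREND_ROWS * FAREND_LEN);
  return 0;
}
```

On a platform with a 2-byte short the first initializer leaves the entire second row (80 elements) holding whatever was in memory before, which is exactly the read MSAN reports when the echo canceller scans the array.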
Jan 28 2018
ClusterFuzz has detected this issue as fixed in range 532169:532198.
Detailed report: https://clusterfuzz.com/testcase?key=4764508420833280
Fuzzer: libFuzzer_audio_processing_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  WebRtcSpl_MaxAbsValueW16C
  TimeToFrequencyDomain
  WebRtcAecm_ProcessBlock
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=529621:529651
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=532169:532198
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4764508420833280
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 28 2018
ClusterFuzz testcase 4764508420833280 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 8 2018
Feb 13 2018
Looks like https://webrtc.googlesource.com/src.git/+/bc5c69f8e7a5b4b8b9dcfc979d8bff09ffb78daa came after the 65 branch.
Feb 13 2018
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review.
Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Feb 13 2018
+awhalley@, is this good to take in for M65 per comment #12?
Feb 13 2018
Approving merge to M65 branch per comment #12 and offline chat with awhalley@. Pls merge ASAP so we can pick it up for this week Beta release. Thank you.
Feb 14 2018
Ping on M65 Merge, pls merge ASAP. Thank you.
Feb 15 2018
+ tommi@, would it be possible for you to help with this merge to M65 branch?
Feb 15 2018
Henrik, can you help?
Feb 15 2018
Thank you tommi@. +hbos@, pls help with M65 merge. Thank you.
Feb 15 2018
Sorry, I meant cc-ing hlundin@. However, hbos could also help of course :)
Feb 15 2018
The following revision refers to this bug: https://webrtc.googlesource.com/src.git/+/dc31232fe5a8ebb3364e052aebbda0b30a9a7e7c

commit dc31232fe5a8ebb3364e052aebbda0b30a9a7e7c
Author: Henrik Lundin <henrik.lundin@webrtc.org>
Date: Thu Feb 15 20:34:23 2018

[MERGE TO M65] Use of uninitialized value in AECM.

The AecMobile struct contains a ::farendOld field. Its type is 'short [2][80]'. The field was initialized by
  memset(&aecm->farendOld[0][0], 0, 160);
But sizeof(short) is not guaranteed to be 1. This causes use of uninitialized memory on some platforms. According to MSAN, it can affect the output of the echo canceller.

The issue was found by the MSAN fuzzer. This change initializes the array properly.

TBR=aleloi@webrtc.org

(cherry picked from commit bc5c69f8e7a5b4b8b9dcfc979d8bff09ffb78daa)

Bug: chromium:805396
Change-Id: Ibcaca2185cfa153e8fd826e9addfc04d7b65e417
Reviewed-on: https://webrtc-review.googlesource.com/43860
Reviewed-by: Sam Zackrisson <saza@webrtc.org>
Commit-Queue: Alex Loiko <aleloi@webrtc.org>
Cr-Original-Commit-Position: refs/heads/master@{#21764}
Reviewed-on: https://webrtc-review.googlesource.com/54120
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/branch-heads/65@{#20}
Cr-Branched-From: 3ac67a736bb200ecf7c116a88b2f8d5c542973c8-refs/heads/master@{#21637}
[modify] https://crrev.com/dc31232fe5a8ebb3364e052aebbda0b30a9a7e7c/modules/audio_processing/aecm/echo_control_mobile.cc
Feb 15 2018
Feb 16 2018
Mar 27 2018
May 6 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 24 2018. Labels: Test-Predator-Auto-CC