
Issue 825524

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


Heap-buffer-overflow in Decode

Project Member Reported by ClusterFuzz, Mar 24 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6293289825992704

Fuzzer: afl_audio_decoder_isac_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60b0000002b9
Crash State:
  Decode
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
  webrtc::AudioDecoder::Decode
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=506047:506068

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6293289825992704

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Mar 25 2018

Labels: M-66
Project Member

Comment 2 by sheriffbot@chromium.org, Mar 25 2018

Labels: Pri-1

Comment 3 by cthomp@chromium.org, Mar 26 2018

Components: Blink>WebRTC

Comment 4 by cthomp@chromium.org, Mar 26 2018

Owner: kwiberg@chromium.org
Status: Assigned (was: Untriaged)
kwiberg@: The last blame info for the line in isac.c:1270 from the stack trace is a bit old (2014?) but your name popped up. Could you please take a look? Thanks!
Cc: cthomp@chromium.org
I attempted to make a fix [https://webrtc-review.googlesource.com/c/src/+/66361], which doesn't break the test suite, and seems like it ought to catch the buffer overrun. But I can't reproduce the clusterfuzz error; I did

  /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6293289825992704

in a fresh Chromium checkout, but it just said that the test executed successfully. And I'm unfamiliar enough with this code that a machine confirmation that the CL actually fixes the bug would be very nice.
I built a fresh ASAN build of audio_decoder_isac_fuzzer on TOT chromium, and replicated the crash.

First, I ran `gn args out/asan`, and set:

enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_asan = true
is_debug = false
optimize_for_fuzzing = true
pdf_enable_xfa = true
proprietary_codecs = true
use_afl = true

And built the target:

ninja -C out/asan -j 2000 audio_decoder_isac_fuzzer

Then I set the ASAN options environment variable:

ASAN_OPTIONS="redzone=16:strict_string_check=1:strict_memcmp=1:allow_user_segv_handler=0:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:quarantine_size_mb=10:detect_odr_violation=0:handle_sigill=1:allocator_release_to_os_interval_ms=500:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=1:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1"

Then I ran the fuzzer binary on the minimized test case:

out/asan/audio_decoder_isac_fuzzer ~/clusterfuzz-testcase-audio_decoder_isac_fuzzer-6293289825992704

And got the AddressSanitizer: heap-buffer-overflow error.

Then I applied your patch to isac.c in WebRTC, rebuilt, and re-ran, and it appears to still reproduce. I might have missed a step to get the changes integrated, not sure (I just copy+pasted from the CL and re-ran the build command).

That isn't giving me symbolized stack traces, but I can check on how to get symbolized traces and get back to you. Hopefully that can help you repro and test on your end though.
Passing the output stack trace to tools/valgrind/asan/asan_symbolize.py (on stdin), I get the symbolized stack trace:

==41937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000002b9 at pc 0x0000006a8ea8 bp 0x7ffde3101430 sp 0x7ffde3101428
READ of size 1 at 0x60b0000002b9 thread T0
    #0 0x6a8ea7 in Decode /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c:1272:19
    #1 0x6a6d56 in WebRtcIsac_Decode /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c:1340:10
    #2 0x60d61b in webrtc::IsacFloat::DecodeInternal(WebRtcISACStruct*, unsigned char const*, unsigned long, short*, short*) /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac_float_type.h:41:12
    #3 0x60d44a in webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal(unsigned char const*, unsigned long, int, short*, webrtc::AudioDecoder::SpeechType*) /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/modules/audio_coding/codecs/isac/audio_decoder_isac_t_impl.h:53:7
    #4 0x3cf061 in webrtc::AudioDecoder::Decode(unsigned char const*, unsigned long, int, unsigned long, short*, webrtc::AudioDecoder::SpeechType*) /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/api/audio_codecs/audio_decoder.cc:91:10
    #5 0x60a0e1 in webrtc::FuzzAudioDecoder(webrtc::DecoderFunctionType, unsigned char const*, unsigned long, webrtc::AudioDecoder*, int, unsigned long, short*) /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/test/fuzzers/audio_decoder_fuzzer.cc:59:18
    #6 0x390ecd in webrtc::FuzzOneInput(unsigned char const*, unsigned long) /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc:20:3
    #7 0x60e320 in LLVMFuzzerTestOneInput /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/webrtc/test/fuzzers/webrtc_fuzzer_main.cc:39:3
    #8 0x392042 in ExecuteFilesOnyByOne(int, char**) /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/libFuzzer/src/afl/afl_driver.cpp:271:5
    #9 0x392912 in main /usr/local/google/home/cthomp/chromium/src/out/asan/../../third_party/libFuzzer/src/afl/afl_driver.cpp:308:12
    #10 0x7f6fc60192b0 in __libc_start_main ??:0:0

Thanks! Your walkthrough worked perfectly, except that piping the output through asan_symbolize.py didn't actually make it symbolized. But I managed to get the symbols by changing "symbolize=0" to "symbolize=1" in $ASAN_OPTIONS.

Now to figure out why my patch didn't work...
Status: Started (was: Assigned)
Aha. I was checking for an invalid offset with offset > length, but obviously (in hindsight) it needs to be offset >= length. The new version of the CL fixes the problem locally for me, and I'm running it through the try bots now.
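An added illustration, in C, of the off-by-one the comment above describes; this is example code written for this page, not WebRTC's iSAC source and not the CL linked in the thread. The frame format (one length byte followed by that many payload bytes), the function names, and the two sample streams are constructed for the example. The buffer passed to the walker carries one extra sentinel byte at buf[len], standing in for the byte past the real allocation, so the index that the `offset > length` check wrongly admits is recorded instead of being dereferenced past an allocation:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Example (not WebRTC code). A bounds check written as `offset > length`
 * still admits offset == length, which is one byte past the buffer; the
 * correct rejection is `offset >= length`. The frame layout below is
 * hypothetical: one length byte, then that many payload bytes.
 */

/* First attempt: rejects offset > len but admits offset == len. */
static int offset_ok_buggy(size_t offset, size_t len) {
    return !(offset > len);
}

/* Corrected check: every readable index satisfies offset < len. */
static int offset_ok_fixed(size_t offset, size_t len) {
    return !(offset >= len);
}

typedef struct {
    size_t frames;        /* complete frames consumed */
    size_t bytes_read;    /* payload bytes read */
    int touched_sentinel; /* 1 if any read landed on index len (past the end) */
} walk_result;

/*
 * Walk the frame stream with the supplied bound check. The caller provides
 * len + 1 readable bytes; buf[len] is a sentinel for "the byte past the
 * real allocation", so reading it is recorded here rather than being the
 * heap-buffer-overflow READ that ASan would report on a real buffer.
 */
static walk_result walk_frames(const uint8_t *buf, size_t len,
                               int (*offset_ok)(size_t, size_t)) {
    walk_result r = {0, 0, 0};
    size_t off = 0;
    while (offset_ok(off, len)) {
        if (off == len) r.touched_sentinel = 1;      /* header read past the end */
        uint8_t n = buf[off++];
        for (uint8_t i = 0; i < n; i++) {
            if (!offset_ok(off, len)) return r;      /* truncated payload: stop */
            if (off == len) r.touched_sentinel = 1;  /* payload read past the end */
            (void)buf[off++];
            r.bytes_read++;
        }
        r.frames++;
    }
    return r;
}

/* Constructed sample streams; the final 0xFF is the sentinel, not data. */
#define WELL_FORMED_LEN 5
static const uint8_t kWellFormed[WELL_FORMED_LEN + 1] = {2, 0xAA, 0xBB, 1, 0xCC, 0xFF};

/* Second frame claims 3 payload bytes but only 1 remains. */
#define TRUNCATED_LEN 5
static const uint8_t kTruncated[TRUNCATED_LEN + 1] = {2, 0xAA, 0xBB, 3, 0xCC, 0xFF};

int main(void) {
    const char *names[] = {"well-formed", "truncated"};
    const uint8_t *streams[] = {kWellFormed, kTruncated};
    size_t lens[] = {WELL_FORMED_LEN, TRUNCATED_LEN};
    for (int s = 0; s < 2; s++) {
        walk_result b = walk_frames(streams[s], lens[s], offset_ok_buggy);
        walk_result f = walk_frames(streams[s], lens[s], offset_ok_fixed);
        printf("%-11s buggy: frames=%zu bytes=%zu overread=%d | "
               "fixed: frames=%zu bytes=%zu overread=%d\n",
               names[s], b.frames, b.bytes_read, b.touched_sentinel,
               f.frames, f.bytes_read, f.touched_sentinel);
    }
    return 0;
}
```

With the buggy predicate the walker overreads even on the well-formed stream, because after the last frame `off == len` still passes the check and the next header byte is fetched from past the end; on the truncated stream it also reads one sentinel byte as payload. With `>=` both streams stop at the last valid index.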
Project Member

Comment 10 by bugdroid1@chromium.org, Apr 5 2018

The following revision refers to this bug:
  https://webrtc.googlesource.com/src.git/+/338f58d95ce6ac19b851c85e74fa780231b2a3aa

commit 338f58d95ce6ac19b851c85e74fa780231b2a3aa
Author: Karl Wiberg <kwiberg@webrtc.org>
Date: Thu Apr 05 13:22:53 2018

iSAC decoder: Don't read past the end of the buffer of encoded bytes

Bug: chromium:825524
Change-Id: Iff40a9fd62a34474af71b51dd3831a16412fbf3b
Reviewed-on: https://webrtc-review.googlesource.com/66361
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Commit-Queue: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22748}
[modify] https://crrev.com/338f58d95ce6ac19b851c85e74fa780231b2a3aa/modules/audio_coding/codecs/isac/main/source/isac.c

Status: Fixed (was: Started)
That CL fixed the bug for me locally, so let's hope the fuzzbots agree.
Project Member

Comment 12 by bugdroid1@chromium.org, Apr 6 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4123a5e9892f0353f62fe5b80a00f634ca891839

commit 4123a5e9892f0353f62fe5b80a00f634ca891839
Author: webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Fri Apr 06 06:32:58 2018

Roll src/third_party/webrtc/ 4c9b3c840..19aab2ee7 (16 commits)

https://webrtc.googlesource.com/src.git/+log/4c9b3c840df3..19aab2ee7c6b

$ git log 4c9b3c840..19aab2ee7 --date=short --no-merges --format='%ad %ae %s'

Created with:
  roll-dep src/third_party/webrtc
BUG=chromium:None,chromium:812974,chromium:827080,chromium:None,chromium:794210,chromium:825524


The AutoRoll server is located here: https://webrtc-chromium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_archive_rel_ng;master.tryserver.chromium.mac:mac_chromium_archive_rel_ng;master.tryserver.chromium.win:win-msvc-dbg
TBR=webrtc-chromium-sheriffs-robots@google.com

Change-Id: If6b26fb8305b2e0d8c796358684d52a63d181a77
Reviewed-on: https://chromium-review.googlesource.com/999352
Reviewed-by: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#548696}
[modify] https://crrev.com/4123a5e9892f0353f62fe5b80a00f634ca891839/DEPS

Project Member

Comment 13 by sheriffbot@chromium.org, Apr 6 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 14 by ClusterFuzz, Apr 7 2018

ClusterFuzz has detected this issue as fixed in range 548694:548699.

Detailed report: https://clusterfuzz.com/testcase?key=6293289825992704

Fuzzer: afl_audio_decoder_isac_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60b0000002b9
Crash State:
  Decode
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
  webrtc::AudioDecoder::Decode
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=506047:506068
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=548694:548699

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6293289825992704

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 15 by ClusterFuzz, Apr 7 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6293289825992704 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 16 by ClusterFuzz, Apr 7 2018

ClusterFuzz has detected this issue as fixed in range 548694:548699.

Detailed report: https://clusterfuzz.com/testcase?key=6293289825992704

Fuzzer: afl_audio_decoder_isac_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60b0000002b9
Crash State:
  Decode
  webrtc::AudioDecoderIsacT<webrtc::IsacFloat>::DecodeInternal
  webrtc::AudioDecoder::Decode
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=506047:506068
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=548694:548699

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6293289825992704

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -M-66 M-67
Labels: Release-0-M67
Project Member

Comment 19 by sheriffbot@chromium.org, Jul 13

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
