Timeout in audio_decoder_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5815491357310976
Fuzzer: libFuzzer_audio_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State: audio_decoder_fuzzer
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=546309:546321
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5815491357310976

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Mar 29 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/4b5068a99a84ff2edb34aa0549afc89aa751ccb4 (Add audio_decoder_fuzzer fuzz target.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Apr 4 2018
Apr 24 2018
Apr 30 2018
I repro'd this locally. flac_parse gets into a state where it:
- has buffered 11 (> FLAC_MIN_HEADERS) headers
- still has data left in the input buffer -- these cause it not to try to read more headers
- doesn't score any of the headers > 0
It takes no action, waiting for it to be called with better headers that it's not bothering to read. I sent this over to Michael for advice. Increasing FLAC_MIN_HEADERS causes it to continue, but it enters flac_parse with a negative input buffer size sometimes. That seems like a different, and possibly worse, bug.
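The no-progress state described in the comment above, modelled as an added toy example (this is hypothetical C written for this page, not FFmpeg's flac_parser.c): a parser step that has enough candidate headers buffered, refuses to read more while input remains, scores none of them usable, and then consumes nothing and emits nothing. A driver loop that does not bound zero-progress calls spins until the fuzzer's timeout; the `consume_on_error` flag models the "consume the rest of the input on the error path" behaviour of the patch discussed later in this thread. Names such as `toy_parser`, `MIN_HEADERS`, `score_header` and the sample input are assumptions made for the example.

```c
/*
 * Added example, not FFmpeg code: a toy model of a parser that can stop
 * making progress. MIN_HEADERS stands in for FLAC_MIN_HEADERS; the scoring
 * rule and the input bytes are constructed for illustration only.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_HEADERS 10      /* hypothetical stand-in for FLAC_MIN_HEADERS */
#define MAX_NO_PROGRESS 3   /* zero-progress calls tolerated before giving up */

struct toy_parser {
    int nb_headers;        /* candidate headers buffered so far */
    int best_score;        /* best score among the buffered headers */
    int consume_on_error;  /* 1 = consume the remaining input when nothing scored */
};

/* Hypothetical scoring: a 4-byte "header" scores 1 if it starts with a
 * sync-code-like pair 0xFF 0xF8/0xF9, otherwise 0. */
static int score_header(const uint8_t *p, size_t n) {
    return (n >= 4 && p[0] == 0xFF && (p[1] & 0xFE) == 0xF8) ? 1 : 0;
}

/*
 * One parser call. Returns the number of input bytes consumed and sets
 * *out_size to the bytes of output produced:
 *  - while fewer than MIN_HEADERS headers are buffered, read one per call
 *  - once enough are buffered, emit a frame only if some header scored > 0
 *  - otherwise (the bug) consume nothing and wait for "better" headers
 *    that will never be read, because no more are read while input is left
 */
static int toy_parse(struct toy_parser *p, const uint8_t *buf, int buf_size, int *out_size) {
    *out_size = 0;
    if (buf_size <= 0)
        return 0;
    if (p->nb_headers < MIN_HEADERS) {
        int n = buf_size < 4 ? buf_size : 4;
        int s = score_header(buf, (size_t)n);
        if (s > p->best_score)
            p->best_score = s;
        p->nb_headers++;
        return n;                       /* progress: one header read */
    }
    if (p->best_score > 0) {
        *out_size = buf_size;           /* emit the buffered data as a frame */
        p->nb_headers = 0;
        p->best_score = 0;
        return buf_size;
    }
    /* error path: enough headers buffered, none of them usable */
    return p->consume_on_error ? buf_size : 0;
}

/* Drive the parser over a whole buffer. Returns total output bytes, or -1
 * when the parser made no progress MAX_NO_PROGRESS times in a row. */
static int drive(struct toy_parser *p, const uint8_t *data, int len) {
    int pos = 0, total_out = 0, stuck = 0;
    while (pos < len) {
        int out = 0;
        int used = toy_parse(p, data + pos, len - pos, &out);
        total_out += out;
        if (used == 0 && out == 0) {
            if (++stuck >= MAX_NO_PROGRESS)
                return -1;              /* would spin until the fuzzer timeout */
        } else {
            stuck = 0;
        }
        pos += used;
    }
    return total_out;
}

/* Constructed input: 64 zero bytes (MIN_HEADERS+ headers that all score 0,
 * plus trailing data); with_sync plants one scoring header at the start. */
static int run_case(int consume_on_error, int with_sync) {
    uint8_t data[64];
    memset(data, 0x00, sizeof data);
    if (with_sync) {
        data[0] = 0xFF;
        data[1] = 0xF8;
    }
    struct toy_parser p = { 0, 0, consume_on_error };
    return drive(&p, data, (int)sizeof data);
}

int main(void) {
    printf("buggy, no usable headers: %d (-1 = stuck)\n", run_case(0, 0));
    printf("fixed, no usable headers: %d output bytes\n", run_case(1, 0));
    printf("usable header present:    %d output bytes\n", run_case(0, 1));
    return 0;
}
```

The point of the bounded driver loop is that a parser contract of "return bytes consumed, possibly 0" only terminates if every zero-consumption return is paired with some other state change; the toy shows the livelock and the two ways out of it (the error path consuming input, or a usable header finally scoring).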
May 2 2018
May 10 2018
May 10 2018
Any updates from Michael here?
May 10 2018
The following patch fixes this, but defer to Michael:
diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c
index 84da23f327..753b6c6c7a 100644
--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@@ -715,7 +715,11 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx,
handle_error:
*poutbuf = NULL;
*poutbuf_size = 0;
- return buf_size ? read_end - buf : 0;
+ if (!buf_size)
+ return 0;
+ if (read_end - buf)
+ return read_end - buf;
+ return buf_size;
}
static av_cold int flac_parse_init(AVCodecParserContext *c)
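Review bot: `if (!buf_size)` only catches a zero-length input, so the negative buf_size reported earlier in this thread falls through to the later returns, and `if (read_end - buf)` is likewise true for a negative difference; consider `if (buf_size <= 0) return 0;` and `if (read_end > buf) return read_end - buf;`. The final `return buf_size;` also silently discards every unparsed byte on the error path, which needs a comment explaining why skipping that data is acceptable rather than resetting the buffered-header state and retrying.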
May 10 2018
Looks like upstream has a fix too, https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/15a2e35e9e74bba5a27e39c26da5be2361f27945
Jun 12 2018
ClusterFuzz has detected this issue as fixed in range 565364:565379.

Detailed report: https://clusterfuzz.com/testcase?key=5815491357310976
Fuzzer: libFuzzer_audio_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State: audio_decoder_fuzzer
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=546309:546321
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=565364:565379
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5815491357310976

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 12 2018
ClusterFuzz testcase 5815491357310976 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Mar 29 2018. Labels: Test-Predator-Auto-Components