Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1e53b4ec05f2485450a177c372e38b6215341a1c (GMBVFPool: support I420A VideoFrames).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The problem uncovered by Asan, which I can repro on my machine, is that
we have a bunch of I420A videoframes, as expected, and then we get the
very last frame I420.  We don't expect that, and just try to access the
alpha channel and bam.

Attaching the webm that causes the failure (nothing mysterious with it,
it's out friendly bear).

Deleted: clusterfuzz-testcase-6542630163578880.webm 89.5 KB

	clusterfuzz-testcase-6542630163578880.webm 89.5 KB View Download

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ecd725db6011e2b5a6f8f569e8585c7eb0ab38f2

commit ecd725db6011e2b5a6f8f569e8585c7eb0ab38f2
Author: Miguel Casas <mcasas@chromium.org>
Date: Mon Aug 20 22:10:46 2018

GMBVFPool: bail if VideoFrame format forces change of OutputFormat

ClusterFuzz encountered an issue if a given VideoFrame comes and
causes a change of OutputFormat: in the bug below, an I420 VF
was received after a series of I420A ones, and caused a crash
when the alpha channel was accessed. This might happen more
generally if the received VideoFrames cause a change of
OutputFormat and we access what we don't have.

This CL addresses that by comparing the current |output_format_|
with what is derived out of the incoming VideoFrame. If they
differ, we just bail.

Bug:  875158 ,  875670 
Change-Id: I961b5bf95651a3888482957ee0b7acd48149d467
Reviewed-on: https://chromium-review.googlesource.com/1180543
Commit-Queue: Miguel Casas <mcasas@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#584574}
[modify] https://crrev.com/ecd725db6011e2b5a6f8f569e8585c7eb0ab38f2/media/video/gpu_memory_buffer_video_frame_pool.cc
[modify] https://crrev.com/ecd725db6011e2b5a6f8f569e8585c7eb0ab38f2/media/video/gpu_memory_buffer_video_frame_pool_unittest.cc

ClusterFuzz has detected this issue as fixed in range 584573:584574.

Detailed report: https://clusterfuzz.com/testcase?key=6542630163578880

Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x603000134ccc
Crash State:
  media::VideoFrame::visible_data
  media::CopyRowsToRGBABuffer
  base::internal::Invoker<base::internal::BindState<void
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=583622:583623
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=584573:584574

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6542630163578880

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6542630163578880 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Nice one! The VRP panel decided to award $1,000 for this, plus a $500 clusterfuzz bonus.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot