Crash in vp8_decode_mb_tokens
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5158965311438848

Fuzzer: libFuzzer_media_vpx_video_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x7ffc39dd20bb
Crash State:
  vp8_decode_mb_tokens
  [stack]

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=584315:584316

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5158965311438848

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Aug 20 (Sheriffbot):
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 20:
My change is nowhere near vp8_decode_mb_tokens, and in fact is in code that's not enabled by default.
Aug 21:
marpan: Can you take a look at this issue and assign a proper owner? Looks like it might be related to the libvpx roll in https://chromium.googlesource.com/webm/libvpx/+/6c62530c666fc0bcf4385a35a7c49e44c9f38cf5. Thanks.
Aug 21:
Have a fix here: https://chromium-review.googlesource.com/c/webm/libvpx/+/1165791/3

With the above fix, it's hanging at https://chromium.googlesource.com/webm/libvpx/+/6c62530c666fc0bcf4385a35a7c49e44c9f38cf5/vp8/decoder/threading.c#365

I'll take another look.
Aug 22:
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/ca9ab3fc46b2d3d839ff1e09660e83f146dd9a0b

commit ca9ab3fc46b2d3d839ff1e09660e83f146dd9a0b
Author: Jerome Jiang <jianj@google.com>
Date: Wed Aug 22 18:03:32 2018

Revert "vp8: Fix memory address overflow in decoder."

This reverts commit 45cf384738ad261de7d00769c19b9b2842af06a7.

BUG=875626, 875680, webm:1496
Change-Id: I78037b5e57dbf6cfe326b29beaad1128868f09f2

[modify] https://crrev.com/ca9ab3fc46b2d3d839ff1e09660e83f146dd9a0b/vp8/decoder/threading.c
Aug 22:
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8abf422373a5f872de1d91e16102ed908049fb5b

commit 8abf422373a5f872de1d91e16102ed908049fb5b
Author: Jerome Jiang <jianj@google.com>
Date: Wed Aug 22 23:14:23 2018

Roll src/third_party/libvpx/source/libvpx/ 6c62530c6..dbcb89be2 (28 commits)

https://chromium.googlesource.com/webm/libvpx.git/+log/6c62530c666f..dbcb89be244e

$ git log 6c62530c6..dbcb89be2 --date=short --no-merges --format='%ad %ae %s'
2018-08-22 jianj Revert "vp8: Fix memory address overflow in decoder."
2018-08-22 jingning Set refresh_frame_context flag off in show_existing_frame mode
2018-08-21 jingning Drop empty line in vp9_get_compressed_data()
2018-08-21 jingning Allow codec to skip temporal filter for intermediate ARFs
2018-08-21 jingning Control reference frame refresh flags for USE_BUF_FRAME
2018-08-21 jingning Safely swap the show frame buffer pointer in show_existing mode
2018-08-21 jingning Skip loop filter operation in show_existing_frame mode
2018-08-21 jingning Point show frame buffer towards existing frame buffer
2018-08-21 jingning Skip frame encoding when show_existing_frame is on
2018-08-21 jingning Add USE_BUF_FRAME enum to FRAME_UPDATE_TYPE
2018-08-20 jingning Unify set_arf_sign_bias function
2018-08-20 jingning Remove unneeded frame_till_gf_update_due assignment
2018-08-20 jingning Add multi_layer_arf flag
2018-08-20 jingning Add a comment in init_gop_frames()
2018-06-12 supradeep.tr Loopfilter MultiThread Optimization
2018-08-17 jingning Skip frame bit-stream writing for show-existing frame
2018-08-17 jingning Support code show_existing_frame in bit-stream header
2018-08-17 jingning Refactor init_gop_frame()
2018-08-17 jingning Clean up var define in apply_temporal_filter()
2018-08-17 jingning Add inline to mod_index()
(...)

Created with:
  roll-dep src/third_party/libvpx/source/libvpx

R=johannkoenig@google.com

BUG=875626, 875680
Change-Id: I4d395733d13462e248119791f9483396c0614f5b
Reviewed-on: https://chromium-review.googlesource.com/1185797
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Commit-Queue: Jerome Jiang <jianj@google.com>
Cr-Commit-Position: refs/heads/master@{#585297}

[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/DEPS
[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/third_party/libvpx/README.chromium
[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/third_party/libvpx/libvpx_srcs.gni
[modify] https://crrev.com/8abf422373a5f872de1d91e16102ed908049fb5b/third_party/libvpx/source/config/vpx_version.h
Aug 23 (ClusterFuzz):
ClusterFuzz testcase 5158965311438848 appears to be flaky, updating reproducibility label.
Aug 27:
The CL causing the crash has been reverted.
Dec 4 (Sheriffbot):
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Aug 19
Owner: cbiesin...@chromium.org
Status: Assigned (was: Untriaged)