Breakpoint in media::Vp9Parser::ParseSuperframe
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5736943617572864

Fuzzer: libFuzzer_media_vp9_parser_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows
Crash Type: Breakpoint
Crash Address: 0xffffb20a5f0d2800
Crash State:
  media::Vp9Parser::ParseSuperframe
  media::Vp9Parser::ParseNextFrame
  vp9_parser_fuzzertest.cc
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5736943617572864

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Oct 12
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 12
Oct 15
M71 Beta promotion is coming VERY soon. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.
Oct 15
Oct 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fd1b40954eec2e50f861deb8b8f50a20099ff76b

commit fd1b40954eec2e50f861deb8b8f50a20099ff76b
Author: Ted Meyer <tmathmeyer@chromium.org>
Date: Tue Oct 16 03:29:44 2018

Dont crash on integer overflow

Simply return an empty buffer and log an error.

Bug: 894941
Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel
Change-Id: I02a70afb3f326c1a9a8b845f7bc8d1aa84cb5dad
Reviewed-on: https://chromium-review.googlesource.com/c/1281692
Commit-Queue: Ted Meyer <tmathmeyer@chromium.org>
Reviewed-by: Frank Liberato <liberato@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599833}

[modify] https://crrev.com/fd1b40954eec2e50f861deb8b8f50a20099ff76b/media/filters/vp9_parser.cc
Oct 16
Pls update bug with canary result tomorrow morning.
Oct 16
The NextAction date has arrived: 2018-10-16
Oct 16
ClusterFuzz has detected this issue as fixed in range 599827:599848.

Detailed report: https://clusterfuzz.com/testcase?key=5736943617572864

Fuzzer: libFuzzer_media_vp9_parser_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows
Crash Type: Breakpoint
Crash Address: 0xffffb20a5f0d2800
Crash State:
  media::Vp9Parser::ParseSuperframe
  media::Vp9Parser::ParseNextFrame
  vp9_parser_fuzzertest.cc
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=599827:599848
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5736943617572864

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 16
ClusterFuzz testcase 5736943617572864 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 16
[Auto-generated comment by a script] We noticed that this issue is targeted for M-71; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-71 label, otherwise remove Merge-TBD label. Thanks.
Oct 16
Is this change looking good in canary and safe to merge? If yes, pls request a merge to M71 ASAP so we can pick it up for tomorrow's release. Thank you.
Oct 16
Oct 16
should be pretty safe.
Oct 16
Approved for M71 branch 3578.
Oct 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0dadf32147311819fe504227825b35e593258867

commit 0dadf32147311819fe504227825b35e593258867
Author: Ted Meyer <tmathmeyer@chromium.org>
Date: Tue Oct 16 18:23:58 2018

Dont crash on integer overflow

Simply return an empty buffer and log an error.

Bug: 894941
Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel
Change-Id: I02a70afb3f326c1a9a8b845f7bc8d1aa84cb5dad
Reviewed-on: https://chromium-review.googlesource.com/c/1281692
Commit-Queue: Ted Meyer <tmathmeyer@chromium.org>
Reviewed-by: Frank Liberato <liberato@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#599833}
(cherry picked from commit fd1b40954eec2e50f861deb8b8f50a20099ff76b)
Reviewed-on: https://chromium-review.googlesource.com/c/1283935
Reviewed-by: Ted Meyer <tmathmeyer@chromium.org>
Cr-Commit-Position: refs/branch-heads/3578@{#47}
Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}

[modify] https://crrev.com/0dadf32147311819fe504227825b35e593258867/media/filters/vp9_parser.cc
Oct 16
Already merged to M71 at #18.
Oct 23
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0dadf32147311819fe504227825b35e593258867

Commit: 0dadf32147311819fe504227825b35e593258867
Author: tmathmeyer@chromium.org
Commiter: tmathmeyer@chromium.org
Date: 2018-10-16 18:23:58 +0000 UTC

Dont crash on integer overflow

Simply return an empty buffer and log an error.

Bug: 894941
Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel
Change-Id: I02a70afb3f326c1a9a8b845f7bc8d1aa84cb5dad
Reviewed-on: https://chromium-review.googlesource.com/c/1281692
Commit-Queue: Ted Meyer <tmathmeyer@chromium.org>
Reviewed-by: Frank Liberato <liberato@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#599833}
(cherry picked from commit fd1b40954eec2e50f861deb8b8f50a20099ff76b)
Reviewed-on: https://chromium-review.googlesource.com/c/1283935
Reviewed-by: Ted Meyer <tmathmeyer@chromium.org>
Cr-Commit-Position: refs/branch-heads/3578@{#47}
Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}
Comment 1 by ClusterFuzz, Oct 12