heap-use-after-free in [@ mozilla::WaveDataDecoder::ProcessDecode]
Categories
(Core :: Audio/Video: Playback, defect, P3)
Tracking
Version | Tracking | Status
---|---|---
firefox69 | --- | affected
People
(Reporter: tsmith, Unassigned)
This crash was found using the decoders' new libfuzzer media fuzzing interface (bug 1465407).
==8634==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000d01bc at pc 0x7fe323a76b0d bp 0x7fe27dc317d0 sp 0x7fe27dc317c8
READ of size 4 at 0x6110000d01bc thread T18 (MediaPD~oder #1)
#0 0x7fe323a76b0c in mozilla::WaveDataDecoder::ProcessDecode(mozilla::MediaRawData*) dom/media/platforms/agnostic/WAVDecoder.cpp:70:40
#1 0x7fe323ab83c0 in applyImpl<mozilla::WaveDataDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::WaveDataDecoder::*)(mozilla::MediaRawData *), StoreRefPtrPassByPtr<mozilla::MediaRawData> , 0> objdir-ff-fuzzing/dist/include/nsThreadUtils.h:1124:12
#2 0x7fe323ab83c0 in apply<mozilla::WaveDataDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::WaveDataDecoder::*)(mozilla::MediaRawData *)> objdir-ff-fuzzing/dist/include/nsThreadUtils.h:1130
#3 0x7fe323ab83c0 in Invoke objdir-ff-fuzzing/dist/include/mozilla/MozPromise.h:1293
#4 0x7fe323ab83c0 in mozilla::detail::ProxyRunnable<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::WaveDataDecoder::*)(mozilla::MediaRawData*), mozilla::WaveDataDecoder, mozilla::MediaRawData*>::Run() objdir-ff-fuzzing/dist/include/mozilla/MozPromise.h:1313
#5 0x7fe31a60c7ab in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:199:12
#6 0x7fe31a6500f4 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:244:14
#7 0x7fe31a6510a4 in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp
#8 0x7fe31a643d40 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1225:14
#9 0x7fe31a64b644 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
#10 0x7fe31bc9379e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:303:20
#11 0x7fe31bb02b9e in RunInternal ipc/chromium/src/base/message_loop.cc:315:10
#12 0x7fe31bb02b9e in RunHandler ipc/chromium/src/base/message_loop.cc:308
#13 0x7fe31bb02b9e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290
#14 0x7fe31a63b718 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:459:11
#15 0x7fe341c2ef48 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:201:5
#16 0x7fe34185f6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#17 0x7fe34083d88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1•5 years ago
This file will likely not reproduce the crash on a regular build. The libfuzzer fuzzing interface should be used to verify this bug. Feel free to ping me if needed.
Comment 2•5 years ago
The size indicates it may be a data read, but AudioInfo has virtual functions so guessing it could be sec-high if there are other accesses of this freed object.
Comment 3•5 years ago
Alastor can you please have a look at this bug?
Comment 4•5 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> The size indicates it may be a data read, but AudioInfo has virtual functions so guessing it could be sec-high if there are other accesses of this freed object.

Looks to me more like an incorrect use of the MediaDataDecoder interface from this fuzzing interface. The MediaDataDecoder states clearly that the MediaInfo object provided to a MediaDataDecoder must be valid for the entire duration of the MediaDataDecoder.
https://searchfox.org/mozilla-central/source/dom/media/platforms/agnostic/PlatformDecoderModule.h#234
"It is safe for a MediaDataDecoder to store a reference to the original MediaInfo"
Where is that fuzzing code?
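To make the lifetime contract from comment 4 concrete, here is an added example (not Mozilla code; `AudioInfo`, `Decoder` and `DecoderSession` are stand-ins for the real types and their fields are assumed): a decoder that keeps a reference to its info, the harness shape that dangles that reference, and a harness shape that owns the info for the decoder's whole lifetime.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for mozilla::AudioInfo (fields assumed for the example).
struct AudioInfo {
  uint32_t mRate = 0;
  uint32_t mChannels = 0;
};

// Stand-in for WaveDataDecoder: it stores a *reference* to the info it was
// constructed with, which the MediaDataDecoder contract explicitly permits.
class Decoder {
 public:
  explicit Decoder(const AudioInfo& aInfo) : mInfo(aInfo) {}
  // Frames in a PCM16 buffer. Reads mInfo on every call, so if the caller let
  // the AudioInfo die this read is exactly the heap-use-after-free in the report.
  size_t Decode(const uint8_t* /*aData*/, size_t aLen) const {
    size_t frameBytes = static_cast<size_t>(mInfo.mChannels) * 2;
    return frameBytes ? aLen / frameBytes : 0;
  }
 private:
  const AudioInfo& mInfo;  // reference, not a copy: caller owns the lifetime
};

// Broken harness shape (do not write this): the info is a temporary, so it is
// gone before the first Decode() call.
//   Decoder dec{AudioInfo{44100, 2}};   // reference to a dead object
//   dec.Decode(buf, len);              // use-after-free / dangling read
//
// Correct shape: one owner holds info and decoder together, with the info
// declared first so it is constructed before and destroyed after the decoder.
struct DecoderSession {
  AudioInfo info;   // must precede `decoder`; member order fixes lifetime order
  Decoder decoder;
  DecoderSession(uint32_t aRate, uint32_t aChannels)
      : info{aRate, aChannels}, decoder(info) {}
};

// One fuzz-style iteration over a constructed input: byte 0 = channels,
// byte 1 = rate in 8 kHz units, rest = PCM payload. Returns frames decoded,
// or 0 for malformed input.
size_t RunOneInput(const std::vector<uint8_t>& aInput) {
  if (aInput.size() < 2) return 0;
  uint32_t channels = aInput[0];
  uint32_t rate = 8000u * aInput[1];
  if (channels == 0 || channels > 8 || rate == 0) return 0;
  DecoderSession session(rate, channels);  // info outlives decoder by construction
  return session.decoder.Decode(aInput.data() + 2, aInput.size() - 2);
}
```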