Found while fuzzing m-c 20230808-b19ed5a6579d (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

The test case is packaged as a zip for bugmon.

Hit MOZ_CRASH(ElementAt(aIndex = 7, aLength = 0)) at /builds/worker/checkouts/gecko/mfbt/Assertions.cpp:51

#0 0x55d2be12b37f in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x55d2be12b37f in mozilla::detail::InvalidArrayIndex_CRASH(unsigned long, unsigned long) /gecko/mfbt/Assertions.cpp:50:3
#2 0x7fa11c2634aa in ElementAt /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1217:7
#3 0x7fa11c2634aa in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1248:12
#4 0x7fa11c2634aa in mozilla::FormatChunk::SampleRate() const /gecko/dom/media/wave/WaveDemuxer.cpp:665:33
#5 0x7fa11c25ded7 in mozilla::WAVTrackDemuxer::Init() /gecko/dom/media/wave/WaveDemuxer.cpp:141:33
#6 0x7fa11c25cf3e in mozilla::WAVDemuxer::InitInternal() /gecko/dom/media/wave/WaveDemuxer.cpp:35:25
#7 0x7fa11c25ec88 in mozilla::WAVDemuxer::Init() /gecko/dom/media/wave/WaveDemuxer.cpp:39:8
#8 0x7fa11b6ffc06 in operator() /gecko/dom/media/MediaFormatReader.cpp:788:47
#9 0x7fa11b6ffc06 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1690:29
#10 0x7fa1133cb78c in mozilla::TaskQueue::Runner::Run() /gecko/xpcom/threads/TaskQueue.cpp:257:20
#11 0x7fa1134205fb in nsThreadPool::Run() /gecko/xpcom/threads/nsThreadPool.cpp:343:14
#12 0x7fa11340e93f in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1193:16
#13 0x7fa11341c2a4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#14 0x7fa115017719 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
#15 0x7fa114e40e1a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
#16 0x7fa114e40e1a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
#17 0x7fa114e40e1a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
#18 0x7fa11340597a in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
#19 0x7fa13a5eab3f in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#20 0x7fa13ad7cb42 in start_thread nptl/pthread_create.c:442:8
#21 0x7fa13ae0dbb3 in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

Verified bug as reproducible on mozilla-central 20230808212319-b19ed5a6579d.
The bug appears to have been introduced in the following build range:

Start: d1fbe6c1f87656fb4f55677904f55f6df433ea9a (20230808155443)
End: 062a5e5729067f579bd6d1ab2f1a3021d7fd291a (20230808122031)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1fbe6c1f87656fb4f55677904f55f6df433ea9a&tochange=062a5e5729067f579bd6d1ab2f1a3021d7fd291a

Set release status flags based on info from the regressing bug 1839391

:padenot, since you are the author of the regressor, bug 1839391, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

https://hg.mozilla.org/mozilla-central/rev/7ea4796c78f5

Verified bug as fixed on rev mozilla-central 20230811095324-efb44db563b1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.