Bug 1048517 (Closed): [libstagefright] |MPEG4Source::read| has several potential uninitialized variable errors
Opened 10 years ago; closed 10 years ago
Categories: Core :: Audio/Video, defect
Status: RESOLVED FIXED; target milestone mozilla34
People: Reporter: erahm, Assigned: ajones
References: Blocks 1 open bug
Keywords: coverity, sec-moderate
Whiteboard: [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496][adv-main34+]
Attachments: 6 files

Description
Coverity has flagged at least five potential uninitialized variable issues in |MPEG4Source::read| [1].
#1 - |offset| can be used uninitialized in buffer reads [2],[3]
#2 - |size| can be used uninitialized in buffer reads [2],[3]
#3 - |cts| can be used uninitialized when setting buffer metadata [4]
#4 - |duration| can be used uninitialized when setting buffer metadata [5]
#5 - |isSyncSample| can be used uninitialized in an if statement [6]
I will attach the Coverity analysis as well; it's somewhat convoluted, but generally the issues arise if we take the false branch of |if (!mIsAVC || mWantsNALFragments)| [7].
[1] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3079
[2] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3288
[3] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3290
[4] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3349
[5] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3351
[6] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3358
[7] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3280
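The bug class the report describes, shown in a hypothetical, much simplified C model of a demuxer read path. This is an added example, not code from the bug, its attachments, or libstagefright; the type and function names (SampleInfo, SampleTable, kSamples, demux_read, demux_sample_offset, demux_modes_agree) and the sample values are constructed for it. The defect shape (locals assigned on only one branch of the mode test and used afterwards) is kept as a comment because executing it is undefined behaviour; the runnable part is the hardened form, which zero-initialises the record, does the table lookup once before the mode branch, and returns a status so a caller never consumes a record that was not filled in.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified demuxer read path constructed for this example;
 * not the libstagefright MPEG4Source::read code. All names below are
 * assumptions of this model. */

typedef struct {
    int64_t  offset;               /* byte offset of the sample in the file */
    size_t   size;                 /* sample length in bytes                */
    uint32_t cts;                  /* composition timestamp                 */
    uint32_t duration;             /* sample duration                       */
    bool     is_sync_sample;       /* key-frame flag                        */
    bool     deliver_as_fragments; /* set by the read mode, not the table   */
} SampleInfo;

typedef struct {
    const SampleInfo *entries;
    size_t count;
} SampleTable;

/* Constructed sample index standing in for a parsed MP4 sample table. */
static const SampleInfo kSampleEntries[] = {
    { 4096, 1500,    0, 3000, true,  false },
    { 5596,  800, 3000, 3000, false, false },
    { 6396,  950, 6000, 3000, false, false },
};
static const SampleTable kSamples = { kSampleEntries, 3 };

/* Shape of the defect class (comment only: running it reads indeterminate
 * stack memory, which is undefined behaviour):
 *
 *     int64_t offset; size_t size; uint32_t cts, duration; bool isSync;
 *     if (!isAVC || wantsNALFragments) {
 *         // all five locals assigned from the sample table here
 *     }
 *     // on the other branch nothing assigned them, yet they are used:
 *     read_bytes(offset, size);      // stale bounds drive a buffer read
 *     set_metadata(cts, duration);   // stale timing lands in metadata
 *     if (isSync) { ... }            // stale flag steers control flow
 */

/* Hardened form: zero-initialised record, one table lookup before the mode
 * branch, every branch assigns every mode-dependent field, and a status code
 * tells the caller whether the record may be consumed at all. */
int demux_read(const SampleTable *table, size_t index, bool is_avc,
               bool wants_nal_fragments, SampleInfo *out)
{
    SampleInfo s = {0};               /* never carries stale stack contents */

    if (table == NULL || out == NULL || index >= table->count)
        return -1;                    /* *out is left untouched on failure */

    s = table->entries[index];        /* populated on every success path */
    if (s.size == 0)
        return -1;                    /* an empty record looks like an
                                         unfilled one: reject it */

    if (!is_avc || wants_nal_fragments) {
        s.deliver_as_fragments = true;
    } else {
        s.deliver_as_fragments = false; /* explicit, so no field depends on
                                           which branch was taken */
    }

    *out = s;
    return 0;
}

/* Scalar convenience wrapper: the sample offset, or -1 on failure. */
int64_t demux_sample_offset(const SampleTable *table, size_t index,
                            bool is_avc, bool wants_nal_fragments)
{
    SampleInfo s;
    if (demux_read(table, index, is_avc, wants_nal_fragments, &s) != 0)
        return -1;
    return s.offset;
}

/* The property the defect broke: for the same index, both read modes must
 * report identical table-derived bounds and metadata. */
bool demux_modes_agree(const SampleTable *table, size_t index)
{
    SampleInfo a, b;
    if (demux_read(table, index, false, true, &a) != 0) return false;
    if (demux_read(table, index, true, false, &b) != 0) return false;
    return a.offset == b.offset && a.size == b.size && a.cts == b.cts &&
           a.duration == b.duration && a.is_sync_sample == b.is_sync_sample;
}

int main(void)
{
    /* The last index is one past the end and must fail cleanly. */
    for (size_t i = 0; i <= kSamples.count; i++)
        printf("sample %zu: offset %lld, modes agree: %s\n", i,
               (long long)demux_sample_offset(&kSamples, i, true, false),
               demux_modes_agree(&kSamples, i) ? "yes" : "no");
    return 0;
}
```

Compiling the defect shape with warnings enabled (`-Wall -Wuninitialized` on GCC or Clang) catches the simple cases; the report notes that the real instances were only found by Coverity because the assignment and the use were separated by a convoluted control flow, which is why the hardened form moves the lookup in front of the branch rather than relying on the compiler to spot the gap.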
Comment 1 • 10 years ago (Reporter)
Comment 2 • 10 years ago (Reporter)
Comment 3 • 10 years ago (Reporter)
Comment 4 • 10 years ago (Reporter)
Comment 5 • 10 years ago (Reporter)
Updated • 10 years ago (Reporter)
Whiteboard: [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496] → [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496]
Comment 6 • 10 years ago (Assignee)
Attachment #8467364 - Flags: review?(erahm)
Updated • 10 years ago (Assignee)
Assignee: nobody → ajones
Status: NEW → ASSIGNED
Updated • 10 years ago
Keywords: sec-moderate
Updated • 10 years ago (Assignee)
Attachment #8467364 - Flags: review?(erahm) → review?(cpearce)
Updated • 10 years ago
Attachment #8467364 - Flags: review?(cpearce) → review+
Comment 7 • 10 years ago (Assignee)
Comment 8 • 10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox34: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Comment 9 • 10 years ago (Al Billings [:abillings])
How far back does this issue go?
Comment 10 • 10 years ago (Assignee)
(In reply to Al Billings [:abillings] from comment #9)
> How far back does this issue go?
It has always been pref'ed off in Firefox but this code is used on all Android phones in their system libraries. If this bug is exploitable then Fennec is exposed to it until we move away from using the system libstagefright MP4 demuxer.
Updated • 10 years ago
status-firefox-esr31: --- → ?
tracking-firefox-esr31: --- → -
Updated • 10 years ago
tracking-firefox-esr31: - → ---
Whiteboard: [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496] → [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496][adv-main34+]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
Updated • 6 years ago
Blocks: coverity-analysis