Closed Bug 1049309 Opened 10 years ago Closed 10 years ago

Crash in libstagefright demuxer

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Version:
29 Branch
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla34

People

(Reporter: cpearce, Assigned: cpearce)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Remove no-op code
1.21 KB, patch
ajones
: review+
Details | Diff | Splinter Review 
I managed to get a fatal assert:

xul.dll!__android_log_assert(const char * cond=0x13bf29e0, const char * tag=0x00000000, const char * fmt=0x13bf29fc, ...) Line 278	C
xul.dll!stagefright::Vector<stagefright::MPEG4Source::Sample>::operator[](unsigned int index=4294967295) Line 270	C++
xul.dll!stagefright::MPEG4Source::fragmentedRead(stagefright::MediaBuffer * * out=0x07c18e20, const stagefright::MediaSource::ReadOptions * options=0x0aee4d30) Line 3433	C++
xul.dll!stagefright::MPEG4Source::read(stagefright::MediaBuffer * * out=0x07c18e20, const stagefright::MediaSource::ReadOptions * options=0x0aee4d30) Line 3086	C++
xul.dll!mp4_demuxer::MP4Demuxer::DemuxVideoSample() Line 185	C++
xul.dll!mozilla::MP4Reader::PopSample(mp4_demuxer::TrackType aTrack=kVideo) Line 423	C++
xul.dll!mozilla::MP4Reader::Seek(__int64 aTime=168980000, __int64 aStartTime=0, __int64 aEndTime=181389622, __int64 aCurrentTime=3920890) Line 699	C++
xul.dll!mozilla::MediaDecoderStateMachine::DecodeSeek() Line 2071	C++
xul.dll!nsRunnableMethodImpl<void (__thiscall mozilla::MediaDecoderStateMachine::*)(void),void,1>::Run() Line 393	C++
xul.dll!mozilla::MediaTaskQueue::Runner::Run() Line 174	C++

Bug is in MPEG4Extractor.cpp:3433:

 Sample lastSample = mCurrentSamples[mCurrentSamples.size() - 1];

mCurrentSamples.size()==0, so the array index is out of bounds.
Looks like we can just remove that line, it looks like a no-op.
I'd already removed that somewhere. Obviously never landed the patch.
AFAICT this line of code has no side effects, other than crashing when mCurrentSamples.size() == 0.
Assignee: nobody → cpearce
Status: NEW → ASSIGNED
Attachment #8468222 - Flags: review?(ajones)
Attachment #8468222 - Flags: review?(ajones) → review+
https://hg.mozilla.org/mozilla-central/rev/519eac773cda
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: