Closed Bug 1066319 Opened 10 years ago Closed 10 years ago

crash in OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*)

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Version:
34 Branch
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla35
Tracking Flags:
Tracking Status
firefox32 --- unaffected
firefox33 --- unaffected
firefox34 + verified
firefox35 + verified

People

(Reporter: lizzard, Assigned: rillian)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file, 3 obsolete files)

Reject samples with unreasonable sizes. v4
3.39 KB, patch
ajones
: review+
lmandel
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-8c6c9625-d0fe-4238-8a8c-c1e702140905.
=============================================================
This crash signature first appeared on 2014-08-29 with the 2014082803 build. It's showing up on Firefox 34 and 35. Most of the urls for the crashes are for YouTube videos. 

Regression window from mozilla-central: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0753f7b93ab7&tochange=3be45b58fc47


Crashing thread:
0 	mozalloc.dll 	mozalloc_abort(char const* const) 	memory/mozalloc/mozalloc_abort.cpp
1 	mozalloc.dll 	mozalloc_handle_oom(unsigned int) 	memory/mozalloc/mozalloc_oom.cpp
2 	mozalloc.dll 	moz_xmalloc 	memory/mozalloc/mozalloc.cpp
3 	xul.dll 	stagefright::MPEG4Source::start(stagefright::MetaData*) 	media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
4 	xul.dll 	mp4_demuxer::MP4Demuxer::Init() 	media/libstagefright/binding/mp4_demuxer.cpp
5 	xul.dll 	mozilla::MP4Reader::ReadMetadata(mozilla::MediaInfo*, nsDataHashtable<nsCStringHashKey, nsCString>**) 	content/media/fmp4/MP4Reader.cpp
6 	xul.dll 	mozilla::MediaDecoderStateMachine::DecodeMetadata() 	content/media/MediaDecoderStateMachine.cpp
7 	xul.dll 	mozilla::MediaDecoderStateMachine::CallDecodeMetadata() 	content/media/MediaDecoderStateMachine.cpp
8 	xul.dll 	nsRunnableMethodImpl<tag_nsresult ( nsMemoryReporterManager::*)(void), void, 1>::Run() 	xpcom/glue/nsThreadUtils.h
9 	xul.dll 	mozilla::MediaTaskQueue::Runner::Run() 	content/media/MediaTaskQueue.cpp
10 	xul.dll 	nsThreadPool::Run() 	xpcom/threads/nsThreadPool.cpp
11 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
12 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
13 	xul.dll 	_SEH_epilog4
There are also some similar signatures showing up on the same day on Android.
Crash Signature: [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*)] → [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*)] [@ abort | abort | __android_log_assert | stagefright::MPEG4Source::start(stagefright::MetaDa…
Probably MPEG4Extractor.cpp:2504

    mSrcBuffer = new uint8_t[max_size];

We read max_size from the file, or estimate it if it's zero. It's possible files with corrupt values are asking for too large a buffer.
Assignee: nobody → giles

        Attachment #8488883 -
        Flags: review?(ajones)

    
    

    
  


  
Also handle overflow.

        Attachment #8488883 -
        Attachment is obsolete: true

        Attachment #8488883 -
        Flags: review?(ajones)

        Attachment #8488888 -
        Flags: review?(ajones)

    
    

    
  
Comment on attachment 8488888 [details] [diff] [review]
Reject samples with unreasonable sizes. v2

Review of attachment 8488888 [details] [diff] [review]:
-----------------------------------------------------------------

::: media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ +41,5 @@
>  namespace stagefright {
>  
> +// Reject samples with unreasonable size table entries.
> +#define INPUT_SIZE_LIMIT (4*3110400)
> +#define INPUT_SIZE_INVALID(size) (size <= 0 || size >= INPUT_SIZE_LIMIT)

This should be a function rather than a #define. Make it inline if you prefer. Either add a comment about where the number comes from or show it as something like 4 * (1080 * 1920) * 3 / 2 to at least give some kind of hint.

Suggestions: I wouldn't bother defining a constant separately. Consider that INPUT_SIZE_LIMIT doesn't add any information compared to INPUT_SIZE_INVALID. Additionally I'd prefer we give things affirmative names such as ValidInputSize() and then !ValidInputSize().

        Attachment #8488888 -
        Flags: review?(ajones) → review+

    
    

    
  


  
Make validation check a function, and document size constant inline.

> Either add a comment about where the number comes from or show it as
> something like 4 * (1080 * 1920) * 3 / 2 to at least give some kind of hint.

I was just following local style. :-)

v2 patch was green on try. https://tbpl.mozilla.org/?tree=Try&rev=e0604057d776

        Attachment #8488888 -
        Attachment is obsolete: true

        Attachment #8489022 -
        Flags: review?(ajones)

    
    

    
  


  
Fix typo, conform to more local style.

        Attachment #8489022 -
        Attachment is obsolete: true

        Attachment #8489022 -
        Flags: review?(ajones)

        Attachment #8489027 -
        Flags: review?(ajones)

    
    

    
  
(In reply to Ralph Giles (:rillian) from comment #6)
> I was just following local style. :-)

Stupid stagefright.

        Attachment #8489027 -
        Flags: review?(ajones) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2a7fe756a652
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35

    
    

    
  
Liz, can you verify this fixes the crash, or provide STR so I can?
Flags: needinfo?(lhenry)

    
    

    
  
Hi Ralph! I will follow up by checking crash stats over the next few days. I don't have good STR so will verify off of crash-stats to see if any crashes happen in later builds from this list : 

https://crash-stats.mozilla.com/report/list?product=Firefox&signature=OOM+|+large+|+mozalloc_abort%28char+const*+const%29+|+mozalloc_handle_oom%28unsigned+int%29+|+moz_xmalloc+|+stagefright%3A%3AMPEG4Source%3A%3Astart%28stagefright%3A%3AMetaData*%29#tab-table

Do you want to try uplifting it to Aurora as well?
Flags: needinfo?(lhenry) → needinfo?(giles)

    
    

    
  
Great, thanks. Yes, we should uplift.
Flags: needinfo?(giles)

    
    

    
  
Comment on attachment 8489027 [details] [diff] [review]
Reject samples with unreasonable sizes. v4

Approval Request Comment

[Feature/regressing bug #]: 1043696

[User impact if declined]: Viewing some videos will crash the browser.

[Describe test coverage new/current, TBPL]: Landed on m-c. Manual testing. No automated coverage.

[Risks and why]: Risk is low. This is a clean change to better handle errors. We don't have good steps-to-reproduce, so this may not address the complete problem, but the code is clearly better with the patch. 

[String/UUID change made/needed]: none.

        Attachment #8489027 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Do we have enough data from crash-stats to verify this fix yet?
Flags: needinfo?(lhenry)

    
    

    
  
Yes, I can verify this for 35, and there are still a few crashes on Aurora in the 2014091700 and 2014091600 builds.

          status-firefox35:
          fixedverified
Flags: needinfo?(lhenry)

    
    

    
  
Thanks, Liz!

    
    

    
  
Comment on attachment 8489027 [details] [diff] [review]
Reject samples with unreasonable sizes. v4

Now that this has been verified on m-c, Aurora+.

        Attachment #8489027 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
    

    
  
Looking in Socorro I see the following data:

1. OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*)
- NO crashes in versions 35 or 34 for builds after 19.09

2. abort | abort | __android_log_assert | stagefright::MPEG4Source::start(stagefright::MetaData*)
- 156 crashes in version 34 for builds after 19.09

3. abort | abort | __android_log_assert | stagefright::VectorImpl::itemLocation(unsigned int)
- 275 in versions 35 or 34 for builds after 19.09

Any thoughts?

    
    

    
  
I think there is more to do here, but this seems to have had a positive effect. 
We should report the 2nd and 3rd crash sigs in a different bug. 
Ralph, does that sound reasonable?
Flags: needinfo?(giles)

    
    

    
  
Please do. That number 2 is 34-specific suggests there's something we need to backport. Number 3 looks like an unknown bug.
Flags: needinfo?(giles)

    
    

    
  
Filled 2 bugs for the two signatures. Marking this as Verified.
Status: RESOLVED → VERIFIED

          status-firefox34:
          fixedverified

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: