
opening a wav file mistakenly named as mp3, instantly crashes FF

RESOLVED DUPLICATE of bug 976023

Status

Firefox
Untriaged
3 years ago

People

(Reporter: Andrea Gronchi, Unassigned)

Tracking

31 Branch
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8488719
this_is_a_wav.mp3

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20140716183446

Steps to reproduce:

Just have the browser load the resource. This happens by opening the file directly or by loading it via JavaScript, or an <audio> tag in a web page. This has only been verified by loading the file locally, therefore with no MIME info sent via headers.


Actual results:

Instant crash. 

This is readable in the dmesg (OSX): 

firefox (map: 0xffffff80161afde8) triggered DYLD shared region unnest for map: 0xffffff80161afde8, region 0x7fff83000000->0x7fff83200000. While not abnormal for debuggers, this increases system memory footprint until the target exits.




Expected results:

Figure out the deduced file is not an MP3 but a WAV containing a PCM track, and play it.

Comment 1

3 years ago
Is the Mozilla crash reporter triggered? If so please use about:crashes to link us to the crash report.
Flags: needinfo?(neta)

Comment 2

3 years ago
Trying this in Windows Nightly I get "Video can't be played because file is corrupt."
(Reporter)

Comment 3

3 years ago
Apparently the crash reporter did not trigger; however, I am able to see the streak of reports in about:crashes.

Here is a clean one:
https://crash-stats.mozilla.com/report/index/938df792-e0bc-449c-a3d5-4006b2140912
Flags: needinfo?(neta)

Comment 4

3 years ago
Thank you! This is not an exploitable crash (it's a null-dereference), and it's specific to mac MP3 code. I'm going to mark this bug duplicate of an existing bug tracking this crash signature, and let them know that you have reliable STR.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 976023
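The behaviour the report asks for, classifying media by its leading bytes instead of its file extension and failing closed on a missing or truncated buffer, can be sketched as follows. This is an added example, not Firefox's code; `sniff_audio` and the `audio_fmt` enum are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical result type for this added example. */
typedef enum { FMT_UNKNOWN = 0, FMT_WAV_PCM, FMT_WAV_OTHER, FMT_MP3 } audio_fmt;

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify by content only; the file name is never consulted. */
audio_fmt sniff_audio(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 4) return FMT_UNKNOWN;  /* fail closed, no dereference */

    if (len >= 12 && memcmp(buf, "RIFF", 4) == 0 && memcmp(buf + 8, "WAVE", 4) == 0) {
        size_t off = 12;
        /* Walk RIFF chunks looking for "fmt "; every read is bounds-checked. */
        while (len - off >= 8) {
            uint32_t size = rd_le32(buf + off + 4);
            if (memcmp(buf + off, "fmt ", 4) == 0) {
                if (size < 2 || len - off - 8 < 2) return FMT_WAV_OTHER;
                /* wFormatTag 1 means uncompressed PCM. */
                return rd_le16(buf + off + 8) == 1 ? FMT_WAV_PCM : FMT_WAV_OTHER;
            }
            size_t adv = (size_t)size + (size & 1);  /* chunks are word-aligned */
            if (adv > len - off - 8) break;          /* truncated or lying size */
            off += 8 + adv;
        }
        return FMT_WAV_OTHER;
    }
    if (memcmp(buf, "ID3", 3) == 0) return FMT_MP3;  /* ID3v2 tag precedes frames */
    /* MPEG frame header: 11 sync bits, Layer III, and no reserved
       version, bitrate or sample-rate values. */
    if (buf[0] == 0xFF && (buf[1] & 0xE0) == 0xE0 && (buf[1] & 0x18) != 0x08 &&
        (buf[1] & 0x06) == 0x02 && (buf[2] & 0xF0) != 0xF0 && (buf[2] & 0x0C) != 0x0C)
        return FMT_MP3;
    return FMT_UNKNOWN;
}
```

A caller would route the stream to a decoder based on the returned value and reject `FMT_UNKNOWN` with an error instead of handing the data to a decoder chosen from the extension.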