Mismatched free() / delete / delete [] in webrtc::RTPPacketHistory::Free()

Status: RESOLVED INVALID
Type: defect
Reporter: mitchwharper
Assignee: Unassigned
Keywords: valgrind
Version: 34 Branch
Platform: x86_64, Windows 8
Firefox Tracking Flags: Not tracked

Reporter

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141126041045



Actual results:

==6262== Mismatched free() / delete / delete []
==6262==    at 0x4C2C2BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x96F99F8: webrtc::RTPPacketHistory::Free() (new_allocator.h:110)
==6262==    by 0x96F9A8D: webrtc::RTPPacketHistory::~RTPPacketHistory() (rtp_packet_history.cc:36)
==6262==    by 0x97051F2: webrtc::RTPSender::~RTPSender() (rtp_sender.cc:112)
==6262==    by 0x970134A: webrtc::ModuleRtpRtcpImpl::~ModuleRtpRtcpImpl() (rtp_rtcp_impl.cc:117)
==6262==    by 0x9701364: webrtc::ModuleRtpRtcpImpl::~ModuleRtpRtcpImpl() (rtp_rtcp_impl.cc:134)
==6262==    by 0x96D18B8: webrtc::ViEChannel::~ViEChannel() (scoped_ptr.h:154)
==6262==    by 0x96D19E6: webrtc::ViEChannel::~ViEChannel() (vie_channel.cc:258)
==6262==    by 0x96D331D: webrtc::ViEChannelManager::DeleteChannel(int) (vie_channel_manager.cc:284)
==6262==    by 0x96C69B3: webrtc::ViEBaseImpl::DeleteChannel(int) (vie_base_impl.cc:216)
==6262==    by 0x845460D: mozilla::WebrtcVideoConduit::~WebrtcVideoConduit() (VideoConduit.cpp:140)
==6262==    by 0x845494C: mozilla::WebrtcVideoConduit::~WebrtcVideoConduit() (VideoConduit.cpp:173)
==6262==  Address 0x4970c5e0 is 0 bytes inside a block of size 1,172 alloc'd
==6262==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x40334E6: moz_xmalloc (mozalloc.cpp:52)
==6262==    by 0x8551F7D: std::vector<unsigned char, std::allocator<unsigned char> >::_M_default_append(unsigned long) (mozalloc.h:201)
==6262==    by 0x96FA4BA: webrtc::RTPPacketHistory::VerifyAndAllocatePacketLength(unsigned short) (stl_vector.h:667)
==6262==    by 0x96FA543: webrtc::RTPPacketHistory::PutRTPPacket(unsigned char const*, unsigned short, unsigned short, long, webrtc::StorageType) (rtp_packet_history.cc:130)
==6262==    by 0x9705001: webrtc::RTPSender::SendToNetwork(unsigned char*, int, int, long, webrtc::StorageType, webrtc::PacedSender::Priority) (rtp_sender.cc:946)
==6262==    by 0x970670D: webrtc::RTPSenderVideo::SendVideoPacket(unsigned char*, unsigned short, unsigned short, unsigned int, long, webrtc::StorageType, bool) (rtp_sender_video.cc:199)
==6262==    by 0x9707267: webrtc::RTPSenderVideo::SendVP8(webrtc::FrameType, signed char, unsigned int, long, unsigned char const*, unsigned int, webrtc::RTPFragmentationHeader const*, webrtc::RTPVideoTypeHeader const*) (rtp_sender_video.cc:487)
==6262==    by 0x970769E: webrtc::RTPSenderVideo::SendVideo(webrtc::RtpVideoCodecTypes, webrtc::FrameType, signed char, unsigned int, long, unsigned char const*, unsigned int, webrtc::RTPFragmentationHeader const*, webrtc::VideoCodecInformation*, webrtc::RTPVideoTypeHeader const*) (rtp_sender_video.cc:322)
==6262==    by 0x9704A2A: webrtc::RTPSender::SendOutgoingData(webrtc::FrameType, signed char, unsigned int, long, unsigned char const*, unsigned int, webrtc::RTPFragmentationHeader const*, webrtc::VideoCodecInformation*, webrtc::RTPVideoTypeHeader const*) (rtp_sender.cc:432)
==6262==    by 0x9700E2C: webrtc::ModuleRtpRtcpImpl::SendOutgoingData(webrtc::FrameType, signed char, unsigned int, long, unsigned char const*, unsigned int, webrtc::RTPFragmentationHeader const*, webrtc::RTPVideoHeader const*) (rtp_rtcp_impl.cc:595)
==6262==    by 0x9700EE0: webrtc::ModuleRtpRtcpImpl::SendOutgoingData(webrtc::FrameType, signed char, unsigned int, long, unsigned char const*, unsigned int, webrtc::RTPFragmentationHeader const*, webrtc::RTPVideoHeader const*) (rtp_rtcp_impl.cc:647)

Updated

5 years ago
Component: Untriaged → WebRTC
Product: Firefox → Core
Keywords: valgrind
Reporter

Comment 1

5 years ago
Valgrind command: `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox` on 34.0.5 release built for valgrind

Steps taken:
1. Start the browser
2. Open a new tab
3. Visit https://www.webrtc-experiment.com/RTCMultiConnection/MultiRTC/ in two separate tabs
4. Input the same room ID for both instances
5. Enable video and audio on the second tab, and allow access
6. Share my microphone and camera
7. Switch to other tab
8. Enable video and audio on first tab
9. Share camera and microphone
10. Preview camera from second user (this is where the first jump on uninitialized memory occurred)
11. Preview microphone from second user
12. Switch tabs
13. Preview camera and mic from first user
14. Exit browser

Invalid, caused by differential inlining of new vs delete.
Please use --show-mismatched-frees=no for the time being.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Group: core-security
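
A triage heuristic for the resolution above, as an added example that is not part of the bug report or of Mozilla's or Valgrind's code: it parses a Memcheck "Mismatched free" record and flags the pattern in this trace, where the block is freed through `operator delete` but the allocation stack shows `malloc` reached from a caller whose source location is an allocator wrapper header. The `WRAPPER_HEADERS` list, the function names and the verdict strings are assumptions; the sample record is abridged from the trace in this bug.

```python
import re

# Constructed sample: abridged from the Memcheck record in this bug.
REPORT = """\
==6262== Mismatched free() / delete / delete []
==6262==    at 0x4C2C2BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x96F99F8: webrtc::RTPPacketHistory::Free() (new_allocator.h:110)
==6262==  Address 0x4970c5e0 is 0 bytes inside a block of size 1,172 alloc'd
==6262==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x40334E6: moz_xmalloc (mozalloc.cpp:52)
==6262==    by 0x8551F7D: std::vector<unsigned char, std::allocator<unsigned char> >::_M_default_append(unsigned long) (mozalloc.h:201)
"""

# One stack frame: "==PID==    at|by 0xADDR: function (file:line | in object)"
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \((?:in )?([^()]*)\)$")
# Assumption: headers whose inline operator new forwards to malloc.
WRAPPER_HEADERS = ("mozalloc.h",)


def parse(report):
    """Split one 'Mismatched free' record into (free_frames, alloc_frames)."""
    free_frames, alloc_frames, current = [], [], None
    for line in report.splitlines():
        if "Mismatched free()" in line:
            current = free_frames
        elif line.rstrip().endswith("alloc'd"):
            current = alloc_frames
        else:
            m = FRAME.match(line.rstrip())
            if m and current is not None:
                current.append((m.group(1), m.group(2)))
    return free_frames, alloc_frames


def classify(report):
    """Return 'likely-inlining-artifact', 'needs-review' or 'unparsed'."""
    free_frames, alloc_frames = parse(report)
    if not free_frames or not alloc_frames:
        return "unparsed"
    freed_with_delete = free_frames[0][0].startswith("operator delete")
    allocated_with_malloc = alloc_frames[0][0] == "malloc"
    # A caller whose source location lies in a wrapper header means the
    # wrapper's operator new was inlined, so Memcheck only saw the malloc.
    via_inlined_new = any(
        loc.split(":")[0] in WRAPPER_HEADERS and not func.startswith("operator new")
        for func, loc in alloc_frames[1:]
    )
    if freed_with_delete and allocated_with_malloc and via_inlined_new:
        return "likely-inlining-artifact"
    return "needs-review"
```

The verdict is a triage hint only: a record classified `needs-review` still calls for reading the allocating and freeing code.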