Closed
Bug 1157551
Opened 9 years ago
Closed 9 years ago
AddressSanitizer: heap-use-after-free dom/media/test/test_eme_playback.html
Categories
(Core :: Audio/Video, defect)
Tracking: RESOLVED FIXED (Target Milestone: mozilla40)

Tracking | Status
---|---
firefox40 | fixed
People
(Reporter: jwwang, Assigned: jwwang)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf)
Attachments (2 files)
- 233.01 KB, text/plain
- 893 bytes, patch; eflores: review+
Found this bug when enabling FFmpegH264Decoder in test_eme_playback.html. https://treeherder.mozilla.org/logviewer.html#?job_id=6838952&repo=try See the attachment for the details.
Comment 1 • 9 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/file/570bb53a3e7b/dom/media/fmp4/ffmpeg/FFmpegH264Decoder.cpp#l157 The root cause is that the image is released again after it is freed, and the modification of the ref counter results in a UAF.
Comment 2 • 9 years ago (Assignee)
Per [1], pic.data[*] must be set to NULL in release_buffer().

[1] https://hg.mozilla.org/mozilla-central/file/570bb53a3e7b/dom/media/fmp4/ffmpeg/libav53/include/libavcodec/avcodec.h#l1731

Attachment #8596327 - Flags: review?(edwin) → review+
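The contract cited in comment 2 is the whole fix: once release_buffer() has dropped the codec's reference, the picture's data pointers must be cleared so that a second release cannot touch an image that may already be gone. The following is an added, constructed example (not Firefox's FFmpegH264Decoder code and not libav's real API); the Image, Picture, get_buffer(), release_buffer_buggy(), release_buffer_fixed() and run_sequence() names are stand-ins that mirror the refcounted get/release pattern the comments describe, with the Image header kept alive after its last reference only so the outcome can be inspected safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a refcounted decoder image (not the Firefox Image class). */
typedef struct {
    int refcnt;
    int freed;          /* set once the last reference has been dropped */
    unsigned char *buf; /* pixel storage the codec writes into */
} Image;

/* Constructed stand-in for the codec's picture struct: data[] are the planes
 * handed to the codec, opaque points back at the owning Image. */
typedef struct {
    unsigned char *data[4];
    Image *opaque;
} Picture;

static Image *image_new(size_t size) {
    Image *img = calloc(1, sizeof *img);
    img->buf = calloc(1, size);
    img->refcnt = 1;    /* the decoder's own reference */
    return img;
}

static void image_addref(Image *img) { img->refcnt++; }

static void image_release(Image *img) {
    if (--img->refcnt == 0) {
        /* Real code would free the Image here; we only free the pixel buffer
         * and mark the header so a later touch can be detected. */
        img->freed = 1;
        free(img->buf);
        img->buf = NULL;
    }
}

/* get_buffer: give the codec planes backed by img and take a reference for
 * the codec's hold on them. */
static int get_buffer(Picture *pic, Image *img) {
    image_addref(img);
    pic->opaque = img;
    pic->data[0] = img->buf;       /* constructed plane layout */
    pic->data[1] = img->buf + 32;
    pic->data[2] = img->buf + 48;
    pic->data[3] = NULL;
    return 0;
}

/* Buggy release: drops the reference but leaves data[] populated, so a second
 * call drops a reference the codec no longer owns. */
static void release_buffer_buggy(Picture *pic) {
    image_release(pic->opaque);
}

/* Fixed release: honour the contract from comment 2. A picture whose data[0]
 * is NULL has already been released, and releasing clears data[] so the
 * picture can never be released twice. */
static void release_buffer_fixed(Picture *pic) {
    if (pic->data[0] == NULL)
        return;
    image_release(pic->opaque);
    memset(pic->data, 0, sizeof pic->data);
    pic->opaque = NULL;
}

typedef struct {
    int final_refcnt;   /* 0 after a correct sequence; -1 after the buggy one */
    int freed_early;    /* 1 if the image was freed while the decoder still held it */
} Result;

/* Run: decoder creates an image, codec takes it, release_buffer is called
 * twice (the double release from comment 1), then the decoder drops its own
 * reference. Reports what the refcount did. */
static Result run_sequence(int use_fixed) {
    Result r;
    Image *img = image_new(64);
    Picture pic;
    memset(&pic, 0, sizeof pic);
    get_buffer(&pic, img);
    if (use_fixed) {
        release_buffer_fixed(&pic);
        release_buffer_fixed(&pic);
    } else {
        release_buffer_buggy(&pic);
        release_buffer_buggy(&pic);
    }
    r.freed_early = img->freed;    /* freed before the decoder let go? */
    image_release(img);            /* decoder drops its own reference */
    r.final_refcnt = img->refcnt;
    free(img->buf);                /* NULL in both paths; harmless */
    free(img);
    return r;
}

int main(void) {
    Result b = run_sequence(0), f = run_sequence(1);
    printf("buggy: final refcnt %d, freed early %d\n", b.final_refcnt, b.freed_early);
    printf("fixed: final refcnt %d, freed early %d\n", f.final_refcnt, f.freed_early);
    return 0;
}
```

In the buggy path the second release_buffer drives the count to zero while the decoder still holds the image, which is exactly the point at which the real code would free it and the later access becomes the heap-use-after-free ASan reported; the fixed path makes the second call a no-op, so the count only reaches zero when the last genuine owner lets go.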
Comment 3 • 9 years ago (Assignee)
Thanks.
Comment 5 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/ed2ff16c4826
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Updated • 7 years ago
Keywords: csectype-uaf

Updated • 4 years ago
Blocks: asan-maintenance