Closed Bug 1181223 Opened 9 years ago Closed 9 years ago

Stagefright: CHECK(data_offset == data_end) failed in SampleTable.cpp

Categories

(Core :: Audio/Video: Playback, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: tsmith, Assigned: mozbugz)

References

Details

(Keywords: crash, testcase, Whiteboard: checkin after 1181719 but before 1181220, 1181215, 1181213)

Attachments

(3 files, 2 obsolete files)

Attached video test_case.mp4
A/SampleTable(34431): /builds/slave/m-cen-l64-asan-d-ntly-00000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp:604 CHECK(data_offset == data_end) failed.
Summary: CHECK(data_offset == data_end) failed in SampleTable.cpp → Stagefright: CHECK(data_offset == data_end) failed in SampleTable.cpp
Component: Audio/Video → Audio/Video: Playback
Gerald, here's another Stagefright bug.
Assignee: nobody → gsquelart
Priority: -- → P1
Attached patch 1181223-gtest.patch (obsolete) — Splinter Review
Part 1: Added gtest case.
Attachment #8683539 - Flags: review?(giles)
Part 2: Handle wrong saio/saiz size instead of assuming it is correct.
Attachment #8683543 - Flags: review?(giles)
I should probably have explained why the proposed fix just warns about the issue but continues processing past the oversized 'saio'/'saiz' box. I initially tried to treat it as an "ERROR_MALFORMED", which would stop processing and reject the file completely. But this made one particular test (test_eme_non_mse_fails.html) fail on almost all platforms: https://treeherder.mozilla.org/#/jobs?repo=try&revision=29ff724b97e9 My guess is that the test file might have a corrupt (but still usable) saio/saiz box, though the fact that it doesn't fail on Mac (my dev platform of course, making debugging "interesting") is worrying. Anyway, I decided to just warn&continue, because the box being larger than what its content needs is not a big problem (it shouldn't crash or expose an exploitable vulnerability). Also libstagefright should become obsolete soon, so trying to fix this properly could be a waste of time. But we should keep this in mind, in case the new mp4 metadata parser also makes test_eme_non_mse_fails.html fail because of a wrong saio/saiz size. Ralph, what do you think? Investigate now; open a bug; something else?
Flags: needinfo?(giles)
I'd open a new bug if you have time to investigate whether the test file is corrupt, but land this fix in the meantime. It's always good to clear up issues with the test. Or at least document if it's a broken file we need to support.
Flags: needinfo?(giles)
Attachment #8683539 - Flags: review?(giles) → review+
Comment on attachment 8683543 [details] [diff] [review] 1181223-handle-wrong-saio-saiz-size.patch Review of attachment 8683543 [details] [diff] [review]: ----------------------------------------------------------------- I assume the parser recovers by starting the next box at the declared boundary rather than being confused by the partial consumption.
Attachment #8683543 - Flags: review?(giles) → review+
(In reply to Ralph Giles (:rillian) from comment #6) Thank you for all the reviews today. > Comment on attachment 8683543 [details] [diff] [review] > 1181223-handle-wrong-saio-saiz-size.patch > > Review of attachment 8683543 [details] [diff] [review]: > ----------------------------------------------------------------- > > I assume the parser recovers by starting the next box at the declared > boundary rather than being confused by the partial consumption. Correct.
Clarified check-in comment, no actual changes; carrying r+.
Attachment #8683539 - Attachment is obsolete: true
Attachment #8683996 - Flags: review+
Added comment to explain that the parser will skip over the oversized box; no actual code changes; carrying r+.
Attachment #8683543 - Attachment is obsolete: true
Attachment #8683999 - Flags: review+
Keywords: checkin-needed
Whiteboard: checkin after 1181719 but before 1181220, 1181215, 1181213
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: