Closed Bug 1186716 Opened 5 years ago Closed 5 years ago

Stagefright: NULL deref crash in DecodeSPSFromExtraData

Categories: Core :: Audio/Video: Playback, defect, P1
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: mozilla43
Tracking Status: firefox42 --- fixed; firefox43 --- fixed
People: Reporter: tsmith, Assigned: rillian
Keywords: crash, csectype-nullptr
Attachments: 2 files

==22339==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa2afea5aeb sp 0x7fa2551e5940 bp 0x7fa2551e5a30 T190)
    #0 0x7fa2afea5aea in Hdr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/media/libstagefright/../../dist/include/nsTArray.h:488
    #1 0x7fa2afea85b1 in DecodeSPSFromExtraData /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/binding/H264.cpp:500
    #2 0x7fa2b4a806ba in AccumulateSPSTelemetry /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:38
    #3 0x7fa2b4a82f06 in MP4TrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:227
    #4 0x7fa2b4a817a1 in GetTrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:145
    #5 0x7fa2b4657a26 in OnDemuxerInitDone /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/MediaFormatReader.cpp:309
    #6 0x7fa2b46cd1f6 in RejectValue /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:433
    #7 0x7fa2b46cadd2 in DoResolveOrReject /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:383
    #8 0x7fa2b46ca77f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:316
    #9 0x7fa2b45cdd0a in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:180
    #10 0x7fa2b4765995 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/TaskQueue.cpp:257
    #11 0x7fa2b00853d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
    #12 0x7fa2b008578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
    #13 0x7fa2b007f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #14 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #15 0x7fa2b095755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #16 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #17 0x7fa2b007b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #18 0x7fa2be8a8135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #19 0x7fa2c1dcfe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
    #20 0x7fa2c0ecc31c in ?? /build/buildd/eglibc-2.15/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:112

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T190 (MediaPl~back #4) created by T185 (MediaPl~back #2) here:
    #0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
    #1 0x7fa2be8a4abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fa2be8a463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fa2b007cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7fa2b0082cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7fa2b00843be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
    #6 0x7fa2b0085c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
    #7 0x7fa2b4765d30 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
    #8 0x7fa2b00853d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
    #9 0x7fa2b008578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
    #10 0x7fa2b007f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #11 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #12 0x7fa2b095755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #13 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #14 0x7fa2b007b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #15 0x7fa2be8a8135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #16 0x7fa2c1dcfe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308

Thread T185 (MediaPl~back #2) created by T0 here:
    #0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
    #1 0x7fa2be8a4abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fa2be8a463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fa2b007cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7fa2b0082cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7fa2b00843be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
    #6 0x7fa2b0085c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
    #7 0x7fa2b47640f9 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
    #8 0x7fa2b4728bec in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/mozilla/TaskQueue.h:47
    #9 0x7fa2b45cd67c in DispatchTaskGroup /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:232
    #10 0x7fa2b45cc322 in ~AutoTaskDispatcher /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:87
    #11 0x7fa2b45cb471 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/Maybe.h:373
    #12 0x7fa2b45cb610 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:621
    #13 0x7fa2b5625125 in assign_assuming_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/widget/../dist/include/nsCOMPtr.h:336
    #14 0x7fa2b5625ccd in AfterProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.h:95
    #15 0x7fa2b007f7a0 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:881
    #16 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #17 0x7fa2b09565e9 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #18 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #19 0x7fa2b56238d7 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #20 0x7fa2b73800f8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280
    #21 0x7fa2b7488e17 in XRE_mainRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4288
    #22 0x7fa2b7489e75 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4385
    #23 0x7fa2b748acf5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4474
    #24 0x48a6e4 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #25 0x7fa2c0df976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226

==22339==ABORTING
Attached video test_case.mp4
Assignee: nobody → giles
Priority: -- → P1
Attachment #8659237 - Flags: review?(giles) → review+
https://hg.mozilla.org/mozilla-central/rev/c08859c58682
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment on attachment 8659237 [details] [diff] [review]
Error if SPS NAL parsing failed.

Approval Request Comment
[Feature/regressing bug #]: 1111328
[User impact if declined]: Crash on badly formed h264 content
[Describe test coverage new/current, TreeHerder]: Local test, in central
[Risks and why]: Very low; just checking for null value
[String/UUID change made/needed]: None
Attachment #8659237 - Flags: approval-mozilla-aurora?
Comment on attachment 8659237 [details] [diff] [review]
Error if SPS NAL parsing failed.

Fix a crash, taking it.
Attachment #8659237 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
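Added example, not Gecko/libstagefright code and not the patch on attachment 8659237: the stack above reaches nsTArray's Hdr from DecodeSPSFromExtraData with a fault address of 0, which is what a method call on a null buffer looks like once SPS extraction from malformed avcC extradata has returned nothing, and the approval comment describes the fix as a check for that null. The stand-alone avcC reader below shows the same structure in working code: extraction reports failure for every malformed layout it can meet (no SPS entries, an SPS length running past the end of the buffer, a NAL that is not an SPS), and the caller tests that result before reading profile_idc and level_idc. The function names (ExtractSPS, SpsNalSize, SpsProfileIdc, SpsLevelIdc), the AvccInfo struct and the three sample avcC byte strings are constructed for this example and are not taken from the test_case.mp4 attached to the bug.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not Gecko code: a bounds-checked reader for the avcC box
// (AVCDecoderConfigurationRecord, ISO/IEC 14496-15) that pulls out the first
// SPS NAL unit. Every failure path reports "no SPS" to the caller, and the
// callers below treat that as an error instead of using a result that is not
// there, which is the shape of the null check this bug was fixed with.

struct AvccInfo {
  uint8_t nalLengthSize;     // 1..4, lengthSizeMinusOne + 1
  std::vector<uint8_t> sps;  // first SPS NAL unit, including its header byte
};

// Read a big-endian 16-bit value at pos; false if it would run past the end.
static bool ReadU16BE(const std::vector<uint8_t>& buf, size_t pos, uint16_t* out) {
  if (pos + 2 > buf.size()) {
    return false;
  }
  *out = static_cast<uint16_t>((buf[pos] << 8) | buf[pos + 1]);
  return true;
}

// Layout: version(1) profile(1) compat(1) level(1) 0b111111xx lengthSizeMinusOne(1)
//         0b111xxxxx numOfSequenceParameterSets(1) then [len(2) nal(len)]*
bool ExtractSPS(const std::vector<uint8_t>& extradata, AvccInfo* out) {
  if (extradata.size() < 6 || extradata[0] != 1) {
    return false;  // too short for the fixed header, or not configurationVersion 1
  }
  const uint8_t numSps = extradata[5] & 0x1f;
  if (numSps == 0) {
    return false;  // a syntactically valid avcC can still carry no SPS at all
  }
  size_t pos = 6;
  uint16_t len = 0;
  if (!ReadU16BE(extradata, pos, &len)) {
    return false;  // count says 1+ SPS but the length field is missing
  }
  pos += 2;  // ReadU16BE succeeded, so pos <= extradata.size() here
  if (len == 0 || len > extradata.size() - pos) {
    return false;  // empty NAL, or length claims more bytes than exist
  }
  if ((extradata[pos] & 0x1f) != 7) {
    return false;  // nal_unit_type 7 is SPS; anything else is not what we asked for
  }
  out->nalLengthSize = static_cast<uint8_t>((extradata[4] & 0x03) + 1);
  out->sps.assign(extradata.begin() + pos, extradata.begin() + pos + len);
  return true;
}

// Size of the extracted SPS NAL, 0 when extraction failed.
size_t SpsNalSize(const std::vector<uint8_t>& extradata) {
  AvccInfo info;
  return ExtractSPS(extradata, &info) ? info.sps.size() : 0;
}

// The callers' side of the fix: profile_idc and level_idc sit at fixed
// offsets after the SPS NAL header byte, but only if we actually got an SPS.
// Both return -1 on any failure instead of touching a missing result.
int SpsProfileIdc(const std::vector<uint8_t>& extradata) {
  AvccInfo info;
  return (ExtractSPS(extradata, &info) && info.sps.size() >= 4) ? info.sps[1] : -1;
}

int SpsLevelIdc(const std::vector<uint8_t>& extradata) {
  AvccInfo info;
  return (ExtractSPS(extradata, &info) && info.sps.size() >= 4) ? info.sps[3] : -1;
}

// Constructed sample inputs (not taken from the attached test_case.mp4).
// Well-formed: High profile (100), level 3.1, 4-byte NAL lengths, 1 SPS, 1 PPS.
const std::vector<uint8_t> kGoodAvcc = {
  0x01, 0x64, 0x00, 0x1f, 0xff, 0xe1,
  0x00, 0x06, 0x67, 0x64, 0x00, 0x1f, 0xac, 0xd9,  // SPS: len 6, type 7, profile 100, level 31
  0x01, 0x00, 0x04, 0x68, 0xef, 0xbc, 0x80};       // 1 PPS, len 4
// Valid header, but numOfSequenceParameterSets == 0.
const std::vector<uint8_t> kNoSpsAvcc = {0x01, 0x64, 0x00, 0x1f, 0xff, 0xe0};
// Claims one SPS of 32 bytes but the buffer ends after 2 of them.
const std::vector<uint8_t> kTruncatedAvcc = {
  0x01, 0x64, 0x00, 0x1f, 0xff, 0xe1, 0x00, 0x20, 0x67, 0x64};

int main() {
  const std::vector<uint8_t>* samples[] = {&kGoodAvcc, &kNoSpsAvcc, &kTruncatedAvcc};
  for (const auto* s : samples) {
    std::printf("sps_bytes=%zu profile_idc=%d level_idc=%d\n",
                SpsNalSize(*s), SpsProfileIdc(*s), SpsLevelIdc(*s));
  }
  return 0;
}
```

Builds with any C++11 or later compiler. The well-formed sample reports a 6-byte SPS with profile 100 and level 31; the two malformed samples report 0 bytes and -1 for both fields, which is the point: a caller that keys telemetry or decoder setup off these values gets a clean error on bad content rather than a read through a null pointer.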