Bug 1186716 (Closed)
Opened 10 years ago, closed 9 years ago
Stagefright: NULL deref crash in DecodeSPSFromExtraData
Categories: Core :: Audio/Video: Playback, defect, P1
Tracking: RESOLVED FIXED, mozilla43
People: Reporter: tsmith, Assigned: rillian
Details: Keywords: crash, csectype-nullptr
Attachments (2 files):
37.32 KB, video/mp4
963 bytes, patch (rillian: review+, Sylvestre: approval-mozilla-aurora+)

==22339==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa2afea5aeb sp 0x7fa2551e5940 bp 0x7fa2551e5a30 T190)
#0 0x7fa2afea5aea in Hdr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/media/libstagefright/../../dist/include/nsTArray.h:488
#1 0x7fa2afea85b1 in DecodeSPSFromExtraData /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/binding/H264.cpp:500
#2 0x7fa2b4a806ba in AccumulateSPSTelemetry /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:38
#3 0x7fa2b4a82f06 in MP4TrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:227
#4 0x7fa2b4a817a1 in GetTrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:145
#5 0x7fa2b4657a26 in OnDemuxerInitDone /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/MediaFormatReader.cpp:309
#6 0x7fa2b46cd1f6 in RejectValue /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:433
#7 0x7fa2b46cadd2 in DoResolveOrReject /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:383
#8 0x7fa2b46ca77f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:316
#9 0x7fa2b45cdd0a in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:180
#10 0x7fa2b4765995 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/TaskQueue.cpp:257
#11 0x7fa2b00853d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#12 0x7fa2b008578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#13 0x7fa2b007f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
#14 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#15 0x7fa2b095755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
#16 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#17 0x7fa2b007b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
#18 0x7fa2be8a8135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#19 0x7fa2c1dcfe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
#20 0x7fa2c0ecc31c in ?? /build/buildd/eglibc-2.15/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:112
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T190 (MediaPl~back #4) created by T185 (MediaPl~back #2) here:
#0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
#1 0x7fa2be8a4abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
#2 0x7fa2be8a463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
#3 0x7fa2b007cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
#4 0x7fa2b0082cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
#5 0x7fa2b00843be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
#6 0x7fa2b0085c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
#7 0x7fa2b4765d30 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
#8 0x7fa2b00853d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#9 0x7fa2b008578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#10 0x7fa2b007f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
#11 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#12 0x7fa2b095755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
#13 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#14 0x7fa2b007b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
#15 0x7fa2be8a8135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#16 0x7fa2c1dcfe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
Thread T185 (MediaPl~back #2) created by T0 here:
#0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
#1 0x7fa2be8a4abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
#2 0x7fa2be8a463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
#3 0x7fa2b007cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
#4 0x7fa2b0082cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
#5 0x7fa2b00843be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
#6 0x7fa2b0085c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
#7 0x7fa2b47640f9 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
#8 0x7fa2b4728bec in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/mozilla/TaskQueue.h:47
#9 0x7fa2b45cd67c in DispatchTaskGroup /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:232
#10 0x7fa2b45cc322 in ~AutoTaskDispatcher /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:87
#11 0x7fa2b45cb471 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/Maybe.h:373
#12 0x7fa2b45cb610 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:621
#13 0x7fa2b5625125 in assign_assuming_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/widget/../dist/include/nsCOMPtr.h:336
#14 0x7fa2b5625ccd in AfterProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.h:95
#15 0x7fa2b007f7a0 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:881
#16 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#17 0x7fa2b09565e9 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
#18 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#19 0x7fa2b56238d7 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
#20 0x7fa2b73800f8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280
#21 0x7fa2b7488e17 in XRE_mainRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4288
#22 0x7fa2b7489e75 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4385
#23 0x7fa2b748acf5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4474
#24 0x48a6e4 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
#25 0x7fa2c0df976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
==22339==ABORTING
Reporter
Comment 1•10 years ago
Updated•9 years ago
Assignee: nobody → giles
Priority: -- → P1
Comment 2•9 years ago
Attachment #8659237 - Flags: review?(giles)
Assignee
Updated•9 years ago
Attachment #8659237 - Flags: review?(giles) → review+
Comment 4•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox43: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment 5•9 years ago
Comment on attachment 8659237 [details] [diff] [review]
Error if SPS NAL parsing failed.
Approval Request Comment
[Feature/regressing bug #]: 1111328
[User impact if declined]: Crash on badly formed h264 content
[Describe test coverage new/current, TreeHerder]: Local test, in central
[Risks and why]: Very low; just checking for null value
[String/UUID change made/needed]: None
Attachment #8659237 - Flags: approval-mozilla-aurora?
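
An added example, not Mozilla's patch or code from this bug, of the pattern Comment 5 describes: a failed SPS NAL parse is reported as an error instead of the null result being dereferenced. DecodeNAL, ExtractSPS, SpsResult and the byte samples are hypothetical names and constructed data; the extradata layout assumed is the standard avcC (AVCDecoderConfigurationRecord) header.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

using Bytes = std::vector<uint8_t>;
enum class SpsResult { Ok, BadExtraData, BadNal };

// Hypothetical NAL decoder: accepts only an SPS (nal_unit_type 7), strips
// emulation-prevention bytes (00 00 03 -> 00 00), and returns nullptr when
// the unit is too short to carry a header byte plus payload.
std::unique_ptr<Bytes> DecodeNAL(const uint8_t* nal, size_t len) {
  if (len < 2 || (nal[0] & 0x1f) != 7) return nullptr;
  auto rbsp = std::make_unique<Bytes>();
  int zeros = 0;
  for (size_t i = 1; i < len; ++i) {  // byte 0 is the NAL header
    if (zeros >= 2 && nal[i] == 0x03) { zeros = 0; continue; }
    zeros = (nal[i] == 0x00) ? zeros + 1 : 0;
    rbsp->push_back(nal[i]);
  }
  return rbsp;
}

// Pulls the first SPS out of avcC extradata. Layout: version, profile,
// compatibility, level, lengthSize, numSPS (low 5 bits), 16-bit SPS length.
SpsResult ExtractSPS(const Bytes& avcc, Bytes& out) {
  if (avcc.size() < 8 || avcc[0] != 1 || (avcc[5] & 0x1f) == 0)
    return SpsResult::BadExtraData;
  size_t spsLen = (size_t(avcc[6]) << 8) | avcc[7];
  if (spsLen > avcc.size() - 8) return SpsResult::BadExtraData;
  std::unique_ptr<Bytes> rbsp = DecodeNAL(avcc.data() + 8, spsLen);
  if (!rbsp) return SpsResult::BadNal;  // without this, *rbsp is a NULL deref
  out = *rbsp;
  return SpsResult::Ok;
}

// Constructed samples: a valid record, a 1-byte SPS, and a truncated record.
const Bytes kGood = {0x01, 0x42, 0x00, 0x1e, 0xff, 0xe1, 0x00, 0x06,
                     0x67, 0x42, 0x00, 0x00, 0x03, 0x01};
const Bytes kShortNal = {0x01, 0x42, 0x00, 0x1e, 0xff, 0xe1, 0x00, 0x01, 0x67};
const Bytes kTruncated = {0x01, 0x42, 0x00, 0x1e, 0xff, 0xe1, 0x00, 0x40, 0x67};

int main() {
  Bytes sps;
  bool ok = ExtractSPS(kGood, sps) == SpsResult::Ok && sps.size() == 4 &&
            ExtractSPS(kShortNal, sps) == SpsResult::BadNal &&
            ExtractSPS(kTruncated, sps) == SpsResult::BadExtraData;
  return ok ? 0 : 1;
}
```
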
Updated•9 years ago
status-firefox42: --- → affected
Comment 6•9 years ago
Comment on attachment 8659237 [details] [diff] [review]
Error if SPS NAL parsing failed.
Fix a crash, taking it.
Attachment #8659237 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 7•9 years ago