Closed Bug 1186716 Opened 10 years ago Closed 9 years ago

Stagefright: NULL deref crash in DecodeSPSFromExtraData

Categories

(Core :: Audio/Video: Playback, defect, P1)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla43
Tracking Status
firefox42 --- fixed
firefox43 --- fixed

People

(Reporter: tsmith, Assigned: rillian)

References

Details

(Keywords: crash, csectype-nullptr)

Attachments

(2 files)

==22339==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa2afea5aeb sp 0x7fa2551e5940 bp 0x7fa2551e5a30 T190) #0 0x7fa2afea5aea in Hdr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/media/libstagefright/../../dist/include/nsTArray.h:488 #1 0x7fa2afea85b1 in DecodeSPSFromExtraData /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/binding/H264.cpp:500 #2 0x7fa2b4a806ba in AccumulateSPSTelemetry /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:38 #3 0x7fa2b4a82f06 in MP4TrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:227 #4 0x7fa2b4a817a1 in GetTrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:145 #5 0x7fa2b4657a26 in OnDemuxerInitDone /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/MediaFormatReader.cpp:309 #6 0x7fa2b46cd1f6 in RejectValue /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:433 #7 0x7fa2b46cadd2 in DoResolveOrReject /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:383 #8 0x7fa2b46ca77f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:316 #9 0x7fa2b45cdd0a in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:180 #10 0x7fa2b4765995 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/TaskQueue.cpp:257 #11 0x7fa2b00853d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228 #12 0x7fa2b008578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242 #13 0x7fa2b007f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867 #14 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277 #15 0x7fa2b095755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326 #16 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234 #17 0x7fa2b007b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360 #18 0x7fa2be8a8135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212 #19 0x7fa2c1dcfe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308 #20 0x7fa2c0ecc31c in ?? /build/buildd/eglibc-2.15/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:112 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 ?? Thread T190 (MediaPl~back #4) created by T185 (MediaPl~back #2) here: #0 0x45eae5 in __interceptor_pthread_create _asan_rtl_ #1 0x7fa2be8a4abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453 #2 0x7fa2be8a463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544 #3 0x7fa2b007cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470 #4 0x7fa2b0082cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249 #5 0x7fa2b00843be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109 #6 0x7fa2b0085c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276 #7 0x7fa2b4765d30 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37 #8 0x7fa2b00853d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228 #9 0x7fa2b008578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242 #10 0x7fa2b007f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867 #11 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277 #12 0x7fa2b095755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326 #13 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234 #14 0x7fa2b007b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360 #15 0x7fa2be8a8135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212 #16 0x7fa2c1dcfe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308 Thread T185 (MediaPl~back #2) created by T0 here: #0 0x45eae5 in __interceptor_pthread_create _asan_rtl_ #1 0x7fa2be8a4abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453 #2 0x7fa2be8a463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544 #3 0x7fa2b007cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470 #4 0x7fa2b0082cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249 #5 0x7fa2b00843be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109 #6 0x7fa2b0085c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276 #7 0x7fa2b47640f9 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37 #8 0x7fa2b4728bec in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/mozilla/TaskQueue.h:47 #9 0x7fa2b45cd67c in DispatchTaskGroup /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:232 #10 0x7fa2b45cc322 in ~AutoTaskDispatcher /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:87 #11 0x7fa2b45cb471 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/Maybe.h:373 #12 0x7fa2b45cb610 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:621 #13 0x7fa2b5625125 in assign_assuming_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/widget/../dist/include/nsCOMPtr.h:336 #14 0x7fa2b5625ccd in AfterProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.h:95 #15 0x7fa2b007f7a0 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:881 #16 0x7fa2b00edf1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277 #17 0x7fa2b09565e9 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95 #18 0x7fa2b08e345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234 #19 0x7fa2b56238d7 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165 #20 0x7fa2b73800f8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280 #21 0x7fa2b7488e17 in XRE_mainRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4288 #22 0x7fa2b7489e75 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4385 #23 0x7fa2b748acf5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4474 #24 0x48a6e4 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212 #25 0x7fa2c0df976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226 ==22339==ABORTING
Attached video test_case.mp4
Assignee: nobody → giles
Priority: -- → P1
Attachment #8659237 - Flags: review?(giles) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment on attachment 8659237 [details] [diff] [review] Error if SPS NAL parsing failed. Approval Request Comment [Feature/regressing bug #]: 1111328 [User impact if declined]: Crash on badly formed h264 content [Describe test coverage new/current, TreeHerder]: Local test, in central [Risks and why]: Very low; just checking for null value [String/UUID change made/needed]: None
Attachment #8659237 - Flags: approval-mozilla-aurora?
Comment on attachment 8659237 [details] [diff] [review] Error if SPS NAL parsing failed. Fix a crash,taking it.
Attachment #8659237 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: