Closed Bug 1229134 Opened 4 years ago Closed 4 years ago
Crash at memcpy in xul!mp4_demuxer::BufferStream::ReadAt
User Agent: Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20151130030228

Steps to reproduce:
Open min.mp4 or fuzz.mp4 with Firefox Nightly 45.0a1 (2015-11-30).

Actual results:
- Crash at memcpy in xul!mp4_demuxer::BufferStream::ReadAt when fuzz.mp4 is opened.
- Assertion crash at xul!stagefright::SampleIterator::seekTo when min.mp4 is opened.

Expected results:
No crash
This is the stacktrace when min.mp4 is opened
This is the stacktrace when fuzz.mp4 is opened
The samples are larger than 10MB, so here are the links to download:
Origin sample -> http://s000.tinyupload.com/index.php?file_id=96139784625952224122
Fuzz sample -> http://s000.tinyupload.com/index.php?file_id=47507808226486453964
Min sample -> http://s000.tinyupload.com/?file_id=90071512635225670108

Between min.mp4 and origin.mp4 there is only one different byte, at position 51444/0xc8f4:
Origin => 20/0x14. Crash => 141/0x8d
Jean-Yves, can you take a look or forward to someone else within the audio/video team? Thanks!
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video
Product: Firefox → Core
Assignee: nobody → jyavenard
Comment on attachment 8693847 [details] [diff] [review]
Check that memory allocation actually succeeded.

This isn't a security issue, writing to a null address. But just in case we need a security rating...
Comment on attachment 8693847 [details] [diff] [review]
Check that memory allocation actually succeeded.

Review of attachment 8693847 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you for cleaning up after me.
Attachment #8693847 - Flags: review?(gsquelart) → review+
Can this write be at an arbitrary offset from null? In which case it would be worse than just a null deref.
No, it can't be. The problem can be summarised as:

char* foo = malloc(2GB);
memcpy(foo, origin, 2GB);

It will crash instantly.
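The unchecked malloc/memcpy pattern from the comment above, next to the checked form that the attached patch is about, as an added example that is not from the Firefox tree or from this bug's patch; the Stream type, the stream_alloc hook and the sample bytes are constructed for the demo:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a demuxer byte stream; not Firefox's code. */
typedef struct { const uint8_t *data; size_t len; } Stream;

/* Allocator hook (an assumption for the demo) so the out-of-memory path can be
 * exercised deterministically instead of actually requesting 2 GB. */
static void *(*stream_alloc)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }
void set_stream_alloc(void *(*fn)(size_t)) { stream_alloc = fn ? fn : malloc; }

/* Unchecked pattern from the thread: malloc(size) followed straight by
 * memcpy, so a NULL return is written through and the process crashes. */
uint8_t *read_at_unchecked(const Stream *s, size_t offset, size_t size) {
    uint8_t *buf = stream_alloc(size);
    memcpy(buf, s->data + offset, size);   /* buf may be NULL here */
    return buf;
}

/* Hardened form: reject requests outside the stream, then check the
 * allocation result (the check the attached patch adds) before copying. */
bool read_at_checked(const Stream *s, size_t offset, size_t size,
                     uint8_t **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (!s || offset > s->len || size > s->len - offset) return false;
    uint8_t *buf = stream_alloc(size ? size : 1);
    if (!buf) return false;                /* allocation failed: report, don't copy */
    memcpy(buf, s->data + offset, size);
    *out = buf; *out_len = size;
    return true;
}

/* Constructed sample bytes standing in for a file's contents. */
const uint8_t kSample[8] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 };
const Stream kStream = { kSample, sizeof kSample };

int main(void) {
    uint8_t *out; size_t n;
    printf("in-bounds read ok: %d\n", read_at_checked(&kStream, 2, 4, &out, &n));
    free(out);
    set_stream_alloc(failing_alloc);       /* simulate malloc returning NULL */
    printf("read after failed alloc ok: %d\n", read_at_checked(&kStream, 0, 4, &out, &n));
    set_stream_alloc(NULL);
    return 0;
}
```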
Thanks for the explanation.
Status: UNCONFIRMED → NEW
Ever confirmed: true