Closed Bug 1229134 Opened 4 years ago Closed 4 years ago

Crash at memcpy in xul!mp4_demuxer::BufferStream::ReadAt

Categories

(Core :: Audio/Video, defect)

45 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: fuzzers.con.amor, Assigned: jya)

References

Details

(Keywords: csectype-dos)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20151130030228

Steps to reproduce:

Open min.mp4 or fuzz.mp4 with firefox nightly 45.0a1 (2015-11-30).


Actual results:

- Crash at memcpy in xul!mp4_demuxer::BufferStream::ReadAt when fuzz.mp4 is opened.
- Assertion crash at xul!stagefright::SampleIterator::seekTo when min.mp4 is opened.


Expected results:

No crash
Attached file Stacktrace for min.mp4
This is the stacktrace when min.mp4 is opened
This is the stacktrace when fuzz.mp4 is opened
The samples are larger than 10MB so there go the links to download:
Origin sample -> http://s000.tinyupload.com/index.php?file_id=96139784625952224122
Fuzz sample -> http://s000.tinyupload.com/index.php?file_id=47507808226486453964
Min sample -> http://s000.tinyupload.com/?file_id=90071512635225670108

Between min.mp4 and origin.mp4 there is only one different byte at position 51444/0xc8f4: Origin => 20/0x14. Crash => 141/0x8d
Jean-Yves, can you take a look or forward to someone else within the audio/video team? Thanks!
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video
Flags: needinfo?(jyavenard)
Product: Firefox → Core
Assignee: nobody → jyavenard
Flags: needinfo?(jyavenard)
The seek issue is handled in bug 1226842
Depends on: 1226842
Comment on attachment 8693847 [details] [diff] [review]
Check that memory allocation actually succeeded.

This isn't a security issue, writing to null address. But just in case we need a security rating...
Flags: needinfo?(dveditz)
Comment on attachment 8693847 [details] [diff] [review]
Check that memory allocation actually succeeded.

Review of attachment 8693847 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you for cleaning up after me.
Attachment #8693847 - Flags: review?(gsquelart) → review+
Can this write be at an arbitrary offset from null? In which case it would be worse than just a null deref.
no. It can't be.

the problem can be summarised as:
char* foo = malloc(2GB);
memcpy(foo, origin, 2GB);

it will crash instantly
Thanks for the explanation.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dveditz)
Keywords: csectype-dos
https://hg.mozilla.org/mozilla-central/rev/76b10dad2e3d
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.