Closed Bug 1232330 Opened 8 years ago Closed 8 years ago

VPX: heap-buffer-overflow crash [@mozilla::layers::MappedYCbCrChannelData::CopyInto]

Categories

(Core :: Audio/Video: Playback, defect, P1)

x86_64
macOS
defect

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: posidron, Unassigned)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

The following testcase crashes on en-us.linux-x86_64-asan.tar.bz2 revision 3fff31499837124b86091a7f87217f3fbbbf2b75

See attachment.

Backtrace:

==24436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e001013ed7 at pc 0x7f56f90845db bp 0x7f568c722750 sp 0x7f568c722748
READ of size 8104 at 0x62e001013ed7 thread T2652 (MediaPD~oder #3)
    #0 0x7f56f90845da in mozilla::layers::MappedYCbCrChannelData::CopyInto(mozilla::layers::MappedYCbCrChannelData&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/client/TextureClient.cpp:1024
    #1 0x7f56f9078a1c in CopyInto /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/gfx/layers/../../dist/include/mozilla/layers/TextureClient.h:168
    #2 0x7f56f9078a1c in mozilla::layers::UpdateYCbCrTextureClient(mozilla::layers::TextureClient*, mozilla::layers::PlanarYCbCrData const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/client/TextureClient.cpp:969
    #3 0x7f56f9194af9 in mozilla::layers::SharedPlanarYCbCrImage::SetData(mozilla::layers::PlanarYCbCrData const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/SharedPlanarYCbCrImage.cpp:101
    #4 0x7f56fbcbb241 in mozilla::VideoData::SetVideoDataToImage(mozilla::layers::PlanarYCbCrImage*, mozilla::VideoInfo const&, mozilla::VideoData::YCbCrBuffer const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaData.cpp:235
    #5 0x7f56fbcbc1f4 in mozilla::VideoData::Create(mozilla::VideoInfo const&, mozilla::layers::ImageContainer*, mozilla::layers::Image*, long, long, long, mozilla::VideoData::YCbCrBuffer const&, bool, long, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaData.cpp:336
    #6 0x7f56fbcbc3cc in mozilla::VideoData::Create(mozilla::VideoInfo const&, mozilla::layers::ImageContainer*, long, long, long, mozilla::VideoData::YCbCrBuffer const&, bool, long, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaData.cpp:370
    #7 0x7f56fbfb8382 in mozilla::VPXDecoder::DoDecodeFrame(mozilla::MediaRawData*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/agnostic/VPXDecoder.cpp:141
    #8 0x7f56fbfb8a1d in mozilla::VPXDecoder::DecodeFrame(mozilla::MediaRawData*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/agnostic/VPXDecoder.cpp:165
    #9 0x7f56fbfcaf97 in apply<mozilla::VPXDecoder, void (mozilla::VPXDecoder::*)(mozilla::MediaRawData *)> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/nsThreadUtils.h:676
    #10 0x7f56fbfcaf97 in nsRunnableMethodImpl<void (mozilla::VPXDecoder::*)(mozilla::MediaRawData*), true, RefPtr<mozilla::MediaRawData> >::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/nsThreadUtils.h:870
    #11 0x7f56f72c60ec in mozilla::TaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:170
    #12 0x7f56f72db20c in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:221
    #13 0x7f56f72db7ac in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:235
    #14 0x7f56f72d4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:964
    #15 0x7f56f734fcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #16 0x7f56f7c7aa2f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #17 0x7f56f7be720c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #18 0x7f56f7be720c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #19 0x7f56f7be720c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #20 0x7f56f72d05d0 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:376
    #21 0x7f5704c0c4b5 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #22 0x7f570524b181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

0x62e001013ed7 is located 1712 bytes to the right of 46119-byte region [0x62e001008400,0x62e001013827)
allocated by thread T2650 (MediaPD~oder #2) here:
    #0 0x4750d1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f56ff31d662 in vpx_memalign /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libvpx/vpx_mem/vpx_mem.c:25
    #2 0x7f56ff320485 in vp8_yv12_realloc_frame_buffer /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libvpx/vpx_scale/generic/yv12config.c:63
    #3 0x7f56ff019ce7 in vp8_alloc_frame_buffers /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libvpx/vp8/common/alloccommon.c:66
    #4 0x7f56ff10d10a in vp8_decode /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libvpx/vp8/vp8_dx_iface.c:445
    #5 0x7f56ff310221 in vpx_codec_decode /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libvpx/vpx/src/vpx_decoder.c:122
    #6 0x7f56fbfb7ab7 in mozilla::VPXDecoder::DoDecodeFrame(mozilla::MediaRawData*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/agnostic/VPXDecoder.cpp:108
    #7 0x7f56fbfb8a1d in mozilla::VPXDecoder::DecodeFrame(mozilla::MediaRawData*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/agnostic/VPXDecoder.cpp:165
    #8 0x7f56fbfcaf97 in apply<mozilla::VPXDecoder, void (mozilla::VPXDecoder::*)(mozilla::MediaRawData *)> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/nsThreadUtils.h:676
    #9 0x7f56fbfcaf97 in nsRunnableMethodImpl<void (mozilla::VPXDecoder::*)(mozilla::MediaRawData*), true, RefPtr<mozilla::MediaRawData> >::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/nsThreadUtils.h:870
    #10 0x7f56f72c60ec in mozilla::TaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:170
    #11 0x7f56f72db20c in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:221
    #12 0x7f56f72db7ac in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:235
    #13 0x7f56f72d4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:964
    #14 0x7f56f734fcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #15 0x7f56f7c7aa2f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #16 0x7f56f7be720c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #17 0x7f56f7be720c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #18 0x7f56f7be720c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #19 0x7f56f72d05d0 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:376
    #20 0x7f5704c0c4b5 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #21 0x7f570524b181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T2652 (MediaPD~oder #3) created by T2650 (MediaPD~oder #2) here:
    #0 0x461945 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f5704c08e3d in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f5704c089ba in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f56f72d1d0d in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:496
    #4 0x7f56f72d84fe in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7f56f72d9e73 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>&&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:105
    #6 0x7f56f72dbcc3 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:269
    #7 0x7f56f72c6603 in operator nsIEventTarget * /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/nsIEventTarget.h:37
    #8 0x7f56f72c6603 in operator-> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/mozilla/SharedThreadPool.h:60
    #9 0x7f56f72c6603 in mozilla::TaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:196
    #10 0x7f56f72db20c in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:221
    #11 0x7f56f72db7ac in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:235
    #12 0x7f56f72d4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:964
    #13 0x7f56f734fcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #14 0x7f56f7c7aa2f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #15 0x7f56f7be720c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #16 0x7f56f7be720c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #17 0x7f56f7be720c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #18 0x7f56f72d05d0 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:376
    #19 0x7f5704c0c4b5 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #20 0x7f570524b181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T2650 (MediaPD~oder #2) created by T2644 (MediaPl~back #1) here:
    #0 0x461945 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f5704c08e3d in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f5704c089ba in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f56f72d1d0d in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:496
    #4 0x7f56f72d84fe in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7f56f72d9e73 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>&&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:105
    #6 0x7f56f72dbcc3 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:269
    #7 0x7f56f72c4ada in mozilla::TaskQueue::DispatchLocked(already_AddRefed<nsIRunnable>, mozilla::TaskQueue::DispatchMode, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:66
    #8 0x7f56f72dd9ac in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskQueue.h:47
    #9 0x7f56fbfb8d34 in mozilla::VPXDecoder::Input(mozilla::MediaRawData*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/agnostic/VPXDecoder.cpp:179
    #10 0x7f56fbd27d06 in DecodeDemuxedSamples /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaFormatReader.cpp:828
    #11 0x7f56fbd27d06 in mozilla::MediaFormatReader::HandleDemuxedSamples(mozilla::TrackInfo::TrackType, mozilla::AbstractMediaDecoder::AutoNotifyDecoded&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaFormatReader.cpp:942
    #12 0x7f56fbd25dee in mozilla::MediaFormatReader::Update(mozilla::TrackInfo::TrackType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaFormatReader.cpp:1093
    #13 0x7f56fbd7d42a in apply<mozilla::MediaFormatReader, void (mozilla::MediaFormatReader::*)(mozilla::TrackInfo::TrackType)> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:676
    #14 0x7f56fbd7d42a in nsRunnableMethodImpl<void (mozilla::MediaFormatReader::*)(mozilla::TrackInfo::TrackType), true, mozilla::TrackInfo::TrackType>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:870
    #15 0x7f56f72e5ffa in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/mozilla/TaskDispatcher.h:180
    #16 0x7f56f72c60ec in mozilla::TaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:170
    #17 0x7f56f72db20c in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:221
    #18 0x7f56f72db7ac in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:235
    #19 0x7f56f72d4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:964
    #20 0x7f56f734fcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #21 0x7f56f7c7aa2f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #22 0x7f56f7be720c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #23 0x7f56f7be720c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #24 0x7f56f7be720c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #25 0x7f56f72d05d0 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:376
    #26 0x7f5704c0c4b5 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #27 0x7f570524b181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T2644 (MediaPl~back #1) created by T0 (Web Content) here:
    #0 0x461945 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f5704c08e3d in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f5704c089ba in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f56f72d1d0d in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:496
    #4 0x7f56f72d84fe in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7f56f72d9e73 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>&&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:105
    #6 0x7f56f72dbcc3 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:269
    #7 0x7f56f72c4ada in mozilla::TaskQueue::DispatchLocked(already_AddRefed<nsIRunnable>, mozilla::TaskQueue::DispatchMode, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:66
    #8 0x7f56f72dd9ac in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskQueue.h:47
    #9 0x7f56f72e596c in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/mozilla/TaskDispatcher.h:232
    #10 0x7f56f72e6872 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/mozilla/TaskDispatcher.h:87
    #11 0x7f56f72ea301 in reset /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/mozilla/Maybe.h:373
    #12 0x7f56f72ea301 in mozilla::XPCOMThreadWrapper::FireTailDispatcher() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/AbstractThread.cpp:81
    #13 0x7f56f72ea4a0 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/nsThreadUtils.h:663
    #14 0x7f56f72ea4a0 in nsRunnableMethodImpl<void (mozilla::XPCOMThreadWrapper::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/nsThreadUtils.h:870
    #15 0x7f56f71acc89 in mozilla::CycleCollectedJSRuntime::ProcessStableStateQueue() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1047
    #16 0x7f56f870536d in XPCJSRuntime::AfterProcessTask(unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:3646
    #17 0x7f56f72d4f39 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:979
    #18 0x7f56f734fcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #19 0x7f56f72d3a2a in nsThread::Shutdown() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:774
    #20 0x7f56f72dc34a in nsThreadPool::Shutdown() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:316
    #21 0x7f56f72df420 in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/nsThreadUtils.h:663
    #22 0x7f56f72df420 in nsRunnableMethodImpl<nsresult (nsIThreadPool::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/nsThreadUtils.h:870
    #23 0x7f56f72d4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:964
    #24 0x7f56f734fcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #25 0x7f56f72d3a2a in nsThread::Shutdown() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:774
    #26 0x7f56f72dc34a in nsThreadPool::Shutdown() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:316
    #27 0x7f56f72df420 in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/nsThreadUtils.h:663
    #28 0x7f56f72df420 in nsRunnableMethodImpl<nsresult (nsIThreadPool::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/../../dist/include/nsThreadUtils.h:870
    #29 0x7f56f72d4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:964
    #30 0x7f56f734fcca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #31 0x7f56f7c79aa9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #32 0x7f56f7be720c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #33 0x7f56f7be720c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #34 0x7f56f7be720c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #35 0x7f56fce5d1c7 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #36 0x7f56fed895b2 in XRE_RunAppShell /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:787
    #37 0x7f56f7be720c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #38 0x7f56f7be720c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #39 0x7f56f7be720c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #40 0x7f56fed88c9c in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:623
    #41 0x48d760 in content_process_main(int, char**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #42 0x7f56f4be9ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/client/TextureClient.cpp:1024 mozilla::layers::MappedYCbCrChannelData::CopyInto(mozilla::layers::MappedYCbCrChannelData&)
Shadow bytes around the buggy address:
  0x0c5c801fa780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5c801fa7d0: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
  0x0c5c801fa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c801fa820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
Attached file Testcase
Summary: VPX: [@mozilla::layers::MappedYCbCrChannelData::CopyInto] → VPX: heap-buffer-overflow crash [@mozilla::layers::MappedYCbCrChannelData::CopyInto]
No longer blocks: fuzzing-ipc-ipdl
Group: core-security → gfx-core-security
This looks like a bug in libvpx causing it to output an incorrectly sized frame.
Component: Graphics: Layers → Audio/Video: Playback
Priority: -- → P1
Group: gfx-core-security → media-core-security
I haven't been able to reproduce this issue on both Mac and Linux.
I've tried printfs, debugging, and finally a recent ASAN build (20160201064125, both https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1454337685/ and https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan-debug/1454337685/ ).

Christoph, could you please try again when possible?
Flags: needinfo?(cdiehl)
The issue has not popped up again on our cluster.
Flags: needinfo?(cdiehl)
Tried one last time with an ASAN build from the time this bug was reported, still can't reproduce, so I'll just call "works for me". Of course please reopen if this ever happens again.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Group: media-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: