Bug 1278975: Crash on RTPPayloadRegistry shutdown
Status: NEW (open), opened 8 years ago, updated 2 years ago
Categories: Core :: WebRTC, defect, P3
Tracking: backlog webrtc/webaudio+
People: Reporter pellenbogen, Unassigned
Keywords: csectype-nullptr
Description:
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506
Steps to reproduce: https://crash-stats.mozilla.com/report/index/9cdf5cb8-40d9-4918-b3ad-672e52160608

Updated 8 years ago (reporter):
Group: firefox-core-security → core-security
Component: Untriaged → WebRTC
Product: Firefox → Core
Updated 8 years ago (reporter):
Priority: -- → P1
Updated 8 years ago:
backlog: --- → webrtc/webaudio+
Rank: 15
Updated 8 years ago:
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1 (reporter, 8 years ago):
I ran into an assertion error when running the same thing against a local build:
* frame #0: 0x00007fff97124f06 libsystem_kernel.dylib`__pthread_kill + 10
frame #1: 0x00007fff9acbc4ec libsystem_pthread.dylib`pthread_kill + 90
frame #2: 0x00007fff8a8236e7 libsystem_c.dylib`abort + 129
frame #3: 0x00007fff8a7eadf8 libsystem_c.dylib`__assert_rtn + 321
frame #4: 0x0000000105b99c93 XUL`webrtc::RTPPayloadRegistry::DeRegisterReceivePayload(this=<unavailable>, payload_type=<unavailable>) + 275 at rtp_payload_registry.cc:129
frame #5: 0x0000000105b9b839 XUL`webrtc::RtpReceiverImpl::DeRegisterReceivePayload(this=0x000000011680ae20, payload_type=<unavailable>) + 41 at rtp_receiver_impl.cc:128
frame #6: 0x0000000105af0a81 XUL`webrtc::voe::Channel::SetRecPayloadType(this=0x0000000114225000, codec=0x00007fff5fbfad60) + 321 at channel.cc:1466
frame #7: 0x0000000105b0859d XUL`webrtc::VoECodecImpl::SetRecPayloadType(this=0x00000001176b9000, channel=<unavailable>, codec=0x00007fff5fbfad60) + 397 at voe_codec_impl.cc:237
frame #8: 0x0000000103153922 XUL`mozilla::WebrtcAudioConduit::ConfigureRecvMediaCodecs(this=0x000000011f99aec0, codecConfigList=0x00007fff5fbfaf20) + 466 at AudioConduit.cpp:489
frame #9: 0x000000010317e9de XUL`mozilla::MediaPipelineFactory::GetOrCreateAudioConduit(this=<unavailable>, aTrackPair=0x00007fff5fbfb400, aTrack=0x000000012b63efc0, aConduitp=0x00007fff5fbfb210) + 2062 at MediaPipelineFactory.cpp:699
frame #10: 0x000000010317cb82 XUL`mozilla::MediaPipelineFactory::CreateOrUpdateMediaPipeline(this=<unavailable>, aTrackPair=<unavailable>, aTrack=<unavailable>) + 354 at MediaPipelineFactory.cpp:453
frame #11: 0x00000001031aa1a1 XUL`mozilla::PeerConnectionMedia::UpdateMediaPipelines(this=0x0000000112e808c0, session=<unavailable>) + 289 at PeerConnectionMedia.cpp:570
frame #12: 0x000000010319a6dd XUL`mozilla::PeerConnectionImpl::SetSignalingState_m(this=0x000000011fc6a7c0, aSignalingState=<unavailable>, rollback=<unavailable>) + 285 at PeerConnectionImpl.cpp:2941
frame #13: 0x0000000103193c00 XUL`mozilla::PeerConnectionImpl::SetLocalDescription(this=0x000000011fc6a7c0, aAction=1, aSDP=<unavailable>) + 288 at PeerConnectionImpl.cpp:1732
Comment 2 (8 years ago):
That's deregistering a payload that's not in the list. How does this get invoked? I think this is safe (sec-wise); I think worst case 'it' is null and it's a null-deref (which is in general 'safe'). delete(nullptr) is also safe, and I imagine erase(...map_.end()) is also safe even if it's non-null. That said, this implies a higher-level bug.
Updated 8 years ago:
Keywords: csectype-nullptr
Comment 3 (8 years ago):
Paul managed to crash release by replacing payload 109 with 75. Release crashes with the given Socorro signature. Local builds hit a couple of assertions, so it does not reach the same crash point.
Updated 8 years ago:
Group: core-security → media-core-security
Comment 4 (reporter, 8 years ago):
Given that this crash was produced by tampering with values in the offer string, I wonder if fuzz testing the offer strings and ICE candidate strings would be prudent. Not sure if this bug is the right place to bring that up though.
Comment 5 (8 years ago):
We did fuzz a bunch of stuff (cdiehl did it, you could ask), but I'm not sure how much was fuzzed, and the fuzzing was a while ago (pre-JSEP-rewrite, for example).
Updated 8 years ago:
Group: media-core-security
Comment 6 (8 years ago):
This is caused by editing the CreateOffer SDP before setting it; this is not generally supported except for a few exceptions (though it shouldn't crash).
Rank: 15 → 27
Priority: P1 → P2
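As an added illustration (not Firefox's or WebRTC's own code) of the failure comments 2, 3 and 6 describe, the following is a constructed payload-type registry showing the unchecked deregister pattern beside a hardened one that rejects a type that was never registered, exercised with the 109-to-75 substitution from comment 3. The class, its methods and the codec entry are assumptions made for this example.

```cpp
#include <cassert>
#include <map>
#include <string>

// Constructed stand-in for a payload-type -> codec table (not webrtc's class).
struct PayloadEntry {
    std::string name;
    int clock_rate;
};

class PayloadRegistry {
public:
    void RegisterReceivePayload(int payload_type, const PayloadEntry& entry) {
        map_[payload_type] = entry;
    }

    // Mirrors the failing pattern: an unregistered type trips the assertion
    // in debug builds, while a release build carries on with it == map_.end()
    // and erases it, which is undefined behaviour rather than a reported error.
    void DeRegisterReceivePayloadUnchecked(int payload_type) {
        auto it = map_.find(payload_type);
        assert(it != map_.end());   // debug: abort here; release: UB below
        map_.erase(it);
    }

    // Hardened form: check the lookup and hand an error back to the caller,
    // so an edited SDP naming a type that was never registered (75 in place
    // of the offered 109) cannot reach erase() with an end() iterator.
    int DeRegisterReceivePayload(int payload_type) {
        auto it = map_.find(payload_type);
        if (it == map_.end())
            return -1;              // not registered: reject, leave the map alone
        map_.erase(it);
        return 0;
    }

    bool IsRegistered(int payload_type) const {
        return map_.count(payload_type) != 0;
    }
private:
    std::map<int, PayloadEntry> map_;
};

// Constructed scenario from the thread: 109 was offered, the SDP was edited
// to 75, and the hardened deregister refuses the unknown type (returns -1).
inline int DeregisterTamperedType() {
    PayloadRegistry reg;
    reg.RegisterReceivePayload(109, {"example-codec", 48000});  // constructed entry
    return reg.DeRegisterReceivePayload(75);
}
```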
Comment 7 (7 years ago):
Mass change P2->P3 to align with new Mozilla triage process.
Priority: P2 → P3
Updated 2 years ago:
Severity: normal → S3