Closed
Bug 1286272
Opened 8 years ago
Closed 8 years ago
int32_t read_file(const char*): Assertion `rv2 == MP4PARSE_OK' failed
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: ugobejishvili, Assigned: rillian)
Details
Attachments
(2 files)
2.52 KB,
video/mp4
|
Details | |
2.71 KB,
patch
|
kinetik
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Build ID: 20160606113944 Steps to reproduce: Hello guys, just tried to fuzz new product rust mp4 parser, after couple of second i got this crash. Build instruction copy from here: https://travis-ci.org/mozilla/mp4parse-rust/jobs/141199847 Run the testcase. Actual results: test: test.cc:239: int32_t read_file(const char*): Assertion `rv2 == MP4PARSE_OK' failed. Program received signal SIGABRT, Aborted. 0x00007ffff6b79418 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 0x00007ffff6b79418 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 #1 0x00007ffff6b7b01a in __GI_abort () at abort.c:89 #2 0x00007ffff6b71bd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x4d3dbf "rv2 == MP4PARSE_OK", file=file@entry=0x4d3ba4 "test.cc", line=line@entry=239, function=function@entry=0x4d3f90 <read_file(char const*)::__PRETTY_FUNCTION__> "int32_t read_file(const char*)") at assert.c:92 #3 0x00007ffff6b71c82 in __GI___assert_fail (assertion=assertion@entry=0x4d3dbf "rv2 == MP4PARSE_OK", file=file@entry=0x4d3ba4 "test.cc", line=line@entry=239, function=function@entry=0x4d3f90 <read_file(char const*)::__PRETTY_FUNCTION__> "int32_t read_file(const char*)") at assert.c:101 #4 0x0000000000408661 in read_file (filename=<optimized out>) at test.cc:239 #5 0x0000000000404e0e in main (argc=<optimized out>, argv=0x7fffffffdc08) at test.cc:264 (gdb) i r rax 0x0 0 rbx 0x7ffff7ff5000 140737354092544 rcx 0x7ffff6b79418 140737332614168 rdx 0x6 6 rsi 0x3ad4 15060 rdi 0x3ad4 15060 rbp 0x4d3dbf 0x4d3dbf rsp 0x7fffffffd888 0x7fffffffd888 r8 0x7524d0 7677136 r9 0xffffffffff000000 -16777216 r10 0x8 8 r11 0x206 518 r12 0xef 239 r13 0x4d3f90 5062544 r14 0x7fffffffdc10 140737488346128 r15 0x0 0 rip 0x7ffff6b79418 0x7ffff6b79418 <__GI_raise+56> eflags 0x206 [ PF IF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0
Comment 1•8 years ago
|
||
:rillian, I'm told you might know more about this and where it should live?
Flags: needinfo?(giles)
Assignee | ||
Comment 2•8 years ago
|
||
Thanks for fuzzing. Just to confirm, this is test.cc from the upstream github repo, not code we have in firefox? I guess for fuzzing we should convert all those asserts to error returns?
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video: Playback
Flags: needinfo?(giles) → needinfo?(ugobejishvili)
Product: Firefox → Core
Version: 47 Branch → Other Branch
Assignee | ||
Comment 3•8 years ago
|
||
I can't reproduce the assert with the testcase, I just get an parse failure with unexpected EOF. Does the attached patch let the fuzzer run further?
Assignee: nobody → giles
Attachment #8770209 -
Flags: review?(kinetik)
Reporter | ||
Comment 4•8 years ago
|
||
(In reply to Ralph Giles (:rillian) needinfo me from comment #2) > Thanks for fuzzing. Just to confirm, this is test.cc from the upstream > github repo, not code we have in firefox? > > I guess for fuzzing we should convert all those asserts to error returns? Yes it's just test.cc, was easier for me to fuzz.
Flags: needinfo?(ugobejishvili)
Comment 5•8 years ago
|
||
Comment on attachment 8770209 [details] [diff] [review] Convert asserts to error returns I guess converting the asserts is fine but please make it fatally exit on parse failure. This is for testing/development, it's not a fuzzing harness and I don't want to support it was one. We already have examples/afl-capi.rs and examples/afl.rs for this purpose.
Attachment #8770209 -
Flags: review?(kinetik) → review+
Assignee | ||
Comment 6•8 years ago
|
||
Ok, I'll not land the patch upstream. As Matthew pointed out, there's nothing afl-specific about the afl harnesses, so those are a better choice to use. You may want to compile with `cargo test --features=abort_on_panic` to get a crash closer to failing code, depending on the fuzzing technology you're using. This bug can be made public public since there is no security issue and no affect on users.
Reporter | ||
Comment 7•8 years ago
|
||
(In reply to Ralph Giles (:rillian) needinfo me from comment #6) > Ok, I'll not land the patch upstream. As Matthew pointed out, there's > nothing afl-specific about the afl harnesses, so those are a better choice > to use. You may want to compile with `cargo test --features=abort_on_panic` > to get a crash closer to failing code, depending on the fuzzing technology > you're using. > > This bug can be made public public since there is no security issue and no > affect on users. Agree
Updated•8 years ago
|
Group: core-security
Assignee | ||
Comment 8•8 years ago
|
||
Ok, closing. We believe the assert is working as intended for quick-failure testing. Please use either the other example code intended for fuzzing (comment #5), or the attached patch for further work. Thanks for the report!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•