1289282 - FFMPEG: heap-buffer-overflow read in [@av_packet_ref]

Status: RESOLVED DUPLICATE of bug 1289280

(Core :: Audio/Video: Playback, defect, P1)

Description

[Tyson Smith [:tsmith]]

Attachment: log.txt

I found this while fuzzing a nightly build of the browser not a standalone ffmpeg build.

This is using the same test case that found bug 1289280 but this crash is less frequent.

==6734==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900177b8e3 at pc 0x00000049b00a bp 0x7f2dd59fbbb0 sp 0x7f2dd59fb370
READ of size 4044 at 0x61900177b8e3 thread T57 (MediaPD~oder #1)
    #0 0x49b009 in __asan_memcpy /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0x7f2ddcfd5a8e in av_packet_ref /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/ffvpx/libavcodec/avpacket.c:568:9
    #2 0x7f2ddd086301 in submit_packet /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/ffvpx/libavcodec/pthread_frame.c:341:5
    #3 0x7f2ddd086301 in ff_thread_decode_frame /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/ffvpx/libavcodec/pthread_frame.c:403
    #4 0x7f2ddd099eda in avcodec_decode_video2 /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/ffvpx/libavcodec/utils.c:2125:19
    #5 0x7f2e119fd60f in mozilla::FFmpegVideoDecoder<46465650>::DoDecode(mozilla::MediaRawData*, unsigned char*, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:235:5
    #6 0x7f2e119fcfe1 in mozilla::FFmpegVideoDecoder<46465650>::DoDecode(mozilla::MediaRawData*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:187:17
    #7 0x7f2e119fa9af in mozilla::FFmpegDataDecoder<46465650>::ProcessDecode(mozilla::MediaRawData*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp:122:11
    #8 0x7f2e119ff6be in applyImpl<mozilla::FFmpegDataDecoder<LIBAV_VER>, void (mozilla::FFmpegDataDecoder<LIBAV_VER>::*)(mozilla::MediaRawData *), StorensRefPtrPassByPtr<mozilla::MediaRawData> , 0> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:729:12
    #9 0x7f2e119ff6be in apply<mozilla::FFmpegDataDecoder<LIBAV_VER>, void (mozilla::FFmpegDataDecoder<LIBAV_VER>::*)(mozilla::MediaRawData *)> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:735
    #10 0x7f2e119ff6be in mozilla::detail::RunnableMethodImpl<void (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData*), true, false, RefPtr<mozilla::MediaRawData> >::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:764
    #11 0x7f2e0c1cce46 in mozilla::TaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:172:5
    #12 0x7f2e0c1e360f in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:227:7
...
See log.txt for entire log.

Comment 1

[Tyson Smith [:tsmith]]

Attachment: test_case.webm

Comment 2

[Tyson Smith [:tsmith]]

Attachment: test_case.html

Comment 3

[Gerald Squelart (he/him) (not at Mozilla since 2022-09-15)]

The patch in bug 1289280 caught this issue here as well.

Comment 4

[Randell Jesup [:jesup] (needinfo me)]

gerald: does that mean this is a dup?  That bug is now marked fixed

Comment 5

[Gerald Squelart (he/him) (not at Mozilla since 2022-09-15)]

(In reply to Randell Jesup [:jesup] from comment #4)
> gerald: does that mean this is a dup?  That bug is now marked fixed
Thank you for the reminder.

Since it's the exact same input test case, and the fix in bug 1289280 will also prevent crashes like the one in comment 0, we can mark this as dup.