Closed Bug 1351098 Opened 3 years ago Closed 3 years ago

Stagefright: Assertion failure in [@ mp4_demuxer::Edts::Edts]

Categories

(Core :: Audio/Video: Playback, defect, P3, critical)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1387793

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Assertion failure: false, at /home/worker/workspace/build/src/media/libstagefright/binding/include/mp4_demuxer/ByteReader.h:129

Found with mozilla-central asan debug buildID=20170327212148

Looks like this could possibly trigger an invalid read, marking s-s

==59547==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f72293c7a8a bp 0x7f71f49f6b30 sp 0x7f71f49f6b30 T55)
==59547==The signal is caused by a WRITE memory access.
==59547==Hint: address points to the zero page.
    #0 0x7f72293c7a89 in mp4_demuxer::ByteReader::ReadU32() /home/worker/workspace/build/src/media/libstagefright/binding/include/mp4_demuxer/ByteReader.h:129:7
    #1 0x7f72293e96a7 in mp4_demuxer::Edts::Edts(mp4_demuxer::Box&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:836:34
    #2 0x7f72293e3992 in mp4_demuxer::MoofParser::ParseTrak(mp4_demuxer::Box&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:271:15
    #3 0x7f72293e1f4d in mp4_demuxer::MoofParser::ParseMoov(mp4_demuxer::Box&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:251:7
    #4 0x7f72293e172c in mp4_demuxer::MoofParser::RebuildFragmentedIndex(mp4_demuxer::BoxContext&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:50:7
    #5 0x7f72293d70c3 in mp4_demuxer::MoofParser::RebuildFragmentedIndex(mozilla::media::IntervalSet<long> const&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:38:10
    #6 0x7f722db4a95b in mozilla::MP4TrackDemuxer::EnsureUpToDateIndex() /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:322:11
    #7 0x7f722db4a1fd in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MP4Demuxer*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mp4_demuxer::IndiceWrapper const&) /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:279:3
    #8 0x7f722db48fe6 in mozilla::MP4Demuxer::Init() /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:173:35
    #9 0x7f722d6ce1a5 in mozilla::MediaFormatReader::DemuxerProxy::Init()::$_10::operator()() const /home/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1008:47
...
see log.txt
Attached video test_case.mp4
Assignee: nobody → twsmith
Flags: in-testsuite?
Assignee: twsmith → nobody
Summary: Stagefright: Assertion failure in [@ mp4_demuxer::ByteReader::ReadU32] → Stagefright: Assertion failure in [@ mp4_demuxer::Edts::Edts]
It's just a `MOZ_ASSERT(false)`, which does `*((volatile int*) NULL) = line;` (i.e., writing the line number at 0x0) in debug builds to force a crash.
So this is not a sec issue.

The problem is in MoofParser.cpp:836, reader->ReadU32() probably goes too far.
The test at line 821 above may be incorrect, or we need another kind of check here.
Group: media-core-security
We should probably just remove the assertion from ByteReader.
(:kentuckyfriedtakahe, :k17e) from comment #3)
> We should probably just remove the assertion from ByteReader.

Looks like bug 1387793 took care of that.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: in-testsuite? → in-testsuite-
Resolution: --- → DUPLICATE
Duplicate of bug: 1387793
You need to log in before you can comment on or make changes to this bug.