Closed Bug 1351196 Opened 3 years ago Closed 3 years ago

Use of uninitialized memory in libavcodec-ffmpeg

Categories

(Core :: Audio/Video: Playback, defect, P1)

All
Linux
defect

Tracking

RESOLVED INVALID
Tracking Status
firefox55 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-moderate, testcase)

Attachments

(1 file)

Attached video test_case.mp4
Found using Valgrind with mozilla-central build:
20170328001342
https://hg.mozilla.org/mozilla-central/rev/5182b2c4b963ed87d038c7d9a4021463917076cd

https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-valgrind-opt

Conditional jump or move depends on uninitialised value(s)
   at 0x3D5FCC18: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
   by 0x3D5FCF58: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
   by 0x3D5FDE2F: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
   by 0x3D5FEC2A: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
   by 0x3D41CD61: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
   by 0x3D8AE0B5: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
   by 0x3D98B497: avcodec_open2 (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
   by 0x12418425: mozilla::FFmpegDataDecoder<55>::InitDecoder() (FFmpegDataDecoder.cpp:77)
   by 0x12419707: mozilla::FFmpegVideoDecoder<55>::Init() (FFmpegVideoDecoder.cpp:122)
   by 0x1240295B: mozilla::H264Converter::Init() (H264Converter.cpp:47)
   by 0x1234F4CE: mozilla::MediaFormatReader::DecoderFactory::Wrapper::Init() (MediaFormatReader.cpp:545)
   by 0x1237537A: mozilla::MediaFormatReader::DecoderFactory::DoInitDecoder(mozilla::MediaFormatReader::DecoderFactory::Data&) (MediaFormatReader.cpp:727)
 Uninitialised value was created by a heap allocation
   at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x405730: moz_xrealloc (mozalloc.cpp:105)
   by 0x11335EC4: Realloc (nsTArray.h:211)
   by 0x11335EC4: nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) (nsTArray-inl.h:183)
   by 0x124183D6: AppendElements<nsTArrayInfallibleAllocator> (nsTArray.h:1622)
   by 0x124183D6: mozilla::FFmpegDataDecoder<55>::InitDecoder() (FFmpegDataDecoder.cpp:67)
   by 0x12419707: mozilla::FFmpegVideoDecoder<55>::Init() (FFmpegVideoDecoder.cpp:122)
   by 0x1240295B: mozilla::H264Converter::Init() (H264Converter.cpp:47)
   by 0x1234F4CE: mozilla::MediaFormatReader::DecoderFactory::Wrapper::Init() (MediaFormatReader.cpp:545)
   by 0x1237537A: mozilla::MediaFormatReader::DecoderFactory::DoInitDecoder(mozilla::MediaFormatReader::DecoderFactory::Data&) (MediaFormatReader.cpp:727)
   by 0x1238331E: mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&) (MediaFormatReader.cpp:626)
   by 0x12384A9C: InvokeCallbackMethod<mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::<lambda(mozilla::MediaFormatReader::DecoderFactory::Token*)>, void (mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::<lambda(mozilla::MediaFormatReader::DecoderFactory::Token*)>::*)(mozilla::GlobalAllocPolicy::Token*) const, const RefPtr<mozilla::GlobalAllocPolicy::Token>&> (MozPromise.h:477)
   by 0x12384A9C: mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::FunctionThenValue<mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::{lambda(mozilla::GlobalAllocPolicy::Token*)#1}, mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::{lambda()#2}>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ResolveOrRejectValue const&) (MozPromise.h:628)
   by 0x123827C2: mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ResolveOrRejectValue const&) (MozPromise.h:433)
   by 0x123828DB: mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ThenValueBase::ResolveOrRejectRunnable::Run() (MozPromise.h:339)
Flags: in-testsuite?
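The trace places the uninitialised heap bytes in the buffer that AppendElements grows through realloc in FFmpegDataDecoder::InitDecoder, and the dependent branch inside avcodec_open2. As an added illustration that is not code from this bug, from Firefox or from FFmpeg, the snippet below models that shape in C: codec extradata copied into a buffer that is grown by a padding region, then read by a reader that fetches 32 bits at a time and so runs past the declared length; whether the new tail is zeroed before the library sees it is the assumed difference between the unsafe and hardened versions. PADDING_SIZE, the function names and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the codec library's required input padding. */
#define PADDING_SIZE 32

/* Copy src, then grow the buffer by PADDING_SIZE via realloc: the same
 * allocation shape as the trace. realloc leaves the new tail indeterminate. */
static uint8_t *grow_with_padding(const uint8_t *src, size_t len) {
    uint8_t *buf = malloc(len ? len : 1);
    if (!buf) return NULL;
    memcpy(buf, src, len);
    uint8_t *grown = realloc(buf, len + PADDING_SIZE);
    if (!grown) { free(buf); return NULL; }
    return grown;
}

/* Unsafe: hand the grown buffer to the codec as-is; buf[len..len+PADDING_SIZE)
 * was never written, so any read of it is a use of uninitialised memory. */
uint8_t *copy_extradata_unsafe(const uint8_t *src, size_t len) {
    return grow_with_padding(src, len);
}

/* Hardened: zero the padding before the codec library can read it. */
uint8_t *copy_extradata_safe(const uint8_t *src, size_t len) {
    uint8_t *buf = grow_with_padding(src, len);
    if (buf) memset(buf + len, 0, PADDING_SIZE);
    return buf;
}

/* Model of an optimised bitstream reader: it fetches a whole 32-bit word
 * starting at the last real byte, so three of the bytes come from the padding.
 * With the unsafe copy this value (and any branch on it) is indeterminate. */
uint32_t read_be32_at_tail(const uint8_t *buf, size_t len) {
    const uint8_t *p = buf + (len ? len - 1 : 0);
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Debug-build check: every padding byte handed to the codec must be zero. */
int padding_is_zeroed(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < PADDING_SIZE; i++)
        if (buf[len + i] != 0) return 0;
    return 1;
}
```

Running the unsafe path under Valgrind or MemorySanitizer reports the read in read_be32_at_tail the same way the trace above reports the read in avcodec_open2.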
Guessing sec-moderate, though if the conditions are right memory can be manipulated to force a useful value into the uninitialized slot.
Keywords: sec-moderate
Gerald, can you please take a look at this?
Flags: needinfo?(gsquelart)
I think Jean-Yves would be better able to deal with this.

(Jean-Yves, please reassign to me if you don't have time -- but I'm quite busy too at the moment!)
Flags: needinfo?(gsquelart) → needinfo?(jyavenard)
Can this be reproduced with latest ffmpeg?
Flags: needinfo?(jyavenard)
Can't reproduce with current ffmpeg
Flags: needinfo?(twsmith)
Priority: -- → P1
I cannot reproduce this with the latest FFmpeg
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → INVALID
Group: media-core-security