Closed Bug 1359275 Opened 7 years ago Closed 7 years ago

index out of bounds [@ mp4parse_get_indice_table]

Categories: Core :: Audio/Video: Playback, defect, P1
Version: 54 Branch
Status: RESOLVED FIXED
Target Milestone: mozilla56

Tracking Status:
firefox-esr52 --- unaffected
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed

People: Reporter: tsmith, Assigned: ayang
References: Blocks 1 open bug
Details: Keywords: crash, csectype-dos, testcase; Whiteboard: [sg:dos]
Attachments: 2 files

Attached video test_case.mp4
I don't think this is a sec issue because of Rust, but I'll mark it because this is new to me. Feel free to open it or msg me.

thread '<unnamed>' panicked at 'index out of bounds: the len is 1 but the index is 16777216', /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcollections/vec.rs:1392
stack backtrace:
   1:     0x7eff3e2b500a - std::sys::imp::backtrace::tracing::imp::write::hf33ae72d0baa11ed
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
   2:     0x7eff3e2b442e - std::panicking::default_hook::{{closure}}::h59672b733cc6a455
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:351
   3:     0x7eff3e2b3ab5 - std::panicking::rust_panic_with_hook::hcf0ddb069e7beee7
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:367
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:555
   4:     0x7eff3e2b35af - std::panicking::begin_panic::hd6eb68e27bdf6140
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:517
   5:     0x7eff3e2b3559 - std::panicking::begin_panic_fmt::hfea5965948b877f8
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:501
   6:     0x7eff3e2be5e6 - core::panicking::panic_fmt::hc0f6d7b2c300cdd9
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:477
   7:     0x7eff3e2be2ec - core::panicking::panic_bounds_check::h02a4af86d01b3e96
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcore/panicking.rs:56
   8:     0x7eff3e21b0f8 - mp4parse_get_indice_table
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcollections/vec.rs:1392
                        at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:879
                        at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:693
   9:     0x7eff32cead71 - _ZN11mp4_demuxer15MP4MetadataRust15ReadTrackIndiceEP18mp4parse_byte_datai
                        at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:1137
  10:     0x7eff32ce89b4 - _ZN11mp4_demuxer11MP4Metadata14GetTrackIndiceEi
                        at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:576
  11:     0x7eff382c7ea3 - _ZN7mozilla10MP4Demuxer4InitEv
                        at /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:247
  12:     0x7eff37d22f66 - _ZN7mozilla6detail21ProxyFunctionRunnableIZNS_17MediaFormatReader12DemuxerProxy4InitEvE4$_10NS_10MozPromiseINS_11MediaResultES6_Lb1EEEE3RunEv
                        at /home/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1007
                        at /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1356
  13:     0x7eff32f1afa4 - _ZN7mozilla9TaskQueue6Runner3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:232
  14:     0x7eff32f4a043 - _ZN12nsThreadPool3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:225
  15:     0x7eff32f4a72c - _ZThn8_N12nsThreadPool3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:154
  16:     0x7eff32f425f0 - _ZN8nsThread16ProcessNextEventEbPb
                        at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270
  17:     0x7eff32f3f038 - _Z19NS_ProcessNextEventP9nsIThreadb
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389
  18:     0x7eff33d08d20 - _ZN7mozilla3ipc28MessagePumpForNonMainThreads3RunEPN4base11MessagePump8DelegateE
                        at /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:338
  19:     0x7eff33c6e350 - _ZN11MessageLoop3RunEv
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
  20:     0x7eff32f3ba1f - _ZN8nsThread10ThreadFuncEPv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:501
  21:     0x7eff4bdc6c93 - _pt_root
                        at /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
  22:     0x7eff4f3bd6b9 - start_thread
  23:     0x7eff4e44682c - clone
  24:                0x0 - <unknown>
Flags: in-testsuite?
Group: media-core-security
Keywords: csectype-dos
Whiteboard: [sg:dos]
poke. Any updates here? I see this quite frequently while fuzzing.
Flags: needinfo?(gsquelart)
Flags: needinfo?(ayang)
Rust -> Alfredo :-)
Flags: needinfo?(gsquelart)
Assignee: nobody → ayang
Flags: needinfo?(ayang)
<SampleToChunkBox EntryCount="1">
  <BoxInfo Size="28" Type="stsc"/>
  <FullBoxInfo Version="0" Flags="0x0"/>
  <SampleToChunkEntry FirstChunk="16777217" SamplesPerChunk="17" SampleDescriptionIndex="1"/>

FirstChunk is out of bounds.
Crash Signature: [@ alloc::oom::default_oom_handler | mp4parse_capi::mp4parse_get_indice_table]
Comment on attachment 8890655 [details]
Bug 1359275 - use get() or get_mut() to avoid out of vector boundary.

https://reviewboard.mozilla.org/r/161820/#review167164
Attachment #8890655 - Flags: review?(kinetik) → review+
Pushed by ayang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bc2f0aac349f
use get() or get_mut() to avoid out of vector boundary. r=kinetik
https://hg.mozilla.org/mozilla-central/rev/bc2f0aac349f
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
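The malformed stsc entry from comment 4 and the get()/get_mut() fix, as an added example that is not mp4parse-rust's own code: a simplified model of building a per-chunk sample-count table from stsc runs, with the direct-indexing form beside the bounds-checked one. The type names, the FUZZED_STSC fixture and the error type are constructed for this illustration.

```rust
// Added example, not mp4parse-rust's own code: a simplified model of turning
// stsc (SampleToChunk) entries into a per-chunk sample-count table, first with
// direct indexing (the pattern that panics on the attached test case) and then
// with get()/get_mut(), so a bad FirstChunk becomes an Err instead of a panic.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum IndiceError {
    /// A 1-based stsc FirstChunk that does not fit the chunk-offset table.
    ChunkOutOfRange { first_chunk: u32, chunk_count: usize },
}

#[derive(Debug, Clone, Copy)]
pub struct SampleToChunk {
    pub first_chunk: u32, // 1-based, as written in the stsc box
    pub samples_per_chunk: u32,
}

/// Constructed from the attached test case: one chunk in stco, one stsc entry
/// whose FirstChunk (16777217) points far past it.
pub const FUZZED_STSC: [SampleToChunk; 1] =
    [SampleToChunk { first_chunk: 16_777_217, samples_per_chunk: 17 }];

/// Each stsc entry marks where a run starts; forward-fill gives every chunk its value.
fn fill_runs(marks: Vec<Option<u32>>) -> Vec<u32> {
    let mut last = 0;
    marks.into_iter().map(|m| { if let Some(n) = m { last = n; } last }).collect()
}

/// Unchecked: `marks[idx]` panics with "index out of bounds: the len is 1 but
/// the index is 16777216" on FUZZED_STSC; in Gecko that takes the media thread down.
pub fn chunk_sample_counts_unchecked(stsc: &[SampleToChunk], chunk_count: usize) -> Vec<u32> {
    let mut marks: Vec<Option<u32>> = vec![None; chunk_count];
    for e in stsc {
        marks[(e.first_chunk - 1) as usize] = Some(e.samples_per_chunk);
    }
    fill_runs(marks)
}

/// Checked: get_mut() yields None for any index past the table, and
/// checked_sub rejects FirstChunk == 0, so the caller gets an Err to handle.
pub fn chunk_sample_counts(stsc: &[SampleToChunk], chunk_count: usize) -> Result<Vec<u32>, IndiceError> {
    let mut marks: Vec<Option<u32>> = vec![None; chunk_count];
    for e in stsc {
        let err = IndiceError::ChunkOutOfRange { first_chunk: e.first_chunk, chunk_count };
        let idx = e.first_chunk.checked_sub(1).ok_or(err)? as usize;
        *marks.get_mut(idx).ok_or(err)? = Some(e.samples_per_chunk);
    }
    Ok(fill_runs(marks))
}
```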
Too late for 55 (we're building the RC on Monday). Alfredo, can we land the testcase?
Blocks: 1340980
Flags: needinfo?(ayang)
Version: Trunk → 54 Branch
(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
> Too late for 55 (we're building the RC on Monday). Alfredo, can we land the
> testcase?

It has already been added as a travis-ci test in https://github.com/mozilla/mp4parse-rust/blob/master/mp4parse_capi/tests/test_chunk_out_of_range.rs. Or do you want to land another one in m-c?
Flags: needinfo?(ayang)
Upstream is fine assuming that you're not worried about a Gecko change ever breaking the testcase.
Flags: in-testsuite? → in-testsuite+