1359275 - index out of bounds [@ mp4parse_get_indice_table]

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect, P1)

Description

[Tyson Smith [:tsmith]]

Attachment: test_case.mp4

I don't think this is a sec issue because of rust but I'll mark it because this is new to me. Feel free to open it or msg me.

thread '<unnamed>' panicked at 'index out of bounds: the len is 1 but the index is 16777216', /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcollections/vec.rs:1392
stack backtrace:
   1:     0x7eff3e2b500a - std::sys::imp::backtrace::tracing::imp::write::hf33ae72d0baa11ed
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
   2:     0x7eff3e2b442e - std::panicking::default_hook::{{closure}}::h59672b733cc6a455
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:351
   3:     0x7eff3e2b3ab5 - std::panicking::rust_panic_with_hook::hcf0ddb069e7beee7
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:367
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:555
   4:     0x7eff3e2b35af - std::panicking::begin_panic::hd6eb68e27bdf6140
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:517
   5:     0x7eff3e2b3559 - std::panicking::begin_panic_fmt::hfea5965948b877f8
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:501
   6:     0x7eff3e2be5e6 - core::panicking::panic_fmt::hc0f6d7b2c300cdd9
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:477
   7:     0x7eff3e2be2ec - core::panicking::panic_bounds_check::h02a4af86d01b3e96
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcore/panicking.rs:56
   8:     0x7eff3e21b0f8 - mp4parse_get_indice_table
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcollections/vec.rs:1392
                        at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:879
                        at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:693
   9:     0x7eff32cead71 - _ZN11mp4_demuxer15MP4MetadataRust15ReadTrackIndiceEP18mp4parse_byte_datai
                        at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:1137
  10:     0x7eff32ce89b4 - _ZN11mp4_demuxer11MP4Metadata14GetTrackIndiceEi
                        at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:576
  11:     0x7eff382c7ea3 - _ZN7mozilla10MP4Demuxer4InitEv
                        at /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:247
  12:     0x7eff37d22f66 - _ZN7mozilla6detail21ProxyFunctionRunnableIZNS_17MediaFormatReader12DemuxerProxy4InitEvE4$_10NS_10MozPromiseINS_11MediaResultES6_Lb1EEEE3RunEv
                        at /home/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1007
                        at /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1356
  13:     0x7eff32f1afa4 - _ZN7mozilla9TaskQueue6Runner3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:232
  14:     0x7eff32f4a043 - _ZN12nsThreadPool3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:225
  15:     0x7eff32f4a72c - _ZThn8_N12nsThreadPool3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:154
  16:     0x7eff32f425f0 - _ZN8nsThread16ProcessNextEventEbPb
                        at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270
  17:     0x7eff32f3f038 - _Z19NS_ProcessNextEventP9nsIThreadb
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389
  18:     0x7eff33d08d20 - _ZN7mozilla3ipc28MessagePumpForNonMainThreads3RunEPN4base11MessagePump8DelegateE
                        at /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:338
  19:     0x7eff33c6e350 - _ZN11MessageLoop3RunEv
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
  20:     0x7eff32f3ba1f - _ZN8nsThread10ThreadFuncEPv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:501
  21:     0x7eff4bdc6c93 - _pt_root
                        at /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
  22:     0x7eff4f3bd6b9 - start_thread
  23:     0x7eff4e44682c - clone
  24:                0x0 - <unknown>

Comment 1

[Tyson Smith [:tsmith]]

poke. Any updates here? I see this quite frequently while fuzzing.

Comment 2

[Gerald Squelart (he/him) (not at Mozilla since 2022-09-15)]

Rust -> Alfredo :-)

Comment 3

[Alfredo Yang (:alfredo)]

<SampleToChunkBox EntryCount="1">
  <BoxInfo Size="28" Type="stsc"/>
  <FullBoxInfo Version="0" Flags="0x0"/>
  <SampleToChunkEntry FirstChunk="16777217" SamplesPerChunk="17" SampleDescriptionIndex="1"/>

FirstChunk is out of boundary.

Comment 4

[Alfredo Yang (:alfredo)]

https://github.com/mozilla/mp4parse-rust/pull/107

Comment 6

[Alfredo Yang (:alfredo)]

Attachment: Bug 1359275 - use get() or get_mut()to avoid out of vector boundary.

Review commit: https://reviewboard.mozilla.org/r/161820/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/161820/

Comment 7

[Matthew Gregan [:kinetik]]

Comment on attachment 8890655 [details]
Bug 1359275 - use get() or get_mut()to avoid out of vector boundary.

https://reviewboard.mozilla.org/r/161820/#review167164

Comment 8

[Pulsebot]

Pushed by ayang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bc2f0aac349f
use get() or get_mut()to avoid out of vector boundary. r=kinetik

Comment 9

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/bc2f0aac349f

Comment 10

[Ryan VanderMeulen [:RyanVM]]

Too late for 55 (we're building the RC on Monday). Alfredo, can we land the testcase?

Comment 11

[Alfredo Yang (:alfredo)]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
> Too late for 55 (we're building the RC on Monday). Alfredo, can we land the
> testcase?

It already added into travis-ci test in https://github.com/mozilla/mp4parse-rust/blob/master/mp4parse_capi/tests/test_chunk_out_of_range.rs. Or do you want to land another one in m-c?

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Upstream is fine assuming that you're not worried about a Gecko change ever breaking the testcase.