index out of bounds [@ mp4parse_get_indice_table]

RESOLVED FIXED in Firefox 56

Status

Core
Audio/Video: Playback
P1
critical
RESOLVED FIXED
a year ago
10 months ago

People

(Reporter: tsmith, Assigned: alfredo)

Tracking

(Blocks: 1 bug, {crash, csectype-dos, testcase})

54 Branch
mozilla56
crash, csectype-dos, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox54 wontfix, firefox55 wontfix, firefox56 fixed)

Details

(Whiteboard: [sg:dos], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

a year ago
Created attachment 8861259 [details]
test_case.mp4

I don't think this is a sec issue because of rust but I'll mark it because this is new to me. Feel free to open it or msg me.

thread '<unnamed>' panicked at 'index out of bounds: the len is 1 but the index is 16777216', /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcollections/vec.rs:1392
stack backtrace:
   1:     0x7eff3e2b500a - std::sys::imp::backtrace::tracing::imp::write::hf33ae72d0baa11ed
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
   2:     0x7eff3e2b442e - std::panicking::default_hook::{{closure}}::h59672b733cc6a455
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:351
   3:     0x7eff3e2b3ab5 - std::panicking::rust_panic_with_hook::hcf0ddb069e7beee7
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:367
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:555
   4:     0x7eff3e2b35af - std::panicking::begin_panic::hd6eb68e27bdf6140
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:517
   5:     0x7eff3e2b3559 - std::panicking::begin_panic_fmt::hfea5965948b877f8
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:501
   6:     0x7eff3e2be5e6 - core::panicking::panic_fmt::hc0f6d7b2c300cdd9
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libstd/panicking.rs:477
   7:     0x7eff3e2be2ec - core::panicking::panic_bounds_check::h02a4af86d01b3e96
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcore/panicking.rs:56
   8:     0x7eff3e21b0f8 - mp4parse_get_indice_table
                        at /buildslave/rust-buildbot/slave/stable-dist-rustc-linux/build/src/libcollections/vec.rs:1392
                        at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:879
                        at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:693
   9:     0x7eff32cead71 - _ZN11mp4_demuxer15MP4MetadataRust15ReadTrackIndiceEP18mp4parse_byte_datai
                        at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:1137
  10:     0x7eff32ce89b4 - _ZN11mp4_demuxer11MP4Metadata14GetTrackIndiceEi
                        at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:576
  11:     0x7eff382c7ea3 - _ZN7mozilla10MP4Demuxer4InitEv
                        at /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:247
  12:     0x7eff37d22f66 - _ZN7mozilla6detail21ProxyFunctionRunnableIZNS_17MediaFormatReader12DemuxerProxy4InitEvE4$_10NS_10MozPromiseINS_11MediaResultES6_Lb1EEEE3RunEv
                        at /home/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1007
                        at /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1356
  13:     0x7eff32f1afa4 - _ZN7mozilla9TaskQueue6Runner3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:232
  14:     0x7eff32f4a043 - _ZN12nsThreadPool3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:225
  15:     0x7eff32f4a72c - _ZThn8_N12nsThreadPool3RunEv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:154
  16:     0x7eff32f425f0 - _ZN8nsThread16ProcessNextEventEbPb
                        at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270
  17:     0x7eff32f3f038 - _Z19NS_ProcessNextEventP9nsIThreadb
                        at /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389
  18:     0x7eff33d08d20 - _ZN7mozilla3ipc28MessagePumpForNonMainThreads3RunEPN4base11MessagePump8DelegateE
                        at /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:338
  19:     0x7eff33c6e350 - _ZN11MessageLoop3RunEv
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
                        at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
  20:     0x7eff32f3ba1f - _ZN8nsThread10ThreadFuncEPv
                        at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:501
  21:     0x7eff4bdc6c93 - _pt_root
                        at /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
  22:     0x7eff4f3bd6b9 - start_thread
  23:     0x7eff4e44682c - clone
  24:                0x0 - <unknown>
Flags: in-testsuite?
status-firefox55: --- → affected
status-firefox57: affected → ---
Group: media-core-security
Keywords: csectype-dos
Whiteboard: [sg:dos]
Priority: -- → P1
(Reporter)

Comment 1

11 months ago
poke. Any updates here? I see this quite frequently while fuzzing.
Flags: needinfo?(gsquelart)
Flags: needinfo?(ayang)
Rust -> Alfredo :-)
Flags: needinfo?(gsquelart)
(Assignee)

Updated

11 months ago
Assignee: nobody → ayang
Flags: needinfo?(ayang)
(Assignee)

Comment 3

10 months ago
<SampleToChunkBox EntryCount="1">
  <BoxInfo Size="28" Type="stsc"/>
  <FullBoxInfo Version="0" Flags="0x0"/>
  <SampleToChunkEntry FirstChunk="16777217" SamplesPerChunk="17" SampleDescriptionIndex="1"/>

FirstChunk is out of bounds.
(Assignee)

Updated

10 months ago
Duplicate of this bug: 1383781
Crash Signature: [@ alloc::oom::default_oom_handler | mp4parse_capi::mp4parse_get_indice_table]

Comment 7

10 months ago
mozreview-review
Comment on attachment 8890655 [details]
Bug 1359275 - use get() or get_mut() to avoid out of vector boundary.

https://reviewboard.mozilla.org/r/161820/#review167164
Attachment #8890655 - Flags: review?(kinetik) → review+

Comment 8

10 months ago
Pushed by ayang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bc2f0aac349f
use get() or get_mut() to avoid out of vector boundary. r=kinetik
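As an added illustration (not code from mp4parse-rust or this bug's patch), the pattern comment 3 diagnoses and the landed fix replaces, in a hypothetical model of the stsc lookup: direct `vec[i]` indexing with a file-supplied FirstChunk beside the `get()`-based lookup that returns an error instead of panicking. Struct and function names are assumed, and the sample input is constructed from the values in comment 3.

```rust
// Added example, not mp4parse-rust's own code: a hypothetical model of the
// stsc lookup this bug describes, where a 1-based FirstChunk read from the file
// was used as an index into a per-track chunk table of length 1.

#[derive(Debug, Clone, PartialEq)]
pub struct SampleToChunk {
    pub first_chunk: u32, // 1-based, as stored in the stsc box
    pub samples_per_chunk: u32,
    pub sample_description_index: u32,
}

/// Per-chunk byte offsets (in a real parser, from the stco/co64 box).
pub type ChunkOffsets = Vec<u64>;

/// The crashing pattern: `vec[i]` panics when `i` is past the end, and
/// FirstChunk comes straight from untrusted file contents.
pub fn chunk_offset_unchecked(chunks: &ChunkOffsets, entry: &SampleToChunk) -> u64 {
    let idx = (entry.first_chunk - 1) as usize;
    chunks[idx] // "index out of bounds: the len is 1 but the index is 16777216"
}

/// Hardened form, following the fix's approach of using get()/get_mut():
/// a bad index becomes an Err the caller can turn into a parse failure.
pub fn chunk_offset_checked(chunks: &ChunkOffsets, entry: &SampleToChunk) -> Result<u64, String> {
    let idx = entry
        .first_chunk
        .checked_sub(1)
        .ok_or_else(|| "stsc FirstChunk must be >= 1".to_string())? as usize;
    chunks.get(idx).copied().ok_or_else(|| {
        format!("stsc FirstChunk {} exceeds chunk count {}", entry.first_chunk, chunks.len())
    })
}

/// Constructed input mirroring comment 3's dump: one chunk, FirstChunk 16777217.
pub fn crashing_input() -> (ChunkOffsets, SampleToChunk) {
    let chunks = vec![48]; // single chunk offset; the value itself is constructed
    let entry = SampleToChunk { first_chunk: 16_777_217, samples_per_chunk: 17, sample_description_index: 1 };
    (chunks, entry)
}

fn main() {
    let (chunks, entry) = crashing_input();
    // The checked lookup reports the malformed entry instead of aborting the demuxer thread.
    match chunk_offset_checked(&chunks, &entry) {
        Ok(off) => println!("chunk offset {}", off),
        Err(e) => println!("rejected: {}", e),
    }
    // chunk_offset_unchecked(&chunks, &entry) would panic with the message from the report.
}
```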

Comment 9

10 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/bc2f0aac349f
Status: NEW → RESOLVED
Last Resolved: 10 months ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Too late for 55 (we're building the RC on Monday). Alfredo, can we land the testcase?
Blocks: 1340980
status-firefox54: --- → wontfix
status-firefox55: affected → wontfix
status-firefox-esr52: --- → unaffected
Flags: needinfo?(ayang)
Version: Trunk → 54 Branch
(Assignee)

Comment 11

10 months ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
> Too late for 55 (we're building the RC on Monday). Alfredo, can we land the
> testcase?

It was already added to the travis-ci tests in https://github.com/mozilla/mp4parse-rust/blob/master/mp4parse_capi/tests/test_chunk_out_of_range.rs. Or do you want to land another one in m-c?
Flags: needinfo?(ayang)
Upstream is fine assuming that you're not worried about a Gecko change ever breaking the testcase.
Flags: in-testsuite? → in-testsuite+