1387739 - slice index starts after end in [@ mp4parse::find_descriptor]

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect, P1)

Description

[Tyson Smith [:tsmith] (PTO)]

Attachment: test_case.mp4

Load the attached test case. It takes about 10 seconds to crash.

thread '<unnamed>' panicked at 'slice index starts at 5 but ends at 0', /checkout/src/libcore/slice/mod.rs:741
stack backtrace:
   0:     0x7f28e2592f53 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hcab99e0793da62c7
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x7f28e258ff19 - std::panicking::default_hook::{{closure}}::h9ba2c6973907a2be
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   2:     0x7f28e258f340 - std::panicking::default_hook::he4d55e2dd21c3cca
                               at /checkout/src/libstd/panicking.rs:371
   3:     0x7f28e258ee65 - std::panicking::rust_panic_with_hook::ha138c05cd33ad44d
                               at /checkout/src/libstd/panicking.rs:549
   4:     0x7f28e258ed7f - std::panicking::begin_panic::hcdbfa35c94142fa2
                               at /checkout/src/libstd/panicking.rs:511
   5:     0x7f28e258ece9 - std::panicking::begin_panic_fmt::hc09fe500d9b7be81
                               at /checkout/src/libstd/panicking.rs:495
   6:     0x7f28e259cb16 - core::panicking::panic_fmt::h883a028e9f4b4457
                               at /checkout/src/libstd/panicking.rs:471
   7:     0x7f28e25a0e53 - core::slice::slice_index_order_fail::hc540f9fb2d51da1d
                               at /checkout/src/libcore/slice/mod.rs:741
   8:     0x7f28e255dadd - mp4parse::find_descriptor::h9c831d9fe538b1c5
                               at /checkout/src/libcore/slice/mod.rs:864
                               at /checkout/src/libcore/slice/mod.rs:717
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:1351
   9:     0x7f28e255c406 - mp4parse::find_descriptor::h9c831d9fe538b1c5
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:1511
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:1355
  10:     0x7f28e2084086 - mp4parse::read_stsd::h9e777bb1a28d4868
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:1524
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:1828
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:1897
  11:     0x7f28e207b7bd - mp4parse::read_minf::h62d5c602e83f3429
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:882
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:869
  12:     0x7f28e20747a3 - mp4parse::read_moov::h4567d7d218d52d38
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:857
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:783
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:686
  13:     0x7f28e2072a97 - mp4parse_read
                               at src/media/libstagefright/binding/mp4parse/src/lib.rs:641
                               at src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:322
  14:     0x7f28d58591c5 - _ZN11mp4_demuxer15MP4MetadataRust4InitEv
                               at src/media/libstagefright/binding/MP4Metadata.cpp:766
  15:     0x7f28d5858f3d - _ZN11mp4_demuxer11MP4MetadataC1EPNS_6StreamE
                               at src/media/libstagefright/binding/MP4Metadata.cpp:248
  16:     0x7f28db2bd6d0 - _ZN7mozilla10MP4Demuxer4InitEv
                               at src/dom/media/fmp4/MP4Demuxer.cpp:149
  17:     0x7f28dac64534 - _ZN7mozilla6detail21ProxyFunctionRunnableIZNS_17MediaFormatReader12DemuxerProxy4InitEvE4$_10NS_10MozPromiseINS_11MediaResultES6_Lb1EEEE3RunEv
                               at src/dom/media/MediaFormatReader.cpp:1027
                               at src/obj-firefox/dist/include/mozilla/MozPromise.h:1510
  18:     0x7f28d5ab00a4 - _ZN7mozilla9TaskQueue6Runner3RunEv
                               at src/xpcom/threads/TaskQueue.cpp:246
  19:     0x7f28d5ae1de8 - _ZN12nsThreadPool3RunEv
                               at src/xpcom/threads/nsThreadPool.cpp:225
  20:     0x7f28d5ae252c - _ZThn16_N12nsThreadPool3RunEv
                               at src/xpcom/threads/nsThreadPool.cpp:154
  21:     0x7f28d5ad82ee - _ZN8nsThread16ProcessNextEventEbPb
                               at src/xpcom/threads/nsThread.cpp:1446
  22:     0x7f28d5ade488 - _Z19NS_ProcessNextEventP9nsIThreadb
                               at src/xpcom/threads/nsThreadUtils.cpp:480
  23:     0x7f28d68e77f0 - _ZN7mozilla3ipc28MessagePumpForNonMainThreads3RunEPN4base11MessagePump8DelegateE
                               at src/ipc/glue/MessagePump.cpp:339
  24:     0x7f28d6848a8b - _ZN11MessageLoop3RunEv
                               at src/ipc/chromium/src/base/message_loop.cc:326
                               at src/ipc/chromium/src/base/message_loop.cc:319
                               at src/ipc/chromium/src/base/message_loop.cc:299
  25:     0x7f28d5acfe8d - _ZN8nsThread10ThreadFuncEPv
                               at src/xpcom/threads/nsThread.cpp:506
  26:     0x7f28f0ac1453 - _pt_root
                               at src/nsprpub/pr/src/pthreads/ptthread.c:216
  27:     0x7f28f40ba6b9 - start_thread
  28:     0x7f28f31433dc - clone
  29:                0x0 - <unknown>

Comment 1

[Alfredo Yang (:alfredo)]

It's ok at latest nightly build, but it's good to check the boundary anyway.

Comment 2

[Tyson Smith [:tsmith] (PTO)]

Attachment: test_case.mp4

Here is a test case that still reproduces the issue. I am seeing it frequently while fuzzing.

Comment 3

[Alfredo Yang (:alfredo)]

https://github.com/mozilla/mp4parse-rust/pull/110

Comment 4

[Alfredo Yang (:alfredo)]

Attachment: Bug 1387739 - update mp4 rust parser for slice boundary checking.

Review commit: https://reviewboard.mozilla.org/r/171408/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/171408/

Comment 5

[Matthew Gregan [:kinetik]]

Comment on attachment 8900068 [details]
Bug 1387739 - update mp4 rust parser for slice boundary checking.

https://reviewboard.mozilla.org/r/171408/#review176598

Comment 6

[Pulsebot]

Pushed by ayang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/637c37f4362c
update mp4 rust parser for slice boundary checking. r=kinetik

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/637c37f4362c

Comment 8

[Ryan VanderMeulen [:RyanVM]]

Is there a user impact here that justifies Beta backport consideration or can it ride the 57 train?

Comment 9

[Alfredo Yang (:alfredo)]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> Is there a user impact here that justifies Beta backport consideration or
> can it ride the 57 train?

It's an invalid content so it's good to ride the 57 train.