1413702 - UBSan: division by zero in [@ mp4_demuxer::Moof::Moof]

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: test_case.mp4

This was found with a Firefox build built with -fsanitize=float-divide-by-zero,integer-divide-by-zero

/mozilla-central/media/libstagefright/binding/MoofParser.cpp:450:46: runtime error: division by zero
    #0 mp4_demuxer::Moof::Moof(mp4_demuxer::Box&, mp4_demuxer::Trex&, mp4_demuxer::Mvhd&, mp4_demuxer::Mdhd&, mp4_demuxer::Edts&, mp4_demuxer::Sinf&, unsigned long*, bool) /mozilla-central/media/libstagefright/binding/MoofParser.cpp:450:46
    #1 mp4_demuxer::MoofParser::RebuildFragmentedIndex(mp4_demuxer::BoxContext&) /mozilla-central/media/libstagefright/binding/MoofParser.cpp:65:12
    #2 RebuildFragmentedIndex /mozilla-central/media/libstagefright/binding/MoofParser.cpp:35:10
    #3 mp4_demuxer::MoofParser::RebuildFragmentedIndex(mozilla::media::IntervalSet<long> const&, bool*) /mozilla-central/media/libstagefright/binding/MoofParser.cpp:51
    #4 mp4_demuxer::Index::UpdateMoofIndex(mozilla::media::IntervalSet<long> const&, bool) /mozilla-central/media/libstagefright/binding/Index.cpp:439:16
    #5 mozilla::MP4TrackDemuxer::EnsureUpToDateIndex() /mozilla-central/dom/media/fmp4/MP4Demuxer.cpp:400:11
    #6 mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MP4Demuxer*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mp4_demuxer::IndiceWrapper const&) /mozilla-central/dom/media/fmp4/MP4Demuxer.cpp:358:3
    #7 mozilla::MP4Demuxer::Init() /mozilla-central/dom/media/fmp4/MP4Demuxer.cpp:221:13
    #8 operator() /mozilla-central/dom/media/MediaFormatReader.cpp:1115:47
    #9 mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_10, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() /mozilla-central/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:1511
    #10 mozilla::TaskQueue::Runner::Run() /mozilla-central/xpcom/threads/TaskQueue.cpp:246:12
    #11 nsThreadPool::Run() /mozilla-central/xpcom/threads/nsThreadPool.cpp:228:14
    #12 non-virtual thunk to nsThreadPool::Run() /mozilla-central/xpcom/threads/nsThreadPool.cpp
    #13 nsThread::ProcessNextEvent(bool, bool*) /mozilla-central/xpcom/threads/nsThread.cpp:1037:14
    #14 NS_ProcessNextEvent(nsIThread*, bool) /mozilla-central/xpcom/threads/nsThreadUtils.cpp:513:10
    #15 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /mozilla-central/ipc/glue/MessagePump.cpp:334:20
    #16 RunInternal /mozilla-central/ipc/chromium/src/base/message_loop.cc:326:10
    #17 RunHandler /mozilla-central/ipc/chromium/src/base/message_loop.cc:319
    #18 MessageLoop::Run() /mozilla-central/ipc/chromium/src/base/message_loop.cc:299
    #19 nsThread::ThreadFunc(void*) /mozilla-central/xpcom/threads/nsThread.cpp:425:11
    #20 _pt_root /mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #21 start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #22 clone /build/glibc-CxtIbX/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Blake Wu [:bwu][:blakewu]]

Alfredo,
Per discussion, please take care of this bug.
Thanks!

Comment 2

[Alfredo Yang (:alfredo)]

Attachment: Bug 1413702 - avoid dividing by zero.

Review commit: https://reviewboard.mozilla.org/r/196582/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/196582/

Comment 3

[Matthew Gregan [:kinetik]]

Comment on attachment 8925462 [details]
Bug 1413702 - avoid dividing by zero.

https://reviewboard.mozilla.org/r/196582/#review202002

Comment 4

[Pulsebot]

Pushed by ayang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c2b1d6f40e47
avoid dividing by zero. r=kinetik

Comment 5

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/c2b1d6f40e47