Closed Bug 1535980 Opened 5 years ago Closed 2 years ago

src/dom/media/webm/WebMDemuxer.cpp:392:28: runtime error: -8.27704e+259 is outside the range of representable values of type 'unsigned int'

Categories

(Core :: Audio/Video: Playback, defect, P2)

RESOLVED FIXED
107 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox67 --- wontfix
firefox98 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox107 --- fixed

People

(Reporter: tsmith, Assigned: az)

References

(Blocks 3 open bugs)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(3 files)

Found in m-c commit 8ae5bb51b141

This was built with undefined behavior sanitizer checks enabled via mozconfig.
ac_add_options --enable-undefined-sanitizer="enum"

mozilla-central/dom/media/webm/WebMDemuxer.cpp:393:28: runtime error: -8.27704e+259 is outside the range of representable values of type 'unsigned int'
    #0 0x7f595f0e0a85 in mozilla::WebMDemuxer::ReadMetadata() mozilla-central/dom/media/webm/WebMDemuxer.cpp:393:28
    #1 0x7f595f0dea48 in mozilla::WebMDemuxer::Init() mozilla-central/dom/media/webm/WebMDemuxer.cpp:181:7
    #2 0x7f595e90c553 in mozilla::MediaFormatReader::DemuxerProxy::Init()::$_15::operator()() const mozilla-central/dom/media/MediaFormatReader.cpp:898:47
    #3 0x7f595e90c0d5 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_15, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() mozilla-central/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:1419:29
    #4 0x7f5958a700a5 in mozilla::TaskQueue::Runner::Run() mozilla-central/xpcom/threads/TaskQueue.cpp:199:12
    #5 0x7f5958aac20e in nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp:241:14
    #6 0x7f5958aac79c in non-virtual thunk to nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp
    #7 0x7f5958aa49c8 in nsThread::ProcessNextEvent(bool, bool*) mozilla-central/xpcom/threads/nsThread.cpp:1179:14
    #8 0x7f5958aa9456 in NS_ProcessNextEvent(nsIThread*, bool) mozilla-central/xpcom/threads/nsThreadUtils.cpp:482:10
    #9 0x7f5959c25a73 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) mozilla-central/ipc/glue/MessagePump.cpp:303:20
    #10 0x7f5959ac0da4 in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:290:3
    #11 0x7f5958a9ff8d in nsThread::ThreadFunc(void*) mozilla-central/xpcom/threads/nsThread.cpp:454:11
    #12 0x7f597d08ed38 in _pt_root mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:201:5
Flags: in-testsuite?

Is there a test-case for this?

Prioritizing like bug 1532858.

Rank: 15
Flags: needinfo?(twsmith)
Priority: -- → P2
Attached video testcase.webm

I guess I forgot to attach it after unpacking it, sorry about that.

Flags: needinfo?(twsmith)

This is also caught by the float-cast-overflow UBSan check.

To enable this check add the following to your mozconfig:

ac_add_options --enable-undefined-sanitizer="float-cast-overflow"
Summary: UBSan: value outside the range of representable values in [@ mozilla::WebMDemuxer::ReadMetadata] → src/dom/media/webm/WebMDemuxer.cpp:392:28: runtime error: -8.27704e+259 is outside the range of representable values of type 'unsigned int'

A Pernosco session is available here: https://pernos.co/debug/DwiNny1wgIwYx-SqmOoePg/index.html

This issue is currently triggered while fuzzing with the 'float-cast-overflow' UBSan check enabled. This issue will need to be addressed before the check can be enabled by default.

If it requires too much effort to fix immediately please ni? me and let me know. If necessary it will be added to a suppression list. Thank you :)

Flags: needinfo?(jmathies)
Blocks: media-triage
Flags: needinfo?(jmathies)
Flags: needinfo?(azebrowski)
No longer blocks: media-triage
Assignee: nobody → azebrowski
Status: NEW → ASSIGNED

Depends on D154176

Attachment #9295019 - Attachment description: WIP: Bug 1535980 - Add crashtest for webm demuxer audio rate sanity check → Bug 1535980 - Add crashtest for webm demuxer audio rate sanity check
Pushed by azebrowski@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4c8dfff616b0
Ensure that the audio rate read by WebMDemuxer is correctly compared against the maximum allowable rate during metadata sanity checking to avoid out of range errors that could be produced by malformed media files. r=tsmith,media-playback-reviewers,alwu
https://hg.mozilla.org/integration/autoland/rev/2389cfd09084
Add crashtest for webm demuxer audio rate sanity check r=alwu
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Flags: needinfo?(azebrowski)
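
An added example, not part of the bug thread and not the Firefox patch: it shows why a floating-point rate read from an untrusted file has to be range-checked while it is still a double, which is the class of error the float-cast-overflow check reports above. The limit kMaxRate, all function names and the sample byte strings are assumptions made for this illustration.

```cpp
// Added illustration, not Firefox source. kMaxRate and all names are assumptions.
#include <cmath>
#include <cstdint>
#include <cstring>

constexpr uint32_t kMaxRate = 768000;  // assumed upper bound for this example

// Decode 8 big-endian bytes as an IEEE-754 double, the way a parser might
// read a floating-point metadata field from an untrusted file.
double DecodeBE64(const uint8_t b[8]) {
  uint64_t bits = 0;
  for (int i = 0; i < 8; ++i) bits = (bits << 8) | b[i];
  static_assert(sizeof(double) == sizeof(bits), "expects 64-bit double");
  double d;
  std::memcpy(&d, &bits, sizeof d);
  return d;
}

// Convert-then-check: the cast is undefined behavior for NaN or for values
// outside [0, 2^32), so the comparison that follows proves nothing.
// Shown for contrast; never called in this example.
bool UncheckedRate(double rate, uint32_t* out) {
  *out = static_cast<uint32_t>(rate);
  return *out > 0 && *out <= kMaxRate;
}

// Check-then-convert: validate while the value is still a double.
// The negated comparison also rejects NaN, which compares false to everything.
bool CheckedRate(double rate, uint32_t* out) {
  if (!(rate >= 1.0 && rate <= static_cast<double>(kMaxRate))) return false;
  *out = static_cast<uint32_t>(rate);  // in range, so truncation is defined
  return true;
}

// Constructed sample fields (not taken from the bug's testcase.webm).
const uint8_t kHugeNegative[8] = {0xF5, 0xE0, 0, 0, 0, 0, 0, 0};  // -2^863
const uint8_t kNaN[8] = {0x7F, 0xF8, 0, 0, 0, 0, 0, 0};
const uint8_t k48000[8] = {0x40, 0xE7, 0x70, 0, 0, 0, 0, 0};

// Decode a field and return the accepted rate, or 0 if it was rejected.
uint32_t RateFromField(const uint8_t field[8]) {
  uint32_t rate = 0;
  return CheckedRate(DecodeBE64(field), &rate) ? rate : 0;
}
```

Building a harness around RateFromField with -fsanitize=float-cast-overflow should stay silent for all three fields, while routing the same inputs through UncheckedRate would reproduce the class of report shown in this bug.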