Open Bug 1536243 Opened 5 years ago Updated 2 years ago

Conditional jump or move depends on uninitialized values created by mozilla::FFmpegDataDecoder<57>::InitDecoder

Categories

(Core :: Audio/Video: Playback, defect, P4)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox67 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-low, testcase)

Attachments

(1 file)

testcase.mp4
2.37 KB, video/mp4
Details
Attached video testcase.mp4 
==76355== Thread 55 MediaPD~oder #1:
==76355== Conditional jump or move depends on uninitialised value(s)
==76355==    at 0x2D87F9D8: ff_h2645_extract_rbsp (h2645_parse.c:56)
==76355==    by 0x2D87FEA3: ff_h2645_packet_split (h2645_parse.c:329)
==76355==    by 0x2D8BCBAE: decode_extradata_ps (h264_parse.c:358)
==76355==    by 0x2D8BE37F: ff_h264_decode_extradata (h264_parse.c:399)
==76355==    by 0x2D63DCCE: h264_decode_init (h264dec.c:416)
==76355==    by 0x2DC45A15: avcodec_open2 (utils.c:1023)
==76355==    by 0x11C975C4: mozilla::FFmpegDataDecoder<57>::InitDecoder() (FFmpegDataDecoder.cpp:99)
==76355==    by 0x11C99B81: mozilla::FFmpegVideoDecoder<57>::Init() (FFmpegVideoDecoder.cpp:141)
==76355==    by 0x11C67E75: mozilla::detail::ProxyFunctionRunnable<mozilla::MediaChangeMonitor::Init()::$_0, mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true> >::Run() (MediaChangeMonitor.cpp:235)
==76355==    by 0xFD43DB3: mozilla::TaskQueue::Runner::Run() (TaskQueue.cpp:199)
==76355==    by 0xFD54423: nsThreadPool::Run() (nsThreadPool.cpp:241)
==76355==    by 0xFD5456C: non-virtual thunk to nsThreadPool::Run() (nsThreadPool.cpp:0)
==76355==  Uninitialised value was created by a heap allocation
==76355==    at 0x4C32373: memalign (vg_replace_malloc.c:908)
==76355==    by 0x4C32476: posix_memalign (vg_replace_malloc.c:1072)
==76355==    by 0x2EF27762: av_malloc (in /usr/lib/x86_64-linux-gnu/libavutil.so.55.78.100)
==76355==    by 0x11C9750A: mozilla::FFmpegDataDecoder<57>::InitDecoder() (FFmpegDataDecoder.cpp:82)
==76355==    by 0x11C99B81: mozilla::FFmpegVideoDecoder<57>::Init() (FFmpegVideoDecoder.cpp:141)
==76355==    by 0x11C67E75: mozilla::detail::ProxyFunctionRunnable<mozilla::MediaChangeMonitor::Init()::$_0, mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true> >::Run() (MediaChangeMonitor.cpp:235)
==76355==    by 0xFD43DB3: mozilla::TaskQueue::Runner::Run() (TaskQueue.cpp:199)
==76355==    by 0xFD54423: nsThreadPool::Run() (nsThreadPool.cpp:241)
==76355==    by 0xFD5456C: non-virtual thunk to nsThreadPool::Run() (nsThreadPool.cpp:0)
==76355==    by 0xFD50D47: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:1179)
==76355==    by 0xFD52EA7: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:482)
==76355==    by 0x101E464C: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (MessagePump.cpp:333)
Flags: in-testsuite?
Group: media-core-security
Keywords: sec-low

Nils, who should take a look?

Rank: 10
Flags: needinfo?(drno)
Priority: -- → P2
Blocks: media-triage
Flags: needinfo?(drno)
Priority: P2 → P3

ffmpeg related issue.

No longer blocks: media-triage
Priority: P3 → P4
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: