Crash in [@ mozilla::SourceListener::StopSharing]
Categories: Core :: WebRTC: Audio/Video, defect, P1
Tracking | Status
---|---
firefox-esr60 | unaffected
firefox66 | unaffected
firefox67 | unaffected
firefox67.0.1 | unaffected
firefox68 | fixed
People: Reporter: philipp, Assigned: jib
Details: 4 keywords, Whiteboard: [post-critsmash-triage]
Attachments: 1 file
This bug is for crash report bp-240cd7fb-e555-4bd7-9c93-82e780190511.
Top 10 frames of crashing thread:
0 xul.dll void mozilla::SourceListener::StopSharing dom/media/MediaManager.cpp:4449
1 xul.dll void mozilla::GetUserMediaWindowListener::StopSharing dom/media/MediaManager.cpp:4596
2 xul.dll static void mozilla::MediaManager::IterateWindowListeners<`lambda at z:/task_1557522085/build/src/dom/media/MediaManager.cpp:3910:15'> dom/media/MediaManager.cpp:3925
3 xul.dll nsresult mozilla::MediaManager::Observe dom/media/MediaManager.cpp:3783
4 xul.dll nsObserverList::NotifyObservers xpcom/ds/nsObserverList.cpp:66
5 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:295
6 xul.dll NS_InvokeByIndex
7 xul.dll static bool XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:1157
8 xul.dll static bool XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:943
9 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:535
This crash signature is starting to show up in the 68.0a1 nightly cycle - the first affected build was 20190430121130.
Comment 1•5 years ago
https://crash-stats.mozilla.com/report/index/95847257-4a3d-41fa-b15c-d0bf10190511 appears to be a clear UAF
Comment 2•5 years ago
On 4/30 Bug 1335740 landed in MediaManager.cpp. Jan-Ivar can you please have a look what is going on here?
Comment 3•5 years ago
This looks like the same kind of problem as bug 1547381. In short, the StopTrack() API is a footgun. I'll add a patch.
Comment 4•5 years ago
I don't know why this ref-count hazard wasn't a problem before 4/30, but maybe other code kept these ref-counts > 1.
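The ref-count hazard named in the two comments above, as an added illustration (constructed C++, not Firefox's MediaManager code; the class and member names below are hypothetical stand-ins for the listener and its window-level owner, and the example makes no claim about the actual patch): a stop routine that unregisters the listener from the only object holding a strong reference to it drops that last reference mid-call, and every member access after that point is a use-after-free. The safe variant holds a strong reference on the stack for the duration of the call. To keep the demo deterministic, the toy ref-count marks the object dead instead of freeing it, so the bad access is recorded rather than crashing.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Minimal intrusive ref-count (constructed stand-in, not Mozilla's RefPtr machinery).
// Release() flips `alive` instead of deleting, purely so the hazard is observable here;
// in real code this is where the memory is returned and later accesses are a UAF.
struct RefCounted {
    int refcnt = 0;
    bool alive = true;
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) alive = false; }
};

// RAII strong reference in the spirit of RefPtr<T>.
template <class T>
class StrongRef {
    T* p;
public:
    explicit StrongRef(T* t) : p(t) { if (p) p->AddRef(); }
    StrongRef(const StrongRef& o) : p(o.p) { if (p) p->AddRef(); }
    StrongRef& operator=(const StrongRef& o) {
        if (o.p) o.p->AddRef();
        if (p) p->Release();
        p = o.p;
        return *this;
    }
    ~StrongRef() { if (p) p->Release(); }
    T* get() const { return p; }
};

struct WindowListener;  // hypothetical owner, holds the only long-lived strong ref

struct Listener : RefCounted {
    WindowListener* mOwner;
    bool mSharing = true;
    bool mAccessedAfterLastRelease = false;  // set if a member is touched once refcnt hit 0

    explicit Listener(WindowListener* owner) : mOwner(owner) {}
    void StopSharingUnsafe();
    void StopSharingSafe();
};

struct WindowListener {
    std::vector<StrongRef<Listener>> mListeners;

    // Unregistering erases the StrongRef, which calls Release() on the listener.
    void Remove(Listener* l) {
        for (std::size_t i = 0; i < mListeners.size(); ++i) {
            if (mListeners[i].get() == l) {
                mListeners.erase(mListeners.begin() + i);
                return;
            }
        }
    }
};

// Hazard: if the owner held the last reference, `this` is dead after Remove().
void Listener::StopSharingUnsafe() {
    mOwner->Remove(this);
    mAccessedAfterLastRelease = !alive;  // real code: use-after-free on this line
    mSharing = false;
}

// Fix: a stack-held strong reference keeps `this` alive until the call returns.
void Listener::StopSharingSafe() {
    StrongRef<Listener> keepAlive(this);
    mOwner->Remove(this);
    mAccessedAfterLastRelease = !alive;  // still alive: keepAlive holds a reference
    mSharing = false;
}

// Drivers: one owner, one listener, owner is the sole holder (refcnt == 1).
// Each returns whether the stop call touched the object after its last Release().
bool RunUnsafe() {
    WindowListener win;
    Listener* l = new Listener(&win);
    win.mListeners.emplace_back(l);
    l->StopSharingUnsafe();
    bool bad = l->mAccessedAfterLastRelease;
    delete l;  // the demo frees here; real code already freed it inside Remove()
    return bad;
}

bool RunSafe() {
    WindowListener win;
    Listener* l = new Listener(&win);
    win.mListeners.emplace_back(l);
    l->StopSharingSafe();
    bool bad = l->mAccessedAfterLastRelease;
    delete l;
    return bad;
}
```

The point the comment makes about ref-counts being > 1 before the regression maps directly onto the drivers: with a second holder the unsafe path happens to work, and the bug only surfaces once the owner is the sole reference, which is why a stop routine should never rely on callers keeping the object alive.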
Comment 5•5 years ago
Comment 7•5 years ago
There's some STR in bug 1551452.
Comment 8•5 years ago
https://hg.mozilla.org/integration/autoland/rev/f12fb7f69d5180c2c133b441e23b0b8b8d4fe123
https://hg.mozilla.org/mozilla-central/rev/f12fb7f69d51