Closed Bug 1561490 Opened 5 years ago Closed 5 years ago

heap-use-after-free in [@ mozilla::WaveDataDecoder::ProcessDecode]

Categories

(Core :: Audio/Video: Playback, defect, P3)

defect

Tracking

RESOLVED DUPLICATE of bug 1561484
Tracking Status
firefox69 --- affected

People

(Reporter: tsmith, Unassigned)

References

Details

(4 keywords)

Attachments

(2 files)

Attached file full_log.txt

This crash was found using the decoders' new libfuzzer media fuzzing interface (bug 1465407)

==8634==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000d01bc at pc 0x7fe323a76b0d bp 0x7fe27dc317d0 sp 0x7fe27dc317c8
READ of size 4 at 0x6110000d01bc thread T18 (MediaPD~oder #1)
    #0 0x7fe323a76b0c in mozilla::WaveDataDecoder::ProcessDecode(mozilla::MediaRawData*) dom/media/platforms/agnostic/WAVDecoder.cpp:70:40
    #1 0x7fe323ab83c0 in applyImpl<mozilla::WaveDataDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::WaveDataDecoder::*)(mozilla::MediaRawData *), StoreRefPtrPassByPtr<mozilla::MediaRawData> , 0> objdir-ff-fuzzing/dist/include/nsThreadUtils.h:1124:12
    #2 0x7fe323ab83c0 in apply<mozilla::WaveDataDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::WaveDataDecoder::*)(mozilla::MediaRawData *)> objdir-ff-fuzzing/dist/include/nsThreadUtils.h:1130
    #3 0x7fe323ab83c0 in Invoke objdir-ff-fuzzing/dist/include/mozilla/MozPromise.h:1293
    #4 0x7fe323ab83c0 in mozilla::detail::ProxyRunnable<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::WaveDataDecoder::*)(mozilla::MediaRawData*), mozilla::WaveDataDecoder, mozilla::MediaRawData*>::Run() objdir-ff-fuzzing/dist/include/mozilla/MozPromise.h:1313
    #5 0x7fe31a60c7ab in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:199:12
    #6 0x7fe31a6500f4 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:244:14
    #7 0x7fe31a6510a4 in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp
    #8 0x7fe31a643d40 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1225:14
    #9 0x7fe31a64b644 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #10 0x7fe31bc9379e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:303:20
    #11 0x7fe31bb02b9e in RunInternal ipc/chromium/src/base/message_loop.cc:315:10
    #12 0x7fe31bb02b9e in RunHandler ipc/chromium/src/base/message_loop.cc:308
    #13 0x7fe31bb02b9e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290
    #14 0x7fe31a63b718 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:459:11
    #15 0x7fe341c2ef48 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7fe34185f6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #17 0x7fe34083d88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Attached audio testcase.wav

This file will likely not reproduce the crash on a regular build. The libfuzzer fuzzing interface should be used to verify this bug. Feel free to ping me if needed.

No longer depends on: 1561484

The size indicates it may be a data read, but AudioInfo has virtual functions so guessing it could be sec-high if there are other accesses of this freed object.

Keywords: sec-high

Alastor can you please have a look at this bug?

Assignee: nobody → alwu
Flags: needinfo?(alwu)
Priority: -- → P1

(In reply to Daniel Veditz [:dveditz] from comment #2)

> The size indicates it may be a data read, but AudioInfo has virtual functions so guessing it could be sec-high if there are other accesses of this freed object.

Looks to me more like an incorrect use of the MediaDataDecoder interface from this fuzzing interface. The MediaDataDecoder states clearly that the MediaInfo object provided to a MediaDataDecoder must be valid for the entire duration of the MediaDataDecoder:
https://searchfox.org/mozilla-central/source/dom/media/platforms/PlatformDecoderModule.h#234

It is safe for a MediaDataDecoder to store a reference to the original MediaInfo.

Where is that fuzzing code?

Assignee: alwu → nobody
Flags: needinfo?(twsmith)
Priority: P1 → P3
Flags: needinfo?(alwu)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(twsmith)
Group: media-core-security
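The lifetime contract quoted in comment 3 is the crux of this report: a MediaDataDecoder may keep a reference to the MediaInfo it was created with, so a harness that destroys its AudioInfo before the decoder's last ProcessDecode leaves that reference dangling, and the read at WAVDecoder.cpp:70 becomes the use-after-free in the ASan trace. The following is an added C++ example written for this page, not Mozilla's code; AudioInfo, WaveDataDecoder, DecoderSession and DecodeFrames are simplified stand-ins (hypothetical names and shapes) that show the contract and a harness ownership layout that cannot violate it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified stand-in for mozilla::AudioInfo (hypothetical, constructed for
// this example). The real class has virtual functions, which is why a stale
// read of it could be more than a plain data read.
struct AudioInfo {
    uint32_t mRate;
    uint32_t mChannels;
    AudioInfo(uint32_t aRate, uint32_t aChannels) : mRate(aRate), mChannels(aChannels) {}
    virtual ~AudioInfo() = default;
};

// Simplified stand-in for mozilla::WaveDataDecoder. As the MediaDataDecoder
// contract permits, it stores a *reference* to the caller's AudioInfo instead
// of copying it, so the caller is responsible for keeping that object alive.
class WaveDataDecoder {
public:
    explicit WaveDataDecoder(const AudioInfo& aInfo) : mInfo(aInfo) {}

    // Count the 16-bit PCM frames in one packet. Reading mInfo.mChannels here
    // is the kind of access the sanitizer flagged when the referenced
    // AudioInfo had already been freed.
    size_t ProcessDecode(const std::vector<uint8_t>& aPacket) const {
        const size_t bytesPerFrame = 2u * mInfo.mChannels;
        if (bytesPerFrame == 0) {
            return 0;  // degenerate header; nothing to decode
        }
        return aPacket.size() / bytesPerFrame;
    }

private:
    const AudioInfo& mInfo;
};

// WRONG harness shape, kept as a comment so it is never compiled or run:
// the AudioInfo is a local that dies when the function returns, so every
// later ProcessDecode on the returned decoder reads through a dangling
// reference. This is the pattern comment 3 suspects in the fuzzing interface.
//
// std::unique_ptr<WaveDataDecoder> MakeDanglingDecoder() {
//     AudioInfo local(44100, 2);
//     return std::make_unique<WaveDataDecoder>(local);
// }

// CORRECT harness shape: one object owns both, with the AudioInfo declared
// before the decoder. C++ destroys members in reverse declaration order, so
// the decoder is torn down first and its reference never outlives the info.
struct DecoderSession {
    AudioInfo info;
    WaveDataDecoder decoder;
    DecoderSession(uint32_t aRate, uint32_t aChannels)
        : info(aRate, aChannels), decoder(info) {}
};

// Feed `aPackets` constructed packets of `aBytes` zero bytes through one
// session, as a fuzzing loop would, and return the total frame count. Every
// call is valid because the info lives exactly as long as the decoder.
size_t DecodeFrames(uint32_t aChannels, size_t aBytes, unsigned aPackets) {
    DecoderSession session(44100, aChannels);
    std::vector<uint8_t> packet(aBytes, 0);  // constructed sample input
    size_t frames = 0;
    for (unsigned i = 0; i < aPackets; ++i) {
        frames += session.decoder.ProcessDecode(packet);
    }
    return frames;
}

int main() {
    std::printf("stereo, 3 x 16 bytes -> %zu frames\n", DecodeFrames(2, 16, 3));  // 12
    std::printf("mono,   1 x 16 bytes -> %zu frames\n", DecodeFrames(1, 16, 1));  // 8
    std::printf("0 ch,   2 x 16 bytes -> %zu frames\n", DecodeFrames(0, 16, 2));  // 0
    return 0;
}
```

The point of DecoderSession is that the ownership relationship is expressed in the type rather than in the harness author's discipline: the compiler's member destruction order guarantees the decoder cannot outlive the info it references, which is the property an ASan build would otherwise have to catch at runtime.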