Closed Bug 1561492 Opened 5 years ago Closed 5 years ago

divide-by-zero in [@ mozilla::ADTSTrackDemuxer::Init]

Categories

(Core :: Audio/Video: Playback, defect, P2)

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: tsmith, Assigned: decoder)

References

(Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main70+][adv-main70+r])

Attachments

(2 files)

Attached audio testcase.adts

This crash was found using decoder's new libfuzzer media fuzzing interface (bug 1465407).

[129774, MediaPlayback #3] ###!!! ABORT: Divide by zero: file toolkit/xre/nsSigHandlers.cpp, line 149
AddressSanitizer:DEADLYSIGNAL
=================================================================
==129774==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55721a0b7b27 bp 0x7f6834c13450 sp 0x7f6834c13440 T70222)
==129774==The signal is caused by a WRITE memory access.
==129774==Hint: address points to the zero page.
    #0 0x55721a0b7b26 in mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:33:3
    #1 0x7f684738dfe5 in Abort(char const*) xpcom/base/nsDebugImpl.cpp:439:39
    #2 0x7f684738ed08 in NS_DebugBreak xpcom/base/nsDebugImpl.cpp
    #3 0x7f6856fff8fe in fpehandler(int, siginfo_t*, void*) toolkit/xre/nsSigHandlers.cpp:148:5
    #4 0x7f686e86688f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1288f)
    #5 0x7f6850136fb2 in mozilla::ADTSTrackDemuxer::Init() dom/media/ADTSDemuxer.cpp:344:59
    #6 0x7f6850135f60 in mozilla::ADTSDemuxer::InitInternal() dom/media/ADTSDemuxer.cpp:250:25
    #7 0x7f6850137650 in mozilla::ADTSDemuxer::Init() dom/media/ADTSDemuxer.cpp:254:8
    #8 0x7f68501d002b in mozilla::BenchmarkPlayback::DemuxSamples() dom/media/Benchmark.cpp:190:13
    #9 0x7f68501e283b in operator() dom/media/Benchmark.cpp:144:59
    #10 0x7f68501e283b in mozilla::detail::RunnableFunction<mozilla::Benchmark::Run()::$_2::operator()() const::'lambda'()>::Run() objdir-ff-fuzzing/dist/include/nsThreadUtils.h:564
    #11 0x7f684760c7ab in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:199:12
    #12 0x7f68476500f4 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:244:14
    #13 0x7f68476510a4 in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp
    #14 0x7f6847643d40 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1225:14
    #15 0x7f684764b644 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #16 0x7f6848c939ab in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:333:5
    #17 0x7f6848b02b9e in RunInternal ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7f6848b02b9e in RunHandler ipc/chromium/src/base/message_loop.cc:308
    #19 0x7f6848b02b9e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290
    #20 0x7f684763b718 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:459:11
    #21 0x7f686ec2af48 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:201:5
    #22 0x7f686e85b6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #23 0x7f686d83988e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

The attached testcase will likely not reproduce the crash on a regular build. The libfuzzer fuzzing interface should be used to verify this bug. Feel free to ping me if needed.

Marking as s-s until bug 1465407 is open.

Priority: -- → P2

The problem here is that we need to check mSamplesPerSecond prior to the mPreRoll calculation. That calculation only got added in bug 1482706, so this is likely a regression from that bug.
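An illustrative reconstruction of the check described in the comment above (added example, not Firefox's ADTSDemuxer code): a minimal ADTS fixed-header parser in which the reserved sampling-frequency indices yield a zero sample rate, the unguarded pre-roll calculation that divides by that rate, and a guarded init that rejects the zero rate before any division. The header layout and sample-rate table are the MPEG-4 ADTS ones; the 2112-frame pre-roll constant, the function names and the sample headers are assumptions and not taken from the attached testcase.

```cpp
#include <cstddef>
#include <cstdint>

// MPEG-4 sampling_frequency_index table; indices 13..15 are reserved and
// map to 0 here, which is how a malformed header can yield a zero sample rate.
static const uint32_t kSampleRates[16] = {
    96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
    16000, 12000, 11025, 8000,  7350,  0,     0,     0};

// Assumed pre-roll of 2112 frames (a typical AAC priming delay), not Firefox's value.
static const int64_t kPreRollFrames = 2112;

struct AdtsTrackInfo {
  uint32_t samplesPerSecond = 0;
  int64_t preRollUs = 0;
};

// Parse the fixed 7-byte ADTS header: 12-bit syncword 0xFFF, then the
// 4-bit sampling_frequency_index in bits 5..2 of byte 2.
bool ParseAdtsHeader(const uint8_t* data, size_t len, AdtsTrackInfo* out) {
  if (len < 7 || data[0] != 0xFF || (data[1] & 0xF0) != 0xF0) return false;
  uint8_t freqIndex = (data[2] >> 2) & 0x0F;
  out->samplesPerSecond = kSampleRates[freqIndex];
  return true;
}

// Unguarded form of the pre-roll calculation: frames -> microseconds.
// With rate == 0 this is the integer divide-by-zero that raises SIGFPE.
int64_t PreRollUnchecked(int64_t frames, uint32_t rate) {
  return frames * 1000000 / rate;
}

// Guarded init: validate the sample rate before any calculation uses it
// as a divisor, and fail the demuxer init instead of crashing the process.
bool InitTrack(const uint8_t* data, size_t len, AdtsTrackInfo* out) {
  if (!ParseAdtsHeader(data, len, out)) return false;
  if (out->samplesPerSecond == 0) return false;  // reserved/invalid index
  out->preRollUs = PreRollUnchecked(kPreRollFrames, out->samplesPerSecond);
  return true;
}

// Constructed sample headers (assumed, not the attached testcase.adts):
// AAC LC, sampling_frequency_index 4 (44100 Hz), channel configuration 2.
static const uint8_t kGoodHeader[7] = {0xFF, 0xF1, 0x50, 0x80, 0x00, 0x1F, 0xFC};
// Same header, but sampling_frequency_index 15 (reserved) -> sample rate 0.
static const uint8_t kBadHeader[7] = {0xFF, 0xF1, 0x7C, 0x80, 0x00, 0x1F, 0xFC};
```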

Regressed by: 1482706
Keywords: regression
No longer blocks: 1465407
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Assignee: nobody → choller
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

Hi Tyson,
Any chance you could provide some additional info regarding the "libfuzzer fuzzing interface" (setup/installers)?
*for verification purposes.
Tried with regular builds but indeed, no crash when trying to open the file.

Flags: needinfo?(twsmith)

Of course. Full details can be found here[1]. Here is a basic summary.

To reproduce the issue:

  1. Build (with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug) or download an ASan --enable-fuzzing build including gtests
  2. Run FUZZER=MediaADTS LIBFUZZER=1 MOZ_RUN_GTEST=1 objdir/dist/bin/firefox test.bin

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Fuzzing_Interface

Flags: needinfo?(twsmith)
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main70+][adv-main70-rollup]
Whiteboard: [post-critsmash-triage][adv-main70+][adv-main70-rollup] → [post-critsmash-triage][adv-main70+][adv-main70+r]
Group: core-security-release
Has Regression Range: --- → yes