Closed
Bug 1568037
Opened 5 years ago
Closed 5 years ago
crash near null in [@ opus_multistream_decoder_ctl_va_list]
Categories
(Core :: Audio/Video: Playback, defect)
Core
Audio/Video: Playback
Tracking
()
RESOLVED
FIXED
mozilla70
People
(Reporter: tsmith, Assigned: decoder)
Details
(Keywords: crash, testcase)
Attachments
(2 files)
The attached testcase crashes on mozilla-central revision 6d98669f6869 (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).
To reproduce the issue:
- Build or download an ASan --enable-fuzzing build including gtests
- Run FUZZER=MediaWebM LIBFUZZER=1 MOZ_RUN_GTEST=1 objdir/dist/bin/firefox test.bin
==35716==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7fb0fe745ec
c bp 0x7fb0b1d696d0 sp 0x7fb0b1d695a0 T3233267)
==35716==The signal is caused by a READ memory access.
==35716==Hint: address points to the zero page.
#0 0x7fb0fe745ecb in opus_multistream_decoder_ctl_va_list src/media/libopus/src/opus_multistream_decoder.c
#1 0x7fb0fe744d12 in opus_multistream_decoder_ctl src/media/libopus/src/opus_multistream_decoder.c:541:10
#2 0x7fb0fa8ff44c in mozilla::OpusDataDecoder::Init() src/dom/media/platforms/agnostic/OpusDecoder.cpp:96:5
#3 0x7fb0fa964ff0 in operator() src/dom/media/platforms/wrappers/AudioTrimmer.cpp:24:56
#4 0x7fb0fa964ff0 in mozilla::detail::ProxyFunctionRunnable<mozilla::AudioTrimmer::Init()::$_34, mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true> >::Run() src/objdir-ff-fuzzing/dist/include/mozilla/MozPromise.h:1420
#5 0x7fb0f14a8eeb in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:199:12
#6 0x7fb0f14ec664 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:244:14
#7 0x7fb0f14ed614 in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
#8 0x7fb0f14e02bb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#9 0x7fb0f14e7bb4 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#10 0x7fb0f2b52d8e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
#11 0x7fb0f29bafee in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#12 0x7fb0f29bafee in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#13 0x7fb0f29bafee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#14 0x7fb0f14d7e58 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:459:11
#15 0x7fb118dc7f48 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:198:5
#16 0x7fb1189f86da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#17 0x7fb1179d688e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
||
Comment 1•5 years ago
|
||
Jean-Yves, could you do a first pass triage of this?
Flags: needinfo?(jyavenard)
|
Assignee | |
Comment 2•5 years ago
|
||
|
|
Assignee | |
Comment 3•5 years ago
|
||
The problem here is that opus_multistream_decoder_create can return NULL for various reasons (in this case it isn't happy with the arguments). The patch checks the returned value and rejects the promise if creating the decoder failed for some reason.
Pushed by choller@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/25683d47d764 Check for successful Opus decoder creation. r=jya
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
|
||
Updated•5 years ago
|
Assignee: nobody → choller
|
||
Updated•5 years ago
|
status-firefox68:
--- → wontfix
status-firefox69:
--- → wontfix
status-firefox-esr60:
--- → wontfix
status-firefox-esr68:
--- → wontfix
|
||
Updated•4 years ago
|
Flags: needinfo?(jyavenard)
You need to log in
before you can comment on or make changes to this bug.
Description
•