Open Bug 1583405 Opened 5 years ago Updated 2 years ago

invalid shift in media/libvorbis/lib/vorbis_info.c:218

Categories

(Core :: Audio/Video: Playback, defect, P2)

Tracking Status
firefox71 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

Attached video testcase.webm

This is triggered with a UBSan build. To enable this check, add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="shift"
ac_add_options --disable-jemalloc

media/libvorbis/lib/vorbis_info.c:218:22: runtime error: shift exponent -1 is negative
    #0 0x7f90976d8f02 in _vorbis_unpack_info media/libvorbis/lib/vorbis_info.c
    #1 0x7f90976d8a11 in vorbis_synthesis_headerin media/libvorbis/lib/vorbis_info.c:401:16
    #2 0x7f90956bd331 in mozilla::VorbisDataDecoder::DecodeHeader(unsigned char const*, unsigned long) dom/media/platforms/agnostic/VorbisDecoder.cpp:130:11
    #3 0x7f90956bcadf in mozilla::VorbisDataDecoder::Init() dom/media/platforms/agnostic/VorbisDecoder.cpp:77:9
    #4 0x7f909551a70c in mozilla::RemoteDecoderParent::RecvInit() dom/media/ipc/RemoteDecoderParent.cpp:45:13
    #5 0x7f9090a36008 in mozilla::PRemoteDecoderParent::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PRemoteDecoderParent.cpp:307:63
    #6 0x7f9090a33326 in mozilla::PRemoteDecoderManagerParent::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PRemoteDecoderManagerParent.cpp:179:32
    #7 0x7f9090302968 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:2185:25
    #8 0x7f9090300470 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:2109:9
    #9 0x7f90903011de in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) ipc/glue/MessageChannel.cpp:1954:3
    #10 0x7f90903018af in mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1985:13
    #11 0x7f908f17761d in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1225:14
    #12 0x7f908f17bf46 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #13 0x7f909030a2d4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:333:5
    #14 0x7f909019ef24 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #15 0x7f908f17272d in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:458:11
    #16 0x7f90b5e1ddd8 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:198:5
    #17 0x7f90b5a726da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #18 0x7f90b4a5088e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Flags: in-testsuite?
Priority: -- → P2
Severity: normal → S3
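
An added illustration of the defect class UBSan reports above ("shift exponent -1 is negative"), not code from libvorbis or from this bug. The page does not show line 218, so the cause modelled here is an assumption: a header parser that uses a bit reader's -1 end-of-data sentinel directly as a shift count. `bitreader`, `br_read` and both `parse_blocksize_*` functions are hypothetical names, and the input byte is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bit reader (not the libogg API): returns the next `bits`
   bits, LSB-first, or -1 once the buffer is exhausted. */
typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } bitreader;

long br_read(bitreader *br, int bits) {
    long v = 0;
    if (br->bitpos + (size_t)bits > br->len * 8) return -1;
    for (int i = 0; i < bits; i++, br->bitpos++)
        v |= (long)((br->buf[br->bitpos >> 3] >> (br->bitpos & 7)) & 1) << i;
    return v;
}

/* Unchecked form, shown for contrast and never called here: the read result
   feeds the shift directly, so a truncated header evaluates 1 << -1, which
   is undefined behaviour in C and is what -fsanitize=shift flags. */
int parse_blocksize_unchecked(bitreader *br, long *out) {
    *out = 1L << br_read(br, 4);
    return 0;
}

/* Checked form: reject the error sentinel before it reaches the shift. */
int parse_blocksize_checked(bitreader *br, long *out) {
    long e = br_read(br, 4);
    if (e < 0) return -1;   /* truncated input: fail the header parse */
    *out = 1L << e;         /* e is 0..15 here, always a valid exponent */
    return 0;
}

int main(void) {
    const uint8_t hdr[] = { 0xB8 };  /* constructed: 4-bit fields 8, then 11 */
    bitreader br = { hdr, sizeof hdr, 0 };
    long bs;
    while (parse_blocksize_checked(&br, &bs) == 0)
        printf("blocksize %ld\n", bs);
    puts("header truncated, rejected");
    return 0;
}
```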