Closed Bug 1661347 Opened 4 years ago Closed 4 years ago

Input validation check 'in->data == NULL || in->sz' failed in dav1d_send_data!

Categories

(Core :: Graphics: ImageLib, defect, P3)

defect

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox80 --- disabled
firefox81 --- disabled
firefox82 --- fixed

People

(Reporter: tsmith, Assigned: jbauman)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached image testcase.avif

Input validation check 'in->data == NULL || in->sz' failed in dav1d_send_data!

#0 0x7f9e4710d18a in __libc_signal_restore_set /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
#1 0x7f9e4710d18a in raise /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#2 0x7f9e470ec858 in abort /build/glibc-YYA7BZ/glibc-2.31/stdlib/abort.c:79:7
#3 0x7f9e373ac512 in dav1d_send_data src/third_party/dav1d/src/lib.c
#4 0x7f9e33da4881 in mozilla::image::nsAVIFDecoder::DecodeWithDav1d(Mp4parseByteData const&, mozilla::layers::PlanarYCbCrData&) src/image/decoders/nsAVIFDecoder.cpp:128:9
#5 0x7f9e33da6044 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:453:25
#6 0x7f9e33ce675c in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:172:19
#7 0x7f9e33cfd1f7 in mozilla::image::MetadataDecodingTask::Run() src/image/IDecodingTask.cpp:150:34
#8 0x7f9e33d07966 in mozilla::image::DecodePoolWorker::Run() src/image/DecodePool.cpp:276:23
#9 0x7f9e321b34b8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#10 0x7f9e321b8e8a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#11 0x7f9e32ae3ee9 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:302:20
#12 0x7f9e32a53d23 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#13 0x7f9e32a53c3d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#14 0x7f9e32a53c3d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#15 0x7f9e321af85d in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:442:10
#16 0x7f9e468ae67b in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#17 0x7f9e47620608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
#18 0x7f9e471e9102 in clone /build/glibc-YYA7BZ/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Keywords: testcase
Blocks: AVIF
Severity: -- → S3
Priority: -- → P3

mp4parse-rust should reject this since the size advertised by the iinf box is far too large. I need to spend a bit of time figuring out the best way to reject this form of invalidity more generally.

Assignee: nobody → jbauman
Status: NEW → ASSIGNED

I spoke too soon. The problem isn't the iinf box, it's that the primary item extents are nonsensical. A check that all the data indicated by the primary item extents is successfully read should fix this. That should be relatively straightforward.

https://github.com/mozilla/mp4parse-rust/pull/241 has the fix for this, so this should be done next time we update the version of mp4parse-rust in mozilla-central.
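Added illustration of the check the comments above describe, in Rust because mp4parse-rust is the layer that should reject the file. This is not the code from mp4parse-rust PR #241, mozilla-central, or dav1d; the type and function names (`Extent`, `ExtentError`, `read_primary_item`, `send_data`) and the 64-byte sample input are invented for the example. It shows why the assertion `in->data == NULL || in->sz` fires: a container whose primary item extents point past the available bytes produces a non-NULL, zero-sized buffer, and dav1d's input validation rejects exactly that combination. The parsing side therefore has to verify that every extent is fully readable and that the gathered item is non-empty before the buffer ever reaches the decoder.

```rust
// Added example, not code from mozilla-central, mp4parse-rust, or dav1d.
// Names (Extent, ExtentError, read_primary_item, send_data) are invented here.

/// One byte range of an ISOBMFF item, as an `iloc` extent would describe it.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Extent {
    pub offset: u64,
    pub length: u64,
}

/// Ways a primary item's extents can fail validation (constructed for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum ExtentError {
    /// offset + length does not fit in u64.
    Overflow { extent: usize },
    /// The extent reaches past the bytes that were actually available.
    OutOfBounds { extent: usize, end: u64, available: u64 },
    /// All extents were read, but together they yielded zero bytes.
    EmptyItem,
}

/// Gather the primary item's bytes, refusing to return a partial or empty item.
///
/// Every extent must lie entirely inside `input`; otherwise the caller gets an
/// error instead of a truncated buffer that might later be handed to the decoder.
pub fn read_primary_item(input: &[u8], extents: &[Extent]) -> Result<Vec<u8>, ExtentError> {
    let available = input.len() as u64;
    let mut item = Vec::new();
    for (i, e) in extents.iter().enumerate() {
        // Checked arithmetic: a file-controlled offset/length pair can wrap around.
        let end = e
            .offset
            .checked_add(e.length)
            .ok_or(ExtentError::Overflow { extent: i })?;
        if end > available {
            return Err(ExtentError::OutOfBounds { extent: i, end, available });
        }
        // Both bounds are now known to be <= input.len(), so the casts are safe.
        item.extend_from_slice(&input[e.offset as usize..end as usize]);
    }
    if item.is_empty() {
        return Err(ExtentError::EmptyItem);
    }
    Ok(item)
}

/// Decoder-side precondition mirroring the assertion in the report:
/// `in->data == NULL || in->sz`. A NULL pointer (here `None`) is allowed,
/// but a non-NULL buffer must have a non-zero size. The fuzzing build in the
/// report aborted when this failed; this version returns an error instead.
pub fn send_data(data: Option<&[u8]>) -> Result<usize, &'static str> {
    match data {
        None => Ok(0),
        Some(buf) if buf.is_empty() => {
            Err("input validation failed: in->data != NULL but in->sz == 0")
        }
        Some(buf) => Ok(buf.len()),
    }
}

fn main() {
    // Constructed 64-byte "file"; the byte values do not matter for the bounds checks.
    let file: Vec<u8> = (0..64u8).collect();

    // Well-formed: two extents fully inside the file.
    let good = [Extent { offset: 0, length: 16 }, Extent { offset: 32, length: 16 }];
    let item = read_primary_item(&file, &good).expect("extents are in bounds");
    println!("good item: {} bytes, send_data -> {:?}", item.len(), send_data(Some(&item)));

    // Nonsensical: extent claims 100 bytes starting at offset 48 of a 64-byte file.
    let bad = [Extent { offset: 48, length: 100 }];
    println!("bad extents -> {:?}", read_primary_item(&file, &bad));

    // What the decoder would have seen without the check: a non-NULL, zero-sized buffer.
    let empty: &[u8] = &[];
    println!("empty buffer -> {:?}", send_data(Some(empty)));
}
```

The out-of-bounds case is the one that matters for this bug: rejecting the item at the parser stops a zero-length buffer from ever being constructed, so the decoder's precondition never has to catch it.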

Depends on: 1661583

Fixed via bug 1661583

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
