Bug 1661347 - Input validation check 'in->data == NULL || in->sz' failed in dav1d_send_data!
Status: RESOLVED FIXED (Closed)
Opened 4 years ago; closed 4 years ago
Categories: Core :: Graphics: ImageLib, defect, P3
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | disabled
firefox80 | --- | disabled
firefox81 | --- | disabled
firefox82 | --- | fixed
People: Reporter: tsmith, Assigned: jbauman
References: Blocks 1 open bug
Details: Keywords: assertion, testcase
Attachments (1 file): 8.27 KB, image/avif
Input validation check 'in->data == NULL || in->sz' failed in dav1d_send_data!
#0 0x7f9e4710d18a in __libc_signal_restore_set /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
#1 0x7f9e4710d18a in raise /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#2 0x7f9e470ec858 in abort /build/glibc-YYA7BZ/glibc-2.31/stdlib/abort.c:79:7
#3 0x7f9e373ac512 in dav1d_send_data src/third_party/dav1d/src/lib.c
#4 0x7f9e33da4881 in mozilla::image::nsAVIFDecoder::DecodeWithDav1d(Mp4parseByteData const&, mozilla::layers::PlanarYCbCrData&) src/image/decoders/nsAVIFDecoder.cpp:128:9
#5 0x7f9e33da6044 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:453:25
#6 0x7f9e33ce675c in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:172:19
#7 0x7f9e33cfd1f7 in mozilla::image::MetadataDecodingTask::Run() src/image/IDecodingTask.cpp:150:34
#8 0x7f9e33d07966 in mozilla::image::DecodePoolWorker::Run() src/image/DecodePool.cpp:276:23
#9 0x7f9e321b34b8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#10 0x7f9e321b8e8a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#11 0x7f9e32ae3ee9 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:302:20
#12 0x7f9e32a53d23 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#13 0x7f9e32a53c3d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#14 0x7f9e32a53c3d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#15 0x7f9e321af85d in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:442:10
#16 0x7f9e468ae67b in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#17 0x7f9e47620608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
#18 0x7f9e471e9102 in clone /build/glibc-YYA7BZ/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Comment 1 • 4 years ago
mp4parse-rust should reject this since the size advertised by the iinf box is far too large. I need to spend a bit of time figuring out the best way to reject this form of invalidity more generally.
Assignee: nobody → jbauman
Updated • 4 years ago
Status: NEW → ASSIGNED
Comment 2 • 4 years ago
I spoke too soon. The problem isn't the iinf box, it's that the primary item extents are nonsensical. A check that all the data indicated by the primary item extents is successfully read should fix this. That should be relatively straightforward.
Comment 3 • 4 years ago
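Comment 2 describes the fix as a check that every byte the primary item's extents point at is actually read before the buffer reaches the decoder. The following is an added illustration of that check in Rust; it is not mp4parse-rust's own code and not the change in PR #241, and the `Extent` struct, `ExtentError` enum and `read_item_extents` function are names assumed for this example.

```rust
// Added example, not mp4parse-rust's own code: gather an item's payload from its
// extents and fail if any extent cannot be read in full, so that nonsensical
// extents produce an error instead of the empty buffer that trips
// dav1d_send_data's `in->data == NULL || in->sz` check.

/// One extent of an item as listed in the `iloc` box (assumed struct for this example).
#[derive(Debug, Clone, Copy)]
pub struct Extent {
    pub offset: u64,
    pub length: u64,
}

/// Why a set of extents was rejected (assumed enum for this example).
#[derive(Debug, PartialEq)]
pub enum ExtentError {
    Invalid,     // zero-length extent, or offset + length overflows u64
    OutOfBounds, // extent reaches past the end of the available data
    Empty,       // no extents at all, so nothing could be gathered
}

/// Concatenate the bytes of `extents` from `data`, checking each extent before
/// reading it. Zero-length extents are rejected here; the ISOBMFF convention
/// that length 0 means "to the end of the data" is deliberately not modelled.
pub fn read_item_extents(data: &[u8], extents: &[Extent]) -> Result<Vec<u8>, ExtentError> {
    if extents.is_empty() {
        return Err(ExtentError::Empty);
    }
    let mut out = Vec::new();
    for e in extents {
        if e.length == 0 {
            return Err(ExtentError::Invalid);
        }
        // checked_add rejects an offset + length that would wrap around.
        let end = e.offset.checked_add(e.length).ok_or(ExtentError::Invalid)?;
        if end > data.len() as u64 {
            return Err(ExtentError::OutOfBounds);
        }
        out.extend_from_slice(&data[e.offset as usize..end as usize]);
    }
    Ok(out)
}

fn main() {
    // Constructed sample: 32 bytes of "file data" and one extent past its end.
    let data: Vec<u8> = (0u8..32).collect();
    let bad = [Extent { offset: 30, length: 8 }];
    println!("{:?}", read_item_extents(&data, &bad)); // Err(OutOfBounds)
}
```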
https://github.com/mozilla/mp4parse-rust/pull/241 has the fix for this, so this should be done next time we update the version of mp4parse-rust in mozilla-central.
Comment 4 • 4 years ago
Fixed via bug 1661583
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Updated • 4 years ago
status-firefox80: --- → disabled
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → disabled