Closed Bug 1667480 Opened 4 years ago Closed 4 years ago

MP4 triggers OOM in [@ mozilla::Box::ReadAsSlice]

Categories

(Core :: Audio/Video: Playback, defect, P3)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
83 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 --- fixed

People

(Reporter: tsmith, Assigned: alwu)

Details

(Keywords: crash, csectype-oom, testcase)

Attachments

(3 files)

testcase.mp4
918 bytes, video/mp4
Details
Bug 1667480 - part1 : return empty slice if range is empty.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1667480 - part2 : add a crash test.
47 bytes, text/x-phabricator-request
Details | Review
Attached video testcase.mp4

Should this be a fallible allocation instead to avoid the crash?

https://crash-stats.mozilla.org/report/index/41be40bf-7600-4e63-bb76-907f60200925

==93==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f1f8e23f4bf bp 0x7f1f6b3cfe60 sp 0x7f1f6b3cfe60 T66513)
    #0 0x7f1f8e23f4bf in NS_ABORT_OOM(unsigned long) src/xpcom/base/nsDebugImpl.cpp:620:3
    #1 0x7f1f8c6054d4 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:154:5
    #2 0x7f1f951823ce in SetCapacity<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2175:47
    #3 0x7f1f951823ce in nsTArray_Impl /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1024:49
    #4 0x7f1f951823ce in nsTArray /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2691:44
    #5 0x7f1f951823ce in mozilla::BumpAllocator::Allocate(unsigned long) src/dom/media/mp4/Box.cpp:213:28
    #6 0x7f1f95182030 in mozilla::Box::ReadAsSlice() src/dom/media/mp4/Box.cpp:198:37
    #7 0x7f1f951c31dc in BoxReader src/dom/media/mp4/Box.h:91:20
    #8 0x7f1f951c31dc in mozilla::Edts::Parse(mozilla::Box&) src/dom/media/mp4/MoofParser.cpp:1011:13
    #9 0x7f1f951c2e31 in mozilla::Edts::Edts(mozilla::Box&) src/dom/media/mp4/MoofParser.cpp:999:12
    #10 0x7f1f951b13a4 in mozilla::MoofParser::ParseTrak(mozilla::Box&) src/dom/media/mp4/MoofParser.cpp:288:15
    #11 0x7f1f951ae5a8 in mozilla::MoofParser::ParseMoov(mozilla::Box&) src/dom/media/mp4/MoofParser.cpp:266:7
    #12 0x7f1f951acbd7 in mozilla::MoofParser::RebuildFragmentedIndex(mozilla::BoxContext&) src/dom/media/mp4/MoofParser.cpp:78:7
    #13 0x7f1f951ac359 in mozilla::MoofParser::RebuildFragmentedIndex(mozilla::media::IntervalSet<long> const&) src/dom/media/mp4/MoofParser.cpp:48:10
    #14 0x7f1f951907b5 in mozilla::Index::UpdateMoofIndex(mozilla::media::IntervalSet<long> const&, bool) src/dom/media/mp4/Index.cpp:523:16
    #15 0x7f1f951a5c30 in UpdateMoofIndex src/dom/media/mp4/Index.cpp:501:3
    #16 0x7f1f951a5c30 in mozilla::MP4TrackDemuxer::EnsureUpToDateIndex() src/dom/media/mp4/MP4Demuxer.cpp:349:11
    #17 0x7f1f951a5221 in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mozilla::IndiceWrapper const&) src/dom/media/mp4/MP4Demuxer.cpp:315:3
    #18 0x7f1f9519bb19 in mozilla::MP4Demuxer::Init() src/dom/media/mp4/MP4Demuxer.cpp:224:45
    #19 0x7f1f943b030a in mozilla::BenchmarkPlayback::DemuxSamples() src/dom/media/Benchmark.cpp:191:13
    #20 0x7f1f944038cb in operator() src/dom/media/Benchmark.cpp:145:59
    #21 0x7f1f944038cb in mozilla::detail::RunnableFunction<mozilla::Benchmark::Run()::$_14::operator()() const::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #22 0x7f1f8e43c245 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:158:20
    #23 0x7f1f8e46a57a in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:299:14
    #24 0x7f1f8e45c183 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
    #25 0x7f1f8e46627c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
    #26 0x7f1f8f70c472 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:302:20
    #27 0x7f1f8f61b0b1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #28 0x7f1f8f61b0b1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #29 0x7f1f8f61b0b1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #30 0x7f1f8e454c45 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:442:10
    #31 0x7f1fb372142e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #32 0x7f1fb335a6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #33 0x7f1fb2338a3e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)
Flags: in-testsuite?
Assignee: nobody → alwu
Severity: -- → S3
Priority: -- → P3
Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d93289a33056
part1 : return empty slice if range is empty. r=jya
https://hg.mozilla.org/integration/autoland/rev/3be697c08c1d
part2 : add a crash test. r=jya

https://hg.mozilla.org/mozilla-central/rev/d93289a33056
https://hg.mozilla.org/mozilla-central/rev/3be697c08c1d

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox83: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
status-firefox81: affectedwontfix
status-firefox-esr78: --- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: