Closed Bug 1675366 Opened 4 years ago Closed 3 years ago

applying zero offset to null pointer in src/media/libvpx/libvpx/vp8/decoder/dboolhuff.c:18

Categories

(Core :: Audio/Video: Playback, defect, P3)


Tracking


RESOLVED DUPLICATE of bug 1759324
Tracking Status
firefox-esr91 --- wontfix
firefox84 --- wontfix
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- wontfix
firefox101 --- fixed

People

(Reporter: tsmith, Assigned: chunmin)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached video testcase.webm

Since this is caught with UBSan, it requires --enable-fuzzing & --enable-address-sanitizer in mozconfig.

src/media/libvpx/libvpx/vp8/decoder/dboolhuff.c:18:32: runtime error: applying zero offset to null pointer
    #0 0x7f0aded27647 in vp8dx_start_decode src/media/libvpx/libvpx/vp8/decoder/dboolhuff.c:18:32
    #1 0x7f0aded2aa25 in setup_token_decoder src/media/libvpx/libvpx/vp8/decoder/decodeframe.c:796:9
    #2 0x7f0aded2aa25 in vp8_decode_frame src/media/libvpx/libvpx/vp8/decoder/decodeframe.c:1079:3
    #3 0x7f0aded39eae in vp8dx_receive_compressed_data src/media/libvpx/libvpx/vp8/decoder/onyxd_if.c:322:13
    #4 0x7f0adee06868 in vp8_decode src/media/libvpx/libvpx/vp8/vp8_dx_iface.c:488:9
    #5 0x7f0adf047b7b in vpx_codec_decode src/media/libvpx/libvpx/vpx/src/vpx_decoder.c:116:11
    #6 0x7f0adc63c674 in mozilla::VPXDecoder::ProcessDecode(mozilla::MediaRawData*) src/dom/media/platforms/agnostic/VPXDecoder.cpp:120:27
    #7 0x7f0adc6829e5 in applyImpl<mozilla::VPXDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::VPXDecoder::*)(mozilla::MediaRawData *), StoreRefPtrPassByPtr<mozilla::MediaRawData> , 0> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #8 0x7f0adc6829e5 in apply<mozilla::VPXDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::VPXDecoder::*)(mozilla::MediaRawData *)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #9 0x7f0adc6829e5 in mozilla::detail::MethodCall<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::VPXDecoder::*)(mozilla::MediaRawData*), mozilla::VPXDecoder, mozilla::MediaRawData*>::Invoke() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1437:47
    #10 0x7f0adc682339 in mozilla::detail::ProxyRunnable<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::VPXDecoder::*)(mozilla::MediaRawData*), mozilla::VPXDecoder, mozilla::MediaRawData*>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1457:42
    #11 0x7f0ad5cffe85 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:158:20
    #12 0x7f0ad5d2a78a in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:299:14
    #13 0x7f0ad5d1ba27 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1197:14
    #14 0x7f0ad5d265bc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
    #15 0x7f0ad6ff9dd2 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:302:20
    #16 0x7f0ad6efa4f1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #17 0x7f0ad6efa4f1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #18 0x7f0ad6efa4f1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #19 0x7f0ad5d14b32 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:442:10
    #20 0x7f0aef1a942e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f0af2ab5608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
    #22 0x7f0af267e292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/0iLmbr7FYczbTR6WVXn_kQ/index.html

I've checked the Pernosco result, and it seems more likely to be an issue for libvpx.

The sample we sent to libvpx is [1930375:1968226], which is valid. However, when determining pbi->fragments in libvpx, it somehow accesses the wrong element because it incorrectly counts the number of elements inside pbi->fragments.

I will put this on P3 for now, because it's not a common crash (you have to add additional config).

Severity: -- → S4
Priority: -- → P3
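A constructed C model of the two checks this report points at (an end pointer derived from a NULL source, and a fragment index past the counted entries). This is added example code, not libvpx's or Firefox's; the bool_decoder_t, fragments_t, start_decode_checked, start_fragment_decode and decode_remaining names are hypothetical stand-ins.

```c
#include <stddef.h>

/* Hypothetical stand-ins for libvpx's BOOL_DECODER and pbi->fragments. */
typedef struct {
    const unsigned char *user_buffer;
    const unsigned char *user_buffer_end;
} bool_decoder_t;

#define MAX_FRAGMENTS 4
typedef struct {
    const unsigned char *ptrs[MAX_FRAGMENTS];
    size_t sizes[MAX_FRAGMENTS];
    size_t count;  /* number of entries actually filled in */
} fragments_t;

/* Initialises the decoder over [src, src + sz). Returns 0 on success, -1 if
 * the input is rejected. The expression `src + sz` is never formed when src
 * is NULL: clang's -fsanitize=pointer-overflow reports that as
 * "applying zero offset to null pointer", and an empty input needs no end
 * pointer anyway, so the decoder is simply marked empty. */
int start_decode_checked(bool_decoder_t *br, const unsigned char *src, size_t sz) {
    if (src == NULL) {
        if (sz != 0) return -1;  /* a length without data is a caller bug */
        br->user_buffer = br->user_buffer_end = NULL;
        return 0;
    }
    br->user_buffer = src;
    br->user_buffer_end = src + sz;
    return 0;
}

/* Selects fragment `idx` for decoding. An index at or past `count` is refused
 * here, instead of reading an unfilled slot and handing its (NULL, 0) pair to
 * start_decode_checked, which is the shape of the miscount described above. */
int start_fragment_decode(bool_decoder_t *br, const fragments_t *f, size_t idx) {
    if (idx >= f->count || idx >= MAX_FRAGMENTS) return -1;
    return start_decode_checked(br, f->ptrs[idx], f->sizes[idx]);
}

/* Bytes left for the decoder; 0 for an empty decoder, with no NULL arithmetic. */
size_t decode_remaining(const bool_decoder_t *br) {
    if (br->user_buffer == NULL) return 0;
    return (size_t)(br->user_buffer_end - br->user_buffer);
}
```

Building the block with clang -fsanitize=undefined and calling the unchecked form `src + sz` with a NULL src reproduces the sanitizer message quoted in the report; the checked form above does not trigger it.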
Keywords: bugmon

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201109215349-6659b306f585.
The bug appears to have been introduced in the following build range:

Start: 0f0b1fa85339ba43198835f1ffb821437d432c19 (20200831194413)
End: c8320f7940b28a128275198c307b41bba9ec26b9 (20200831221001)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0f0b1fa85339ba43198835f1ffb821437d432c19&tochange=c8320f7940b28a128275198c307b41bba9ec26b9

Whiteboard: [bugmon:bisected,confirmed]
Assignee: nobody → cchang

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210417095008-4f124a8d83d1) but not with tip (mozilla-central 20220415213125-86271ddb1099).
The bug appears to have been fixed in the following build range:

Start: e153742662e05452366c718791de5e6780346440 (20220411075940)
End: eecb5e5f0e0f42fd074cef11e8dfb72132bd81ef (20220411113237)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e153742662e05452366c718791de5e6780346440&tochange=eecb5e5f0e0f42fd074cef11e8dfb72132bd81ef
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

:chunmin, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(cchang)

(In reply to Bugmon [:jkratzer for issues] from comment #4)
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(cchang)
Resolution: --- → DUPLICATE