Crash in [@ mozilla::MediaTransportHandlerIPC::GetIceStats]
Categories: Core :: WebRTC: Networking, defect
People: Reporter: jib, Assigned: bwc
Keywords: csectype-wildptr, sec-high
Attachments: 1 obsolete file
UAF
Crash report: bp-47753228-ed0b-4f69-b71d-3496d0211104
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
0 xul.dll mozilla::MediaTransportHandlerIPC::GetIceStats(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, double) dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp:314
1 xul.dll mozilla::PeerConnectionImpl::GetStats(mozilla::dom::MediaStreamTrack*, bool) dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:2806
2 xul.dll static mozilla::PeerConnectionCtx::EverySecondTelemetryCallback_m(nsITimer*, void*) dom/media/webrtc/jsapi/PeerConnectionCtx.cpp:280
3 xul.dll nsTimerImpl::Fire(int) xpcom/threads/nsTimerImpl.cpp:620
4 xul.dll nsTimerEvent::Run() xpcom/threads/TimerThread.cpp:264
5 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:805
6 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1148
7 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:107
8 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:324
9 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:306
10 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:137
Comment 1 (3 years ago):
I don't see any definitive signs of a UAF (our poison value), but it's crashing on a nonsense pointer that doesn't have any clear relation to any register value. It's gotten ahold of a corrupt object somehow, but this could also be due to a buffer overflow, or it's uninitialized or something. (Unless we've missed a clue about UAFness here)
Comment 2 (3 years ago):
One crash in 6 months -- may not be very productive to chase this one down just from a crash report.
Comment 3 (3 years ago):
The severity field is not set for this bug.
:bwc, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5 (3 years ago):
The severity field for this bug is set to S4. However, the bug is flagged with the sec-high
keyword.
:bwc, could you consider increasing the severity of this security bug?
For more information, please visit auto_nag documentation.
Comment 6 (3 years ago):
This has not happened in a very long time, since 93 on crash-stats.
Comment 7 (3 years ago):
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.