Closed Bug 1742945 Opened 4 years ago Closed 4 years ago

Crash in [@ dav1d_recon_b_intra_8bpc]

Categories

(Core :: Audio/Video: Playback, defect, P3)

Product:
Core
Component:
Audio/Video: Playback
Platform:
x86_64
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
99 Branch

People

(Reporter: gcp, Assigned: jimm)

References

Details

(Keywords: crash, csectype-bounds, sec-high)

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/42f10ff3-470a-4f2b-b71f-20cd90211123

Reason: STATUS_STACK_BUFFER_OVERRUN / FAST_FAIL_GUARD_ICALL_CHECK_FAILURE

Top 10 frames of crashing thread:

0 ntdll.dll RtlFailFast2 
1 ntdll.dll RtlpHandleInvalidUserCallTarget 
2 ntdll.dll LdrpHandleInvalidUserCallTarget 
3 xul.dll dav1d_recon_b_intra_8bpc media/libdav1d/8bd_recon_tmpl.c:1349
4 xul.dll decode_b third_party/dav1d/src/decode.c:869
5 xul.dll decode_sb third_party/dav1d/src/decode.c:2351
6 xul.dll decode_sb third_party/dav1d/src/decode.c:2399
7 xul.dll decode_sb third_party/dav1d/src/decode.c:2395
8 xul.dll decode_sb third_party/dav1d/src/decode.c:2402
9 xul.dll dav1d_decode_tile_sbrow third_party/dav1d/src/decode.c:2790

FAST_FAIL_GUARD_ICALL_CHECK_FAILURE indicates a CFG failure. This looks similar to bug 1742934 but in the AV1 decoder. I guess the code is similar?

Group: core-security → media-core-security
See Also: → 1742951
Crash Signature: [@ dav1d_recon_b_intra_8bpc] → [@ dav1d_recon_b_intra_8bpc] [@ decode_b]

Since bug 1754070 landed I see at least one case of this at https://crash-stats.mozilla.org/report/index/e5858bb9-d515-4b8e-b836-d2bf10220301 I.e. this appears to have been happening prior to our last dav1d update and also since. So it doesn't look like something introduced in a recent update, nor is it something fixed in a recent patch.

Crash Signature: [@ dav1d_recon_b_intra_8bpc] [@ decode_b] → [@ dav1d_recon_b_intra_8bpc] [@ decode_b]
Blocks: media-triage

Waiting to see if we continue to get crashes post the recent update.

If not, we'll need to reach out to dav1d engineers.

Update landed in 99, so far so good.

https://bugzilla.mozilla.org/show_bug.cgi?id=1754070

Assignee: nobody → jmathies
No longer blocks: media-triage
Severity: S2 → S4
Priority: -- → P3

The severity field for this bug is set to S4. However, the bug is flagged with the sec-high keyword.
:jimm, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jmathies)
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Depends on: 1754070
Target Milestone: --- → 99 Branch
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.