Open Bug 1757124 Opened 2 years ago Updated 2 months ago

Crash [@ mozilla::dom::TextTrackCue::TextTrackCue]

Categories

(Core :: Audio/Video, defect, P3)

Tracking Status
firefox99 --- affected

People

(Reporter: jkratzer, Assigned: alwu)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, pernosco-wanted, Whiteboard: [fuzzblocker])

Testcase found while fuzzing mozilla-central rev 6531d095b2a7 (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch
$ python -m fuzzfetch --build 6531d095b2a7 --asan --fuzzing -n build
$ ./build/firefox -xpcshell -e "new VTTCue(2, 3, 'a')"
==570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f643be27ace bp 0x7ffdf1ff6d50 sp 0x7ffdf1ff6d10 T0)
==570==The signal is caused by a READ memory access.
==570==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f643be27ace in mozilla::dom::TextTrackCue::TextTrackCue(nsPIDOMWindowInner*, double, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webvtt/TextTrackCue.cpp:62:35
    #1 0x7f64398d58e6 in mozilla::dom::TextTrackCue::Constructor(mozilla::dom::GlobalObject&, double, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TextTrackCue.h:42:13
    #2 0x7f64398d51cf in mozilla::dom::VTTCue_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/VTTCueBinding.cpp:1737:58
    #3 0x7f6441ecbdc5 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:425:13
    #4 0x7f6441ecbdc5 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:441:8
    #5 0x7f6441ecbdc5 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:636:10
    #6 0x7f6441eb545f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3299:16
    #7 0x7f6441e9a2b1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394:13
    #8 0x7f6441ecd033 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767:13
    #9 0x7f6441f87c02 in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<js::ExtensibleLexicalEnvironmentObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:403:10
    #10 0x7f6441f87540 in js::ExecuteInFrameScriptEnvironment(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JSObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:438:8
    #11 0x7f64423a7bfa in EvalReturningScope(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/TestingFunctions.cpp:6040:10
    #12 0x1ed6a760b638  (<unknown module>)

DEDUP_TOKEN: mozilla::dom::TextTrackCue::TextTrackCue(nsPIDOMWindowInner*, double, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/media/webvtt/TextTrackCue.cpp:62:35 in mozilla::dom::TextTrackCue::TextTrackCue(nsPIDOMWindowInner*, double, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&)
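Added here as an example, not part of this bug or of Gecko: a small Python triage helper that parses an ASAN SEGV report like the one above and classifies it as a null-pointer dereference (fault address inside the zero page, as ASAN's own hint says) or a wild-pointer access, pulling out the access type, the top symbolised frame and the dedup token. It runs over a constructed copy of this report abridged to three frames.

```python
import re

# Constructed sample: the ASAN SEGV report from this bug, abridged to three frames.
SAMPLE_REPORT = """\
==570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f643be27ace bp 0x7ffdf1ff6d50 sp 0x7ffdf1ff6d10 T0)
==570==The signal is caused by a READ memory access.
==570==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f643be27ace in mozilla::dom::TextTrackCue::TextTrackCue(nsPIDOMWindowInner*, double, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webvtt/TextTrackCue.cpp:62:35
    #1 0x7f64398d58e6 in mozilla::dom::TextTrackCue::Constructor(mozilla::dom::GlobalObject&, double, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TextTrackCue.h:42:13
    #2 0x7f64398d51cf in mozilla::dom::VTTCue_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/VTTCueBinding.cpp:1737:58
DEDUP_TOKEN: mozilla::dom::TextTrackCue::TextTrackCue(nsPIDOMWindowInner*, double, double, nsTSubstring<char16_t> const&, mozilla::ErrorResult&)
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)", re.M)
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"\s*#(\d+) 0x[0-9a-f]+ in (.+)$")
DEDUP_RE = re.compile(r"^DEDUP_TOKEN: (.+)$", re.M)
ZERO_PAGE = 0x1000  # faults below the first page are treated as null-pointer derefs

def parse_frames(report):
    """Return [(frame number, function, file:line:col)] for symbolised frames."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            # the C++ signature contains spaces; the source location is the last token
            func, _, loc = m.group(2).rpartition(" ")
            frames.append((int(m.group(1)), func, loc))
    return frames

def triage(report):
    """Classify an ASAN SEGV: null-deref (usually a crash/DoS) vs. wild pointer."""
    m = ERROR_RE.search(report)
    if not m or m.group(1) != "SEGV":
        return None
    addr = int(m.group(2), 16)
    access = ACCESS_RE.search(report)
    frames = parse_frames(report)
    dedup = DEDUP_RE.search(report)
    return {
        "address": addr,
        "access": access.group(1) if access else None,
        # a WRITE through a non-null wild pointer deserves far more scrutiny than this read
        "kind": "null-deref" if addr < ZERO_PAGE else "wild-pointer",
        "top_frame": frames[0] if frames else None,
        "dedup_token": dedup.group(1) if dedup else (frames[0][1] if frames else None),
        "frames": frames,
    }
```

For this report the helper returns kind "null-deref" with address 8, i.e. a read of a field at offset 8 through a null pointer at TextTrackCue.cpp:62.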
Keywords: bugmon, testcase
Whiteboard: [bugmon:confirm]
Severity: S2 → S4
Priority: -- → P3
Whiteboard: [fuzzblocker]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jimm, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(jmathies)
Blocks: media-triage
Flags: needinfo?(jmathies)
Assignee: nobody → alwu
Blocks: webvtt
No longer blocks: media-triage
Severity: S4 → S3