1798778 - Assertion failure: aLength >= nextFrameHeaderOffset, at /builds/worker/checkouts/gecko/dom/media/ADTSDemuxer.cpp:764

Status: VERIFIED FIXED

(Core :: Audio/Video: Playback, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.mp3

Found while fuzzing m-c 20221102-1f668a84e012 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.mp3

Assertion failure: aLength >= nextFrameHeaderOffset, at /builds/worker/checkouts/gecko/dom/media/ADTSDemuxer.cpp:764

#0 0x7fda4ad04126 in mozilla::ADTSDemuxer::ADTSSniffer(unsigned char const*, unsigned int) /builds/worker/checkouts/gecko/dom/media/ADTSDemuxer.cpp:764:3
#1 0x7fda4e1fe46d in MatchesADTS /builds/worker/checkouts/gecko/toolkit/components/mediasniffer/nsMediaSniffer.cpp:182:10
#2 0x7fda4e1fe46d in nsMediaSniffer::GetMIMETypeFromContent(nsIRequest*, unsigned char const*, unsigned int, nsTSubstring<char>&) /builds/worker/checkouts/gecko/toolkit/components/mediasniffer/nsMediaSniffer.cpp:238:7
#3 0x7fda4752bdf5 in NS_SniffContent(char const*, nsIRequest*, unsigned char const*, unsigned int, nsTSubstring<char>&) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:2848:32
#4 0x7fda47a3994e in mozilla::net::HttpBaseChannel::CallTypeSniffers(void*, unsigned char const*, unsigned int) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpBaseChannel.cpp:5644:3
#5 0x7fda4750fa34 in CallPeekFunc(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:68:3
#6 0x7fda472bce64 in nsPipeInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:1360:12
#7 0x7fda4750f528 in nsInputStreamPump::PeekStream(void (*)(void*, unsigned char const*, unsigned int), void*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:88:24
#8 0x7fda47b1bc1e in mozilla::net::nsHttpChannel::CallOnStartRequest() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:1553:15
#9 0x7fda47b2639a in mozilla::net::nsHttpChannel::ContinueProcessNormal(nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:2640:8
#10 0x7fda47b21b7b in mozilla::net::nsHttpChannel::ContinueProcessResponse3(nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp
#11 0x7fda47b215ef in mozilla::net::nsHttpChannel::ContinueProcessResponse2(nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:2240:10
#12 0x7fda47b210f8 in mozilla::net::nsHttpChannel::ContinueProcessResponse1() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:2213:10
#13 0x7fda47b20791 in mozilla::net::nsHttpChannel::ProcessResponse() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:2121:10
#14 0x7fda47b481c3 in mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:7047:31
#15 0x7fda475115fe in nsInputStreamPump::OnStateStart() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:501:21
#16 0x7fda4751127a in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:407:21
#17 0x7fda475120dc in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp
#18 0x7fda472cb1af in operator() /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:73:47
#19 0x7fda472cb1af in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<CallbackHolder::CallbackHolder(nsIAsyncInputStream*, nsIInputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()>(char const*, CallbackHolder::CallbackHolder(nsIAsyncInputStream*, nsIInputStreamCallback*, unsigned int, nsIEventTarget*)::'lambda'()&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:650:9
#20 0x7fda4730b625 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#21 0x7fda47306c0c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#22 0x7fda473057da in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#23 0x7fda47305b35 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#24 0x7fda4730ef26 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#25 0x7fda4730ef26 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#26 0x7fda473248c8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#27 0x7fda4732b03d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#28 0x7fda47f0bf03 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#29 0x7fda47e32048 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#30 0x7fda47e31f51 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#31 0x7fda47e31f51 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#32 0x7fda4c2b05f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#33 0x7fda4e390e64 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#34 0x7fda4e4d7ba7 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5725:22
#35 0x7fda4e4d8ee2 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5918:8
#36 0x7fda4e4d96c9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5974:21
#37 0x55ee303d194c in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:226:22
#38 0x55ee303d194c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:428:16
#39 0x7fda5be45082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#40 0x55ee303a8188 in _start (/home/worker/builds/m-c-20221102094537-fuzzing-debug/firefox-bin+0x5b188) (BuildId: 9d54c3bae16afe69be2e17742f60095899ba08f5)

Comment 1

[Tyson Smith [:tsmith]]

Please ni? me if you'd like a Pernosco session.

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221102174350-6d65bca9434c.
The bug appears to have been introduced in the following build range:

Start: c3fff370055d2f32f5858b0c90ef6c7bf077efef (20220208163503)
End: bad861b891423d17bc93922efdbc5f55588f5e5b (20220208215108)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c3fff370055d2f32f5858b0c90ef6c7bf077efef&tochange=bad861b891423d17bc93922efdbc5f55588f5e5b

Comment 3

[Dianna Smith [:diannaS]]

:padenot could this be caused by bug 1749761?

Comment 4

[Paul Adenot (:padenot)]

Yes, the assert is overly zealous here, and the case the fuzzer found is actually covered by the test in the return expression. We can simply remove the assert.

Comment 5

[Paul Adenot (:padenot)]

Attachment: Bug 1798778 - Remove an over-zealous assertion when sniffing for an ADTS stream, when the available data is shorter than the next frame header offset. r?alwu

I haven't found a program that plays this file. It crashes some program I tried.

Comment 6

[Paul Adenot (:padenot)]

Attachment: Bug 1798778 - Test sniffing for an ADTS stream, when the available data is shorter than the next frame header offset. r?alwu

Depends on D161574

Comment 7

[Pulsebot]

Pushed by padenot@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/81aa6667d105
Remove an over-zealous assertion when sniffing for an ADTS stream, when the available data is shorter than the next frame header offset. r=alwu
https://hg.mozilla.org/integration/autoland/rev/787e62be625a
Test sniffing for an ADTS stream, when the available data is shorter than the next frame header offset. r=alwu

Comment 8

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/81aa6667d105
https://hg.mozilla.org/mozilla-central/rev/787e62be625a

Comment 9

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20221110044858-57d2a9aee4e4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.