Closed Bug 1814736 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(header offset > size) at /builds/worker/checkouts/gecko/third_party/rust/mp4parse/src/lib.rs:2422

Categories: Core :: Graphics: ImageLib, defect

Tracking: RESOLVED FIXED, 111 Branch
Tracking Status:
firefox-esr102 --- unaffected
firefox109 --- unaffected
firefox110 --- unaffected
firefox111 --- fixed

People: Reporter: tsmith, Assigned: Zaggy1024

References: Blocks 1 open bug

Details: Keywords: assertion, testcase

Attachments: 2 files

Attached image testcase.avif

Found while fuzzing m-c 20230201-b7f075124503 (--enable-debug --enable-fuzzing)

Requires pref image.avif.sequence.enabled=true

Hit MOZ_CRASH(header offset > size) at /builds/worker/checkouts/gecko/third_party/rust/mp4parse/src/lib.rs:2422

#0 0x7f05fdb83019 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f05fdb83019 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f05fdb82ed4 in mozglue_static::panic_hook::ha59f1f267114bf19 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f05fdb813e5 in core::ops::function::Fn::call::h4841581de0cbdbcb /builds/worker/fetches/rust/library/core/src/ops/function.rs:161:5
#4 0x7f0601550fcf in std::panicking::rust_panic_with_hook::he624a806f54fe0a0 (/home/user/workspace/browsers/m-c-20230201215112-fuzzing-asan-opt/libxul.so+0x28415fcf) (BuildId: 7fddc85b62763055da0737092391e12ca0d3c5da)
#5 0x7f0601566e28 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h36ff83c71c517f4b std.9b381759-cgu.7
#6 0x7f0601566c0b in std::sys_common::backtrace::__rust_end_short_backtrace::ha77f947ed714341e std.9b381759-cgu.7
#7 0x7f0601550b31 in rust_begin_unwind (/home/user/workspace/browsers/m-c-20230201215112-fuzzing-asan-opt/libxul.so+0x28415b31) (BuildId: 7fddc85b62763055da0737092391e12ca0d3c5da)
#8 0x7f06015c5132 in core::panicking::panic_fmt::h4b9a34e0258d41d3 (/home/user/workspace/browsers/m-c-20230201215112-fuzzing-asan-opt/libxul.so+0x2848a132) (BuildId: 7fddc85b62763055da0737092391e12ca0d3c5da)
#9 0x7f06015b47d0 in core::panicking::panic_display::h92fec27e51d23087 core.07381e02-cgu.15
#10 0x7f06015b477a in core::panicking::panic_str::h62612708ab28b93f core.07381e02-cgu.15
#11 0x7f06015b4755 in core::option::expect_failed::h368000c9d0d6add0 (/home/user/workspace/browsers/m-c-20230201215112-fuzzing-asan-opt/libxul.so+0x28479755) (BuildId: 7fddc85b62763055da0737092391e12ca0d3c5da)
#12 0x7f05fd909ea6 in core::option::Option$LT$T$GT$::expect::h4d56610a0ff59903 /builds/worker/fetches/rust/library/core/src/option.rs:741:21
#13 0x7f05fd909ea6 in mp4parse::skip_box_content::h676b1c9bd9bc1ca5 /builds/worker/checkouts/gecko/third_party/rust/mp4parse/src/lib.rs:2422:9
#14 0x7f05fd909ea6 in mp4parse::read_avif_meta::h2b36ea238dfc14e0 /builds/worker/checkouts/gecko/third_party/rust/mp4parse/src/lib.rs:2916:18
#15 0x7f05fda5fb2f in mp4parse::read_avif::hb5405be34e31d066 /builds/worker/checkouts/gecko/third_party/rust/mp4parse/src/lib.rs:2531:29
#16 0x7f05fda5fb2f in _$LT$mp4parse_capi..Mp4parseAvifParser$u20$as$u20$mp4parse_capi..ContextParser$GT$::read::hf16871876e2d5ae9 /builds/worker/checkouts/gecko/third_party/rust/mp4parse_capi/src/lib.rs:423:17
#17 0x7f05fda5fb2f in mp4parse_capi::mp4parse_new_common_safe::hcd47a5775c0e1be8 /builds/worker/checkouts/gecko/third_party/rust/mp4parse_capi/src/lib.rs:534:5
#18 0x7f05fda5fb2f in mp4parse_capi::mp4parse_new_common::h941fff2af0fbb5da /builds/worker/checkouts/gecko/third_party/rust/mp4parse_capi/src/lib.rs:520:15
#19 0x7f05fda5fb2f in mp4parse_avif_new /builds/worker/checkouts/gecko/third_party/rust/mp4parse_capi/src/lib.rs:503:5
#20 0x7f05ece65044 in mozilla::image::AVIFParser::Init(mozilla::ByteStream*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:317:7
#21 0x7f05ece64ec5 in mozilla::image::AVIFParser::Create(Mp4parseIo const*, mozilla::ByteStream*, mozilla::UniquePtr<mozilla::image::AVIFParser, mozilla::DefaultDelete<mozilla::image::AVIFParser>>&) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:208:30
#22 0x7f05ece723c3 in mozilla::image::nsAVIFDecoder::CreateParser() /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1216:9
#23 0x7f05ece6cc3b in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1410:33
#24 0x7f05ece6bd6e in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/decoders/nsAVIFDecoder.cpp:1181:25
#25 0x7f05ecd56f4f in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /builds/worker/checkouts/gecko/image/Decoder.cpp:177:19
#26 0x7f05ecd7d07a in mozilla::image::MetadataDecodingTask::Run() /builds/worker/checkouts/gecko/image/IDecodingTask.cpp:161:34
#27 0x7f05ecd914bb in mozilla::image::DecodingTask::Run() /builds/worker/checkouts/gecko/image/DecodePool.cpp:146:12
#28 0x7f05ea14b34d in mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:328:33
#29 0x7f060c1eb628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#30 0x7f060c9ceb42 in start_thread nptl/pthread_create.c:442:8
#31 0x7f060ca609ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

This is the issue most commonly reported by the libfuzzer targets (at the time of writing).

Severity: -- → S3
Crash Signature: [@ core::option::expect_failed | mp4parse::skip_box_content<T> ]

This does not reproduce before bug 1788119 landed. But it does reproduce after bug 1788119 and there it reproduces with image.avif.sequence.enabled=false.

This should be fixed in mp4parse#392.

Assignee: nobody → Zaggy1024
Pushed by mgregan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c6e823d1e1a8
Update mp4parse to fix a crash on files with invalid box sizes. r=kinetik
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
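The stack above shows core::option::expect_failed inside mp4parse::skip_box_content, i.e. the parser hit a box whose declared size was smaller than the length of its own header, so computing the number of content bytes to skip had nothing sensible to return. The following is an added example, not mp4parse's or Gecko's code, of the defensive shape such a reader should have: validate size >= header length when the header is read and return an error, so that the later subtraction cannot underflow and malformed input ends in a decode error rather than an abort. Names (BoxHeader, BoxError, read_box_header, skip_box_content, content_len) and the sample byte strings are constructed for this example; they are not taken from the bug's testcase.avif.

```rust
// Added example (not mp4parse's own code): a minimal ISOBMFF/MP4 box-header
// reader that rejects headers whose declared size is smaller than the header
// itself, instead of panicking later on "header offset > size".
use std::io::{self, Read};

/// Box header: declared total size (including the header), the 4CC type,
/// and the number of header bytes already consumed ("offset").
#[derive(Debug, PartialEq, Eq)]
pub struct BoxHeader {
    pub size: u64,
    pub kind: [u8; 4],
    pub offset: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum BoxError {
    /// Input ended before the header or the box content was complete.
    Truncated,
    /// Declared size smaller than the header length; would underflow later.
    InvalidSize { size: u64, offset: u64 },
    /// size == 0 means "box extends to end of file"; not supported here.
    UnsupportedSize,
}

impl From<io::Error> for BoxError {
    fn from(_: io::Error) -> Self {
        BoxError::Truncated
    }
}

/// Read a box header (8 bytes, or 16 bytes when size == 1 and a 64-bit
/// "largesize" follows) and enforce the size >= offset invariant here.
pub fn read_box_header<R: Read>(src: &mut R) -> Result<BoxHeader, BoxError> {
    let mut buf = [0u8; 8];
    src.read_exact(&mut buf)?;
    let size32 = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]);
    let kind = [buf[4], buf[5], buf[6], buf[7]];
    let (size, offset) = match size32 {
        0 => return Err(BoxError::UnsupportedSize),
        1 => {
            let mut large = [0u8; 8];
            src.read_exact(&mut large)?;
            (u64::from_be_bytes(large), 16u64)
        }
        n => (u64::from(n), 8u64),
    };
    if size < offset {
        // The check the crash was missing: reject, don't expect()/unwrap().
        return Err(BoxError::InvalidSize { size, offset });
    }
    Ok(BoxHeader { size, kind, offset })
}

/// Content bytes that follow the header. Cannot underflow because
/// read_box_header already guaranteed size >= offset.
pub fn content_len(h: &BoxHeader) -> u64 {
    h.size - h.offset
}

/// Skip an unknown box's content; a box claiming more bytes than the
/// stream holds is reported as Truncated rather than silently accepted.
pub fn skip_box_content<R: Read>(src: &mut R, h: &BoxHeader) -> Result<u64, BoxError> {
    let n = content_len(h);
    let copied = io::copy(&mut src.take(n), &mut io::sink())?;
    if copied != n {
        return Err(BoxError::Truncated);
    }
    Ok(copied)
}

// Constructed sample boxes (labelled: made up for this example).
/// 'free' box, size 12 = 8-byte header + 4 bytes of content.
pub const VALID_FREE: [u8; 12] = [0, 0, 0, 12, b'f', b'r', b'e', b'e', 1, 2, 3, 4];
/// 32-bit size 4, smaller than the 8-byte header it describes.
pub const SIZE_LT_HEADER: [u8; 8] = [0, 0, 0, 4, b'f', b'r', b'e', b'e'];
/// size == 1 with a 64-bit largesize of 12, smaller than the 16-byte header.
pub const LARGE_LT_HEADER: [u8; 16] =
    [0, 0, 0, 1, b'f', b'r', b'e', b'e', 0, 0, 0, 0, 0, 0, 0, 12];
/// Valid header that claims 100 bytes while only 4 bytes of content exist.
pub const TRUNCATED_BOX: [u8; 12] = [0, 0, 0, 100, b'f', b'r', b'e', b'e', 1, 2, 3, 4];

fn main() {
    for bytes in [&VALID_FREE[..], &SIZE_LT_HEADER[..], &LARGE_LT_HEADER[..], &TRUNCATED_BOX[..]] {
        let mut cur = &bytes[..];
        match read_box_header(&mut cur) {
            Ok(h) => match skip_box_content(&mut cur, &h) {
                Ok(n) => println!("ok: {:?}, skipped {} content bytes", h, n),
                Err(e) => println!("header ok but content invalid: {:?}", e),
            },
            Err(e) => println!("rejected header: {:?}", e),
        }
    }
}
```

The design point is where the invariant lives: once the header reader has refused size < offset, every later consumer (skipping, seeking to the next sibling, computing payload length) can use plain subtraction without a checked_sub-then-expect pattern, and fuzzers find a clean error path instead of a MOZ_CRASH.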