Closed Bug 1835044 Opened 1 year ago Closed 1 year ago

nsTArray bounds check crash in mozilla::media::IntervalSet

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 --- unaffected
firefox115 --- fixed

People

(Reporter: jandem, Assigned: padenot)

References

(
URL
)

Details

(Keywords: crash, sec-other)

Crash Data

Attachments

(1 file)

Bug 1835044 - Properly compare extremely large TimeUnits. r?alwu
48 bytes, text/x-phabricator-request
Details | Review

I was looking at crash URLs for bug 1834386 and, trying one of them (see URL field, you may have to check "I agree" and then "Next"), I get this crash:

https://crash-stats.mozilla.org/report/index/1d50e38d-139b-45d7-95e5-99a400230525

Marking as security-sensitive in case there are issues not caught by the nsTArray release assertions.

Note that you need to be on the latest Nightly (from a few hours ago) because else it crashes due to bug 1834984.

Group: core-security → media-core-security
Crash Signature: [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::operator[] | mozilla::media::IntervalSet<T>::operator[] ]
Keywords: crash

This bug has the keyword crash, so its type should be defect.

Type: task → defect
Flags: needinfo?(padenot)

This crash is a bit odd because the crash annotation seems to be missing.

That's a fun one.

This site doesn't play here in France, but before that it can crash because a couple buffers are appended. It's using MSE, and the start time in their mp4 container is about 53 years or so. So we do all our calculations in the fallback code that translates the rational numbers into doubles, and there was a bug in the operator>= implementation in the fallback path: https://searchfox.org/mozilla-central/rev/daedd554ae8a2c7f420ad77311134c8c298ba318/dom/media/TimeUnits.cpp#204-207. But an earlier interval computation was comparing the numbers in a different way, resulting in a correct comparison code being used.

Those are meant to be divisions (or we can also swap the multiplicators, so we multiply the number in the same base, but it's easier convert to seconds: the numbers are smaller, the precision is better).

And also the unit test for this was wrong of course.

Flags: needinfo?(padenot)
Assignee: nobody → padenot
Status: NEW → ASSIGNED

I plan to land this directly because it's nightly-only and we know precisely when this landed (last week).

I'll mark this sec-other. It sounds like there's no known security issue and it is Nightly only with a patch up for review, but it does seem like there could be some issues somewhere so we might want to leave it hidden until a fix lands.

Keywords: sec-other

Properly compare extremely large TimeUnits. r=alwu
https://hg.mozilla.org/integration/autoland/rev/2f0238fa0a6b6167a7fbf5cbeb1803b579fdbe85
https://hg.mozilla.org/mozilla-central/rev/2f0238fa0a6b

Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox115: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
Group: core-security-release
Blocks: 1909614
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: