Closed Bug 1937978 Opened 11 months ago Closed 10 months ago

ClearKey crash on AV1

Categories

(Core :: Audio/Video: GMP, defect)

Firefox 133
defect

Tracking

VERIFIED FIXED
136 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- verified
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- verified
firefox136 --- verified

People

(Reporter: vitaly.ivanov, Assigned: pehrsons)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Attachments

(5 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36

Steps to reproduce:

  1. Download https://github.com/vitaly-castLabs/mse-eme-player/blob/main/media/av1-test-v-encr.mp4
  2. Open https://vitaly-castlabs.github.io/mse-eme-player/ in Firefox.
  3. Set MIME to video/mp4;codecs="av01.0.04M.08".
  4. Hit Browse... and select the file downloaded in step 1.

Tested on Win 11 24H2, Core Ultra 7 258V laptop, no external GPU

Actual results:

It shows 1 frame and stops with "The clearkey plugin has crashed"

Expected results:

Normal playback. The video can be played by Chrome and ffplay (ffplay -decryption_key 3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c ./av1-test-v-encr.mp4) without any issues

The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Component: Audio/Video: Playback → Audio/Video: GMP
See Also: → 1765465
Status: UNCONFIRMED → NEW
Crash Signature: [@ ClearKeyUtils::DecryptCbcs ]
Ever confirmed: true

Bisection:
Bug 1601817 - Add plumbing to expose Widevine and Clearkey AV1 support. r=media-playback-reviewers,geckoview-reviewers,owlish,alwu

This patch adds in the necessary plumbing to allow attempting to use the
Widevine and Clearkey plugins for EME decryption with AV1 codecs.

Differential Revision: https://phabricator.services.mozilla.com/D174359

Keywords: regression
Regressed by: 1601817

Profile with "media playback" preset logging: https://share.firefox.dev/4glX9fG

Flags: needinfo?(aosmond)

Set release status flags based on info from the regressing bug 1601817

This might happen (just a shot in the dark) due to SVT AV1 encoder not producing OBU_TEMPORAL_DELIMITERs consistently - they seemed to be dropped randomly. When I switch to libaom (or standalone aomenc), the crash no longer happens. So this works:

ffmpeg -f lavfi -i testsrc=n=2:size=640x480:rate=30 -t 5 -f yuv4mpegpipe -pix_fmt yuv420p - | aomenc - --codec=av1 --obu --i420 --width=640 --height=480 --fps=30/1 --cpu-used=5 --rt --cq-level=40 --tile-rows=2 --num-tile-groups=2 -o av1-test.obu && \
ffmpeg -i av1-test.obu -c:v copy -f mp4 -movflags frag_keyframe+empty_moov+default_base_moof av1-test-frag.mp4 && \
packager in=av1-test-frag.mp4,stream=video,output=av1-test-frag-encr.mp4,drm_label=VIDEO --protection_scheme cbcs --enable_raw_key_encryption --keys label=VIDEO:key_id=00000000000000000000000000000001:key=3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c:iv=d5fbd6b82ed93e4ef98ae40931ee33b7 --protection_systems CommonSystem --segment_duration 1 --fragment_duration 1 --fragment_sap_aligned=false --segment_sap_aligned=false --clear_lead 0 --nogenerate_sidx_in_media_segments

While if I generate it the way it's described here, the resulting encrypted fmp4 crashes ClearKey plugin:
https://github.com/vitaly-castLabs/mse-eme-player/blob/main/README.md

Severity: -- → S3
See Also: → 1908682

I got notice of this crash through the following STR:

Expected Result:
Video plays

Actual Result:
Plugin process crashes in ClearKeyUtils::DecryptCbcs, accessing the first element in an empty Span.

Reporting success when decrypting an empty buffer works for the case above, I'll put up a patch to propose this as a fix.

Flags: needinfo?(aosmond)
Assignee: nobody → apehrson
Status: NEW → ASSIGNED

Without the early exit, DecryptCbcs() will try to get the address of the first
element in the subsample (Span), which with length 0 is forbidden.

This could also be solved by getting the address of the Span through data()
instead, to avoid dereferencing the first element. That seems more like a
footgun than the early exit however.
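
The empty-subsample failure and the early-exit fix described in the commit message above, as an added C++ example that is not Mozilla's ClearKey code. `ByteSpan`, `ToyDecrypt`, `DecryptSample` and the subsample sizes are hypothetical, the XOR transform is a placeholder for AES-CBC, and the bounds-check fault is modelled as an exception so it can be observed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical bounds-checked span: operator[] rejects every index >= len, so
// &s[0] on an empty span faults (an exception here; a release assert would abort).
struct ByteSpan {
  uint8_t* ptr;
  size_t len;
  uint8_t& operator[](size_t i) const {
    if (i >= len) throw std::out_of_range("ByteSpan index out of range");
    return ptr[i];
  }
};

// Placeholder transform (XOR), not AES-CBC: only the buffer handling matters.
static void ToyDecrypt(uint8_t* p, size_t n, uint8_t key) {
  for (size_t i = 0; i < n; ++i) p[i] ^= key;
}
// Crashing pattern: the address of element 0 is taken unconditionally.
bool DecryptUnguarded(ByteSpan sub, uint8_t key) {
  ToyDecrypt(&sub[0], sub.len, key);  // faults when sub.len == 0
  return true;
}
// Early exit: an empty subsample has nothing to decrypt, so report success.
bool DecryptGuarded(ByteSpan sub, uint8_t key) {
  if (sub.len == 0) return true;
  ToyDecrypt(&sub[0], sub.len, key);
  return true;
}
// Feeds constructed subsamples of 4, 0 and 2 bytes to `decrypt`. Returns false
// if any of them faulted, which stands in for the plugin crashing mid-sample.
template <typename F>
bool DecryptSample(F decrypt, std::vector<uint8_t>& sample) {
  size_t off = 0;
  try {
    for (size_t n : {size_t{4}, size_t{0}, size_t{2}}) {
      decrypt(ByteSpan{sample.data() + off, n}, 0x3c);
      off += n;
    }
  } catch (const std::out_of_range&) { return false; }
  return true;
}

int main() {  // exit code 0 when only the unguarded variant faults
  std::vector<uint8_t> a(6, 0x3c), b(6, 0x3c);
  return (!DecryptSample(DecryptUnguarded, a) && DecryptSample(DecryptGuarded, b)) ? 0 : 1;
}
```

With the unguarded variant the first four bytes are processed and the rest of the sample is never reached, which is why a single zero-length subsample is enough to stop playback.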

Pushed by pehrsons@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2b4b08e13b75 Exit early with success when decrypting an empty CBCS subsample buffer with ClearKey. r=media-playback-reviewers,aosmond

Bug 1601817 is the regressor because it enables ClearKey for AV1. However, this may impact other codecs too.

No longer regressed by: 1601817
Blocks: clearkey
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch

Original Revision: https://phabricator.services.mozilla.com/D235310

Attachment #9461482 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

Flags: qe-verify+

Attachment #9461484 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: Decoding of some media content will fail due to plugin process crashes
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: See https://bugzilla.mozilla.org/show_bug.cgi?id=1937978#c7; https://bugzilla.mozilla.org/show_bug.cgi?id=1908682#c0 if you can get access
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Trivial; adds early exit guards for cases that would otherwise crash
  • String changes made/needed: None
  • Is Android affected?: no
Attachment #9461484 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9461482 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]
Attached image 1937978.gif

Reproduced the issue with Firefox 136.0a1 (2025-01-20) on Windows 10x64 by following steps from comment 0 and comment 7. Clearkey plugin crashes after following the steps.
The issue is verified fixed with Firefox 136.0a1 (2025-01-26), 135.0b10 (20250124174536 - comment 17) and 128.7.0esr (20250124132142 - comment 16) on Windows 10x64, macOS 12 and Ubuntu 24. The clearkey plugin no longer crashes and the videos are successfully played after following the steps from comment 0 and comment 7. Unfortunately, we don't have an account for the https://www.pw.live/ webpage.
However, on Windows 10x64 with Nightly 136.0a1 (2025-01-26), if I click the seek bar from comment 0 to almost the end, I get a "Video can't be played because the file is corrupt" error (see screen recording). This only happens with the latest nightly and on Windows 10x64. I cannot reproduce this with 135.0b10 (20250124174536 - comment 17) and 128.7.0esr (20250124132142 - comment 16). Should we close this one and file a new issue for this? Thank you!

Flags: needinfo?(apehrson)

Yes, please file another issue, this seems separate.

Flags: needinfo?(apehrson)

(In reply to Andreas Pehrson [:pehrsons] from comment #19)

Yes, please file another issue, this seems separate.

Thank you! I have filed bug 1943934. Closing this one as verified per comment 18.

Status: RESOLVED → VERIFIED
Has STR: --- → yes
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
See Also: → 1943934