Open Bug 2004810 Opened 1 day ago Updated 1 day ago

WebM demuxer converts uint64 duration to int64 without bounds check, causing wrap to negative TimeUnit

Categories

(Core :: Audio/Video: Playback, defect)

Firefox 148
defect


UNCONFIRMED

People

(Reporter: zzjas98, Unassigned)

Details

Attachments

(1 file)

Attached file poc.zip (967 bytes, application/zip)

Steps to reproduce:

  • We tested on commit 2ffc25def47ca208d9247c71838598359600b817
  • Unzip the poc.zip
  • Set MOZ_LOG="MediaDemuxer:5"
  • Load the poc.html
  • The log will show large negative duration:
[Child 1834476: MediaPDecoder #1]: D/MediaDemuxer WebMDemuxer[55d8e0dfb390] ::ReadMetadata: stream duration: -8446744073.709552
...
[Child 1834476: MediaPDecoder #1]: D/MediaDemuxer WebMDemuxer[55d8e0dfb390] ::GetBuffered: Duration: -8446744073.709552 StartTime: 0.000000

Cause:

In WebMDemuxer.cpp line 506-510,
nestegg_duration() function returns a uint64_t value, but it's passed directly to TimeUnit::FromNanoseconds() which takes an int64_t.

Similarly, WebMDemuxer.cpp line 549-555 does the same conversion without bounds check.

We believe this is only a correctness bug since there is no unsafe downstream usage of the negative duration value. Please let us know if we missed anything or if you have any feedback!

Thank you!

Actual results:

integer overflow

Expected results:

no integer overflow
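As an added illustration of the narrowing described in the report (not code from the reporter, the PoC, or Firefox itself), the unchecked uint64_t to int64_t conversion is shown beside a bounds-checked variant. The helper names and the "treat as unknown" handling are hypothetical; the sample value is constructed so that it wraps to the -8446744073.709552 s seen in the MediaDemuxer log.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Stand-in for what nestegg_duration() reports: the stream duration in
// nanoseconds as a uint64_t. (Hypothetical alias; the real demuxer reads
// the value out of the WebM file.)
using NsU64 = uint64_t;

// The buggy pattern: the uint64_t is narrowed to int64_t when handed to a
// function taking int64_t (TimeUnit::FromNanoseconds on the page). Any
// value above INT64_MAX wraps to a negative number.
int64_t UncheckedToNs(NsU64 aDurationNs) {
  return static_cast<int64_t>(aDurationNs);  // implicit in the original call
}

// Illustrative bounds check (not Firefox's actual patch): refuse durations
// that do not fit in int64_t so the caller can treat the duration as unknown
// instead of propagating a negative TimeUnit.
bool CheckedToNs(NsU64 aDurationNs, int64_t* aOut) {
  const uint64_t kMax =
      static_cast<uint64_t>(std::numeric_limits<int64_t>::max());
  if (aDurationNs > kMax) {
    return false;
  }
  *aOut = static_cast<int64_t>(aDurationNs);
  return true;
}

// Seconds as the MediaDemuxer log prints them ("stream duration: %f").
double ToSeconds(int64_t aNs) { return static_cast<double>(aNs) / 1e9; }

// Constructed sample: 2^64 - 8446744073709552, i.e. the uint64_t that wraps
// to the -8446744073.709552 s shown in the report's log output.
constexpr NsU64 kPocDurationNs = 18438297329635842064ULL;

int main() {
  std::printf("unchecked: %f s\n", ToSeconds(UncheckedToNs(kPocDurationNs)));
  int64_t ns = 0;
  if (CheckedToNs(kPocDurationNs, &ns)) {
    std::printf("checked: %f s\n", ToSeconds(ns));
  } else {
    std::printf("checked: duration exceeds int64_t, treating as unknown\n");
  }
  return 0;
}
```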

