Closed
Bug 493224
Opened 15 years ago
Closed 15 years ago
Crash [@ oggplay_buffer_release] with malformed ogg file
Categories
(Core :: Audio/Video, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: martijn.martijn, Assigned: cajbir)
References
()
Details
(Keywords: crash, testcase, verified1.9.1, Whiteboard: [sg:critical?])
Crash Data
Attachments
(2 files, 1 obsolete file)
11.30 KB,
patch
|
roc
:
approval1.9.1+
|
Details | Diff | Splinter Review |
385.58 KB,
application/octet-stream
|
Details |
See url, when viewing that ogg file in the browser, it crashes after a view seconds. http://crash-stats.mozilla.com/report/index/92afc3ec-5c1d-4ba3-8cc6-6a6bb2090515 0 xul.dll oggplay_buffer_release media/liboggplay/src/liboggplay/oggplay_buffer.c:313 1 xul.dll nsOggDecodeStateMachine::NextFrame content/media/video/src/nsOggDecoder.cpp:735 2 xul.dll nsOggDecodeStateMachine::QueueDecodedFrames content/media/video/src/nsOggDecoder.cpp:1015 3 xul.dll nsOggDecodeStateMachine::PlayFrame content/media/video/src/nsOggDecoder.cpp:820 4 xul.dll nsOggDecodeStateMachine::Run content/media/video/src/nsOggDecoder.cpp:1252 5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510 6 xul.dll NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:230 7 xul.dll nsThread::ThreadFunc xpcom/threads/nsThread.cpp:254 8 nspr4.dll _PR_NativeRunThread nsprpub/pr/src/threads/combined/pruthr.c:426 9 nspr4.dll pr_root nsprpub/pr/src/md/windows/w95thred.c:122 10 mozcrt19.dll _callthreadstartex obj-firefox/memory/jemalloc/crtsrc/threadex.c:348 11 mozcrt19.dll _threadstartex obj-firefox/memory/jemalloc/crtsrc/threadex.c:326 12 kernel32.dll kernel32.dll@0xb728 I guess it might be related to a couple of the other bugs that are open about this, not sure.
Assignee | ||
Comment 1•15 years ago
|
||
Crashes in command line liboggplay based player as well. Added liboggplay maintainer to the CC list.
Reporter | ||
Updated•15 years ago
|
Flags: blocking1.9.2?
Flags: blocking1.9.1?
Wouldn't block the release on this, would still take a patch.
Flags: blocking1.9.1? → wanted1.9.1+
Comment 3•15 years ago
|
||
The problem with the given ogg content is that the theora stream is not following the specifications: ogg spec. requires that in any stream the granule position will never decrease. the ogg contents mentioned in bug 463726 are having the same problem. The theora frames' granule position is sometimes decreasing. The attach patch basically drops the frames which has smaller granule position than the last - 'valid' - seen one. Of course by this the video is not going to be 'consistent' - meaning the video 'freezes' (see football.ogg) -, but it is a badly created content. Maybe it would be better that in case we detect this behavior we simply stop decoding the content, instead of trying to enforce the decoding in the above mentioned way... any ideas/suggestions/comments?
Either way is fine --- actually, whatever is simplest is best --- but it should actually be specified in the Ogg or Theora specs. We don't want to be in a situation where one player plays the content and another doesn't.
> The problem with the given ogg content is that the theora stream is not
> following the specifications
Yeah, we're talking about content created by bad guys who are trying to take over the browser, who aren't interested in following the specification :-)
Assignee | ||
Comment 5•15 years ago
|
||
Viktor's fix from comment 3 packaged up with README_MOZILLA, changes, etc.
Assignee: nobody → chris.double
Attachment #378353 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Whiteboard: [needs landing]
http://hg.mozilla.org/mozilla-central/rev/2d3e4849df48 We should have a testcase here.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [needs landing] → [needs 191 landing]
Attachment #378509 -
Flags: approval1.9.1+
Comment 8•15 years ago
|
||
(In reply to comment #3) > The problem with the given ogg content is that the theora stream is not > following the specifications: ogg spec. Evil hackers make their living violating specs. Expect the unexpected!
Comment 9•15 years ago
|
||
The "testcase" keyword means there's a testcase attached to the bug. A URL pointing at a server doesn't count because that can go away and invalidate the keyword.
Keywords: testcase → testcase-wanted
Whiteboard: [sg:critical?]
Comment 10•15 years ago
|
||
Updated•15 years ago
|
Attachment #378917 -
Attachment description: testcase URL → testcase from URL
Updated•15 years ago
|
Keywords: testcase-wanted → testcase
Comment 11•15 years ago
|
||
Verified fixed with on trunk and 1.9.1: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090526 Minefield/3.6a1pre ID:20090526044156 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090526 Shiretoko/3.5pre (.NET CLR 3.5.30729) ID:20090526042535
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Updated•13 years ago
|
Crash Signature: [@ oggplay_buffer_release]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•