Closed Bug 498855 Opened 16 years ago Closed 16 years ago

Crash in vorbis_synthesis

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: ladamski, Assigned: cajbir)

References

Details

(Keywords: crash, testcase, verified1.9.1, Whiteboard: [sg:dos])

Attachments

(5 files, 3 obsolete files)

Fix
3.68 KB, patch
cajbir
: review+
beltzner
: approval1.9.1+
Details | Diff | Splinter Review
Testcase 1 - crashes browser
20.00 KB, video/ogg
Details
Testcase 2 - crashes browser
20.00 KB, video/ogg
Details
Testcase 3 - crashes browser
20.00 KB, video/ogg
Details
Patch - add test
72.11 KB, patch
Details | Diff | Splinter Review
Lots of crashes for this one. I know we had a previous vorbis_synthesis issue but this one seems to be different / previously protected by the CRC checks. #0 0x135828df in vorbis_synthesis at vorbis_synthesis.c:30 #1 0x1354fdec in fs_vorbis_decode at fishsound_vorbis.c:158 #2 0x1354f132 in fish_sound_decode at fishsound_decode.c:117 #3 0x13554b0f in oggplay_callback_audio at oggplay_callback.c:391 #4 0x13561a99 in oggz_read_deliver_packet at oggz_read.c:298 #5 0x13560ce1 in oggz_dlist_deliter at oggz_dlist.c:183 #6 0x13561f89 in oggz_read_sync at oggz_read.c:462 #7 0x13562469 in oggz_read at oggz_read.c:606 #8 0x13552f02 in oggplay_initialise at oggplay.c:122 #9 0x13552fb3 in oggplay_open_with_reader at oggplay.c:159 #10 0x13541fc0 in nsOggDecodeStateMachine::LoadOggHeaders at nsOggDecoder.cpp:1752 #11 0x13546669 in nsOggDecodeStateMachine::Run at nsOggDecoder.cpp:1422 #12 0x005759e4 in nsThread::ProcessNextEvent at nsThread.cpp:510 #13 0x004fe968 in NS_ProcessNextEvent_P at nsThreadUtils.cpp:227 #14 0x00575bf3 in nsThread::ThreadFunc at nsThread.cpp:254 #15 0x00728465 in _pt_root at ptthread.c:228 #16 0x96291155 in _pthread_start #17 0x96291012 in thread_start
Whiteboard: [sg:critical]
Flags: blocking1.9.1?
This particular stack trace is bug 496684 which has langed on trunk. Applying this patch to 1.9.1 fixes two of these files but one still crashes. Looking into it.
Depends on: 496684
Flags: blocking1.9.1? → blocking1.9.1+
Attached patch FixSplinter Review
This patch fixes the crash and stops the files from playing by checking for a null value and returning an error. It requires bug 496684 to be landed (it's on trunk but not branch) for liboggplay to detect the return value and stop playing. The underlying issue is due to problems that liboggplay has with Ogg headers. A complete fix is pending from the liboggplay maintainers for the header issues - this is a continuing issue from bug 496684 and the bug that was spawned from.
Assignee: nobody → chris.double
Status: NEW → ASSIGNED
Null derefs, not sg:critical.
Whiteboard: [sg:critical] → [sg:critical][needs review]
Updating sg: tag per roc's comment, also not a blocker for 1.9.1 if there isn't security exposure.
Flags: blocking1.9.1+ → blocking1.9.1-
Whiteboard: [sg:critical][needs review] → [sg:dosl][needs review]
Whiteboard: [sg:dosl][needs review] → [sg:dos][needs review]
Attachment #383733 - Flags: review?(monty)
This is Lucas' testcase 1 with CRCs corrected, crashes browser without "disable CRC check patch" applied.
Attachment #383673 - Attachment is obsolete: true
This is Lucas' testcase 2 with CRCs corrected, crashes browser without "disable CRC check patch" applied.
Attachment #383674 - Attachment is obsolete: true
This is Lucas' testcase 3 with CRCs corrected, crashes browser without "disable CRC check patch" applied.
Attachment #383675 - Attachment is obsolete: true
Pushed to mozilla-central: http://hg.mozilla.org/mozilla-central/rev/1271d9a47bfb
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Reviewed by monty on irc.
Whiteboard: [sg:dos][needs review] → [sg:dos]
Attachment #383733 - Flags: review?(monty) → review+
Verified fixed on trunk and 1.9.1 with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090623 Minefield/3.6a1pre ID:20090623035831 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 ID:20090624012136
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Keywords: fixed1.9.1crash, verified1.9.1
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
Attached patch Patch - add testSplinter Review
Patch - adds testcase which ensures that the 3 testcase files here don't load, they throw an error. This is rebased on top of the "Patch - add test" in bug 499519.
Testcase pushed to m-c: http://hg.mozilla.org/mozilla-central/rev/0234cf1eee13
Flags: in-testsuite? → in-testsuite+
Chris, will those tests also be pushed to 1.9.1? And can we open this bug to the public now?
Is the patch included in a public release? If it's not, the bug can't be opened up. And it seems to me the test shouldn't have been checked in yet, but probably Chris knows better and it's no problem the test has been checked in yet.
Oh, this was a null deref, so no security problem, and apparently, the bug has become public now, at this time of writing. The tests can also be pushed to 1.9.1, but whether they will get pushed to 1.9.1 depends on if someone pushes them to that release.
Unfortunately 1.9.1 has a different test harness structure so the test will need to be redone for 1.9.1.
Flags: wanted1.9.0.x-
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: