Closed Bug 504644 Opened 16 years ago Closed 16 years ago

crash (segfault) [@ _vorbis_unpack_comment] when playing corrupted ogg vorbis/theora file

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.1 --- .4-fixed

People

(Reporter: keeler, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 501279])

Crash Data

Attachments

(2 files)

test file that causes crash
128.04 KB, audio/ogg
Details
stack trace of relevant thread
2.94 KB, text/plain
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060308 Ubuntu/9.04 (jaunty) Firefox/3.0.11 Build Identifier: mozilla-central revision c121e64e9940 Segmentation fault when playing corrupted ogg vorbis/theora file (attached). Reproducible: Always Steps to Reproduce: 1. Load attached file. Actual Results: firefox crashes Expected Results: some sort of "this file is corrupted" message Backtrace from a program that uses the ogg libraries similarly to firefox (i.e. oggplayer): Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb77a36d0 (LWP 16379)] 0x0807ffb8 in vorbis_synthesis_headerin () Current language: auto; currently asm (gdb) backtrace #0 0x0807ffb8 in vorbis_synthesis_headerin () #1 0x0805cdf8 in fs_vorbis_decode (fsound=0x8760b58, buf=0x0, bytes=77) at fishsound_vorbis.c:131 #2 0x08057029 in oggplay_callback_audio (oggz=0x8748200, op=0xbfdfb8b8, serialno=1242478144, user_data=0x8760af0) at oggplay_callback.c:392 #3 0x08056e4a in oggplay_callback_predetected (oggz=0x8748200, op=0xbfdfb8b8, serialno=1242478144, user_data=0x8748040) at oggplay_callback.c:653 #4 0x0805fff0 in oggz_read_sync (oggz=0x8748200) at oggz_read.c:486 #5 0x08060783 in oggz_read (oggz=0x8748200, n=8192) at oggz_read.c:606 #6 0x080559c9 in oggplay_initialise (me=0x8748040, block=0) at oggplay.c:122 #7 0x08055af8 in oggplay_open_with_reader (reader=0x8748008) at oggplay.c:159 #8 0x0804d8e7 in main (argc=2, argv=0xbfdfbaf4) at oggplayer.cpp:892
Summary: crash (segfault) @vorbis_synthesis_headerin when playing corrupted ogg vorbis/theora file → crash (segfault) @ _vorbis_unpack_comment when playing corrupted ogg vorbis/theora file
Went back and actually got the stack trace from firefox. It seems the error is really in _vorbis_unpack_comment.
It looks like this was fixed in the patch for bug 501279.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Testcase added in patch for bug 501279.
Flags: in-testsuite? → in-testsuite+
status1.9.1: --- → wanted
Depends on: CVE-2009-3379
Keywords: crash, testcase
Whiteboard: [sg:dupe 501279]
Group: core-security
status1.9.1: wanted.4-fixed
Summary: crash (segfault) @ _vorbis_unpack_comment when playing corrupted ogg vorbis/theora file → crash (segfault) [@ _vorbis_unpack_comment] when playing corrupted ogg vorbis/theora file
Flags: wanted1.9.0.x-
Crash Signature: [@ _vorbis_unpack_comment]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: