506094 - crash (corrupt/double free) @ res0_free_info when playing corrupted ogg theora file

Status: RESOLVED FIXED

(Core :: Audio/Video, defect)

Description

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Attachment: test file that causes crash

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060308 Ubuntu/9.04 (jaunty) Firefox/3.0.11
Build Identifier: mozilla-central revision df57940538b4

Segmentation fault when playing corrupted ogg theora file (attached).

Reproducible: Sometimes

Steps to Reproduce:
1. Load attached file.
2. Refresh the page once or twice.
Actual Results:  
firefox crashes

Expected Results:  
some sort of "this file is corrupted" message

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Attachment: stack trace of relevant thread

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Attachment: stack trace of oggplayer

Comment 3

[Timothy B. Terriberry (:derf)]

This is already fixed in Vorbis trunk, revision r16218, which claims to be a fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501279. This fix is included in the recent 1.2.3 release of libvorbis.

I don't have access to that bug, so I can't comment on what it was fixing or why.

Comment 4

[Timothy B. Terriberry (:derf)]

Okay, I can now confirm that this file triggers the same issue that that one did (premature end-of-packet in the cascade flags decode), and is indeed fixed by the same solution.

Comment 5

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Is there some sort of "fixed upstream" flag we can put on this?

Comment 6

[Samuel Sidler (old account; do not CC)]

Not really, but let's use the status whiteboard for that. :)

Comment 7

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Looks like the patch for bug 501279 fixed this in mozilla-central.

Comment 8

[Chris Pearce [:cpearce (Not reading bugmail)]]

Testcase added in patch for bug 501279.