Closed Bug 506094 Opened 11 years ago Closed 11 years ago

crash (corrupt/double free) @ res0_free_info when playing corrupted ogg theora file

Categories

(Core :: Audio/Video, defect)

x86
Linux
defect
Not set

RESOLVED FIXED
Tracking Status
status1.9.1 --- .4-fixed

People

(Reporter: keeler, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 501279][fixed upstream])

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060308 Ubuntu/9.04 (jaunty) Firefox/3.0.11
Build Identifier: mozilla-central revision df57940538b4

Segmentation fault when playing corrupted ogg theora file (attached).

Reproducible: Sometimes

Steps to Reproduce:
1. Load attached file.
2. Refresh the page once or twice.

Actual Results:
Firefox crashes

Expected Results:
some sort of "this file is corrupted" message

This is already fixed in Vorbis trunk, revision r16218, which claims to be a fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501279. This fix is included in the recent 1.2.3 release of libvorbis.

I don't have access to that bug, so I can't comment on what it was fixing or why.
Okay, I can now confirm that this file triggers the same issue that that one did (premature end-of-packet in the cascade flags decode), and is indeed fixed by the same solution.
Is there some sort of "fixed upstream" flag we can put on this?
Not really, but let's use the status whiteboard for that. :)
Whiteboard: [fixed upstream]
Looks like the patch for bug 501279 fixed this in mozilla-central.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Testcase added in patch for bug 501279.
Flags: in-testsuite? → in-testsuite+
Depends on: CVE-2009-3379
Whiteboard: [fixed upstream] → [sg:dupe 501279][fixed upstream]
Group: core-security
Flags: wanted1.9.0.x-