Closed Bug 507415 Opened 15 years ago Closed 15 years ago

crash (segfault) @ oggplay_data_handle_theora_frame (memcpy) when playing corrupted ogg vorbis file

Categories

(Core :: Audio/Video, defect)

x86
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 504613

People

(Reporter: keeler, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 504613] null deref)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Build Identifier: mozilla-central revision 505e5dc1e170

Segmentation fault when playing corrupted ogg vorbis file (attached).
I thought this was the same as bug 500311, but the fix for that didn't fix this issue, so I'm filing a new bug.

Reproducible: Always

Steps to Reproduce:
1. Load attached file.
Actual Results:  
firefox crashes

Expected Results:  
some sort of "this file is corrupted" message
Status: NEW → UNCONFIRMED
Ever confirmed: false
Bug poke: is this being worked on?
This is due to a problem in liboggplay's header handling. It is fixed in the patch in bug 512328 (which in turn depends on updates to liboggz and libfishsound).
Depends on: CVE-2009-3378
Still crashes for me, but only when I reload, doesn't crash on the initial load. Interesting...
(In reply to comment #4)
> Still crashes for me

And by that I mean, the checkin of bug 512328 didn't fix this crash.
No longer depends on: CVE-2009-3378
I think _dec->pp_frame_buf is never properly initialized for use in th_decode_ycbcr_out (decode.c), called by theora_decode_YUVout (decapiwrapper.c), called by oggplay_callback_theora (oggplay_callback.c) (because this call needs to happen correctly for the later call to oggplay_data_handle_theora_frame to succeed).
Luckily, it appears that _dec->pp_frame_buf is at least zeroed out, so this should always be a null deref.
Whiteboard: [sg:DoS] null deref
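As an added illustration (not liboggplay's or libtheora's code, and not from anyone on this bug), here is the shape of the guard the comment above points at: a frame handler that treats a zeroed or NULL plane pointer coming back from the decoder as a decode failure and returns an error instead of passing it to memcpy. All type and function names (`plane_t`, `frame_t`, `handle_frame`) and the sample frames are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical decoded-frame description, loosely modelled on a Y'CbCr
 * plane triple. Not liboggplay's or libtheora's real types. */
typedef struct {
    const uint8_t *data;   /* NULL if the decoder never filled this plane */
    int width;
    int height;
    int stride;
} plane_t;

typedef struct {
    plane_t planes[3];
} frame_t;

enum {
    FRAME_OK = 0,
    FRAME_ERR_NULL_PLANE = -1,   /* decoder handed back an unset buffer */
    FRAME_ERR_BAD_DIM = -2,      /* nonsensical geometry from the headers */
    FRAME_ERR_DST_TOO_SMALL = -3
};

/* Copy the three planes of a decoded frame into a packed destination buffer.
 * Every pointer and dimension is validated before the first memcpy, so a
 * zero-initialised frame from a corrupted stream fails cleanly instead of
 * faulting inside memcpy. Returns 0 on success, a negative code otherwise;
 * dst is untouched on error. */
int handle_frame(const frame_t *frame, uint8_t *dst, size_t dst_len)
{
    size_t need = 0;
    for (int i = 0; i < 3; i++) {
        const plane_t *p = &frame->planes[i];
        if (p->data == NULL)
            return FRAME_ERR_NULL_PLANE;
        if (p->width <= 0 || p->height <= 0 || p->stride < p->width)
            return FRAME_ERR_BAD_DIM;
        need += (size_t)p->width * (size_t)p->height;
    }
    if (need > dst_len)
        return FRAME_ERR_DST_TOO_SMALL;

    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        const plane_t *p = &frame->planes[i];
        for (int row = 0; row < p->height; row++) {
            memcpy(dst + off, p->data + (size_t)row * (size_t)p->stride, (size_t)p->width);
            off += (size_t)p->width;
        }
    }
    return FRAME_OK;
}

/* Constructed case 1: a frame whose buffer was only ever zeroed, never
 * filled, which is the state the comment above describes. */
int demo_zeroed_frame_rejected(void)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    uint8_t out[64];
    return handle_frame(&f, out, sizeof out);
}

/* Constructed case 2: a tiny valid frame (2x2 luma with stride 4 so the
 * padding bytes must be skipped, 1x1 chroma planes). */
int demo_valid_frame_copied(void)
{
    static const uint8_t y[8] = {1, 2, 99, 99, 3, 4, 99, 99};
    static const uint8_t cb[1] = {5};
    static const uint8_t cr[1] = {6};
    frame_t f = {{{y, 2, 2, 4}, {cb, 1, 1, 1}, {cr, 1, 1, 1}}};
    uint8_t out[6] = {0};
    int rc = handle_frame(&f, out, sizeof out);
    if (rc != FRAME_OK)
        return rc;
    static const uint8_t want[6] = {1, 2, 3, 4, 5, 6};
    return memcmp(out, want, sizeof want) == 0 ? FRAME_OK : -99;
}

/* Constructed case 3: valid planes but a destination that cannot hold them. */
int demo_small_destination_rejected(void)
{
    static const uint8_t y[4] = {1, 2, 3, 4};
    frame_t f = {{{y, 2, 2, 2}, {y, 1, 1, 1}, {y, 1, 1, 1}}};
    uint8_t out[2];
    return handle_frame(&f, out, sizeof out);
}
```

The point of the example is the ordering: geometry and pointer checks run to completion before any byte is copied, so a corrupted header that leaves the decoder's output unset is reported as an error the player can turn into a "this file is corrupted" message rather than a segfault halfway through memcpy.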
Actually, I'm pretty sure this is a duplicate of bug 504613.
(The hard part about these two bugs is getting a stack trace halfway through memcpy, because it does strange things with $esp.  Try running this through oggplayer in gdb and run 'set $esp += 4' after it crashes.)
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:DoS] null deref → [sg:dupe 504613] null deref
Group: core-security