Closed
Bug 507415
Opened 15 years ago
Closed 15 years ago
crash (segfault) @ oggplay_data_handle_theora_frame (memcpy) when playing corrupted ogg vorbis file
Categories
(Core :: Audio/Video, defect)
Tracking
RESOLVED
DUPLICATE
of bug 504613
People
(Reporter: keeler, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [sg:dupe 504613] null deref)
Attachments
(2 files)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Build Identifier: mozilla-central revision 505e5dc1e170

Segmentation fault when playing corrupted ogg vorbis file (attached). I thought this was the same as bug 500311, but the fix for that didn't fix this issue, so I'm filing a new bug.

Reproducible: Always

Steps to Reproduce:
1. Load attached file.

Actual Results:
firefox crashes

Expected Results:
some sort of "this file is corrupted" message
Reporter
Comment 1•15 years ago
Reporter
Updated•15 years ago
Status: NEW → UNCONFIRMED
Ever confirmed: false
Reporter
Comment 2•15 years ago
Bug poke: is this being worked on?
Comment 3•15 years ago
This is due to a problem in liboggplay's header handling. It is fixed in the patch in bug 512328 (which in turn depends on updates to liboggz and libfishsound).
Depends on: CVE-2009-3378
Comment 4•15 years ago
Still crashes for me, but only when I reload, doesn't crash on the initial load. Interesting...
Comment 5•15 years ago
(In reply to comment #4)
> Still crashes for me

And by that I mean, the checkin of bug 512328 didn't fix this crash.
No longer depends on: CVE-2009-3378
Reporter
Comment 6•15 years ago
I think _dec->pp_frame_buf is never properly initialized for use in th_decode_ycbcr_out (decode.c), called by theora_decode_YUVout (decapiwrapper.c), called by oggplay_callback_theora (oggplay_callback.c) (because this call needs to happen correctly for the later call to oggplay_data_handle_theora_frame to succeed). Luckily, it appears that _dec->pp_frame_buf is at least zeroed out, so this should always be a null deref.
Whiteboard: [sg:DoS] null deref
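Comment 6 attributes the crash to a decoder output buffer that was never filled in, so the later memcpy reads from a zeroed (NULL) plane pointer. The following is an added example, not code from liboggplay, libtheora or Mozilla: it sketches the defensive check a frame-copy routine would want, validating every plane pointer and its geometry before any memcpy, so that a zeroed decoder struct turns into an error return rather than a null dereference. The `plane_t`/`ycbcr_frame_t` types, the `copy_frame_packed` function and the error codes are assumptions made for this illustration; the 4x2 frame it builds is constructed sample data.

```c
/* Added example (not liboggplay/libtheora code): guard a decoded YCbCr
 * frame copy against a decoder that handed back zeroed plane pointers,
 * the failure mode described in comment 6. Type and function names here
 * are assumptions for illustration. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder output: one plane of a Y'CbCr frame. */
typedef struct {
    int width;
    int height;
    int stride;          /* bytes per row in the decoder's buffer */
    unsigned char *data;
} plane_t;

typedef struct {
    plane_t planes[3];   /* Y, Cb, Cr */
} ycbcr_frame_t;

enum {
    FRAME_OK = 0,
    FRAME_ERR_NULL_PLANE = -1,   /* decoder never filled the buffer */
    FRAME_ERR_BAD_GEOMETRY = -2, /* stride/size inconsistent */
    FRAME_ERR_NOMEM = -3
};

/* Check every plane before touching it. An all-zero decoder struct
 * (the situation in the bug) fails the NULL test instead of crashing
 * inside memcpy. */
static int validate_frame(const ycbcr_frame_t *f)
{
    for (int i = 0; i < 3; i++) {
        const plane_t *p = &f->planes[i];
        if (p->data == NULL)
            return FRAME_ERR_NULL_PLANE;
        if (p->width <= 0 || p->height <= 0 || p->stride < p->width)
            return FRAME_ERR_BAD_GEOMETRY;
    }
    return FRAME_OK;
}

/* Copy the three planes into one tightly packed buffer. On success *out
 * is malloc'd (caller frees) and *out_len holds its size. */
int copy_frame_packed(const ycbcr_frame_t *f, unsigned char **out, size_t *out_len)
{
    int rc = validate_frame(f);
    if (rc != FRAME_OK)
        return rc;

    size_t total = 0;
    for (int i = 0; i < 3; i++)
        total += (size_t)f->planes[i].width * (size_t)f->planes[i].height;

    unsigned char *buf = malloc(total);
    if (buf == NULL)
        return FRAME_ERR_NOMEM;

    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        const plane_t *p = &f->planes[i];
        for (int row = 0; row < p->height; row++) {
            memcpy(buf + off, p->data + (size_t)row * p->stride, (size_t)p->width);
            off += (size_t)p->width;
        }
    }
    *out = buf;
    *out_len = total;
    return FRAME_OK;
}

/* Constructed 4x2 luma frame with 2x1 chroma planes and padded strides;
 * returns 0 when the packed output has the expected 12 bytes. */
int demo_valid_copy(void)
{
    static unsigned char y[2 * 8], cb[1 * 4], cr[1 * 4];
    for (int i = 0; i < 16; i++) y[i] = (unsigned char)i;
    for (int i = 0; i < 4; i++) { cb[i] = (unsigned char)(100 + i); cr[i] = (unsigned char)(200 + i); }

    ycbcr_frame_t f = {{ {4, 2, 8, y}, {2, 1, 4, cb}, {2, 1, 4, cr} }};
    unsigned char *out = NULL;
    size_t n = 0;
    int rc = copy_frame_packed(&f, &out, &n);
    if (rc != FRAME_OK) return rc;
    /* packed layout: luma rows 0..3 and 8..11, then cb, then cr */
    int ok = (n == 12) && out[0] == 0 && out[3] == 3 && out[4] == 8 && out[7] == 11
             && out[8] == 100 && out[9] == 101 && out[10] == 200 && out[11] == 201;
    free(out);
    return ok ? 0 : -99;
}

/* The bug's failure mode: a decoder struct that was only ever zeroed. */
int demo_zeroed_frame(void)
{
    ycbcr_frame_t f;
    memset(&f, 0, sizeof f);
    unsigned char *out = NULL;
    size_t n = 0;
    return copy_frame_packed(&f, &out, &n); /* FRAME_ERR_NULL_PLANE */
}
```

The point of `validate_frame` is that the check happens once, before the copy loop, and covers geometry as well as the pointer itself: a corrupted header that produces a stride smaller than the width would otherwise read past the end of a row even when the pointer is valid.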
Reporter
Comment 7•15 years ago
Actually, I'm pretty sure this is a duplicate of bug 504613. (The hard part about these two bugs is getting a stack trace halfway through memcpy, because it does strange things with $esp. Try running this through oggplayer in gdb and run 'set $esp += 4' after it crashes.)
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Whiteboard: [sg:DoS] null deref → [sg:dupe 504613] null deref
Updated•14 years ago
Group: core-security