Malformed WebM file leads to crash [@peek_element]

Status: RESOLVED FIXED
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 6 years ago

People

(Reporter: posidron, Assigned: kinetik)

Tracking

(Blocks: 1 bug)

Version: Trunk
Platform: x86_64 Mac OS X

Firefox Tracking Flags

(blocking2.0 final+)

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
Created attachment 482815 [details]
testcase

File: 0.webm
Number of values: 14
Offset:  4391/0x001127	Value: ['00', '00', '00', '01']
Offset: 16337/0x003fd1	Value: ['00', '00']
Offset: 32387/0x007e83	Value: ['80', '00', '00', '00', '00', '00', '00', '00']
Offset: 37970/0x009452	Value: ['ff', 'ff', 'ff', 'ff']
Offset: 38041/0x009499	Value: ['00', '00', '00', '00']
Offset: 39462/0x009a26	Value: ['00', '00']
Offset: 42438/0x00a5c6	Value: ['80', '00', '00', '00', '00', '00', '00', '00']
Offset: 54883/0x00d663	Value: ['00', '00']
Offset: 58256/0x00e390	Value: ['ff', 'c4', '40', '0f']
Offset: 63539/0x00f833	Value: ['80', '00', '00', '00', '00', '00', '00', '00']
Offset: 71026/0x011572	Value: ['7f', 'ff']
Offset: 78704/0x013370	Value: ['20', '00']
Offset: 79379/0x013613	Value: ['7f', 'ff', 'ff', 'ff']
Offset: 87426/0x015582	Value: ['80', '00']

Windows 7 is also affected.

Please execute the provided html file.
(Reporter)

Comment 1

8 years ago
Created attachment 482816 [details]
callstack
(Assignee)

Updated

8 years ago
Assignee: nobody → kinetik
Status: NEW → ASSIGNED
(Assignee)

Updated

8 years ago
blocking2.0: --- → ?
(Assignee)

Comment 2

8 years ago
In nsWebMReader::ReadMetadata, vorbis_synthesis_headerin fails (returning OV_EBADHEADER), so we call nsWebMReader::Cleanup() (destroying mContext) and then return an error.  nsBuiltinDecoderStateMachine::LoadMetadata fails to check the result of ReadMetadata() and we eventually crash when we're called to decode a frame.  So this sounds like the same bug as bug 604067 comment 4 mentions in the first sentence.
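Constructed C++ model of the unchecked-error path comment 2 describes, added here and not taken from the Firefox source: the class and method names mirror nsWebMReader and the decoder state machine, while the header rule (a valid header begins with 0x01) and the shape of the fix are assumptions.

```cpp
#include <cstdint>
#include <memory>
#include <vector>
// Constructed model of the control flow in comment 2; names mirror the
// Firefox ones, but this is not the project's code.
struct Context { std::vector<uint8_t> header; };  // stands in for the state held in mContext
enum class Status { Ok, BadHeader };               // BadHeader plays the role of OV_EBADHEADER

class WebMReader {
 public:
  explicit WebMReader(const std::vector<uint8_t>& header)
      : mContext(std::make_unique<Context>(Context{header})) {}
  // Models vorbis_synthesis_headerin: the constructed rule is that a valid
  // header starts with byte 0x01 (an assumption, not the real parser).
  Status ReadMetadata() {
    if (mContext->header.empty() || mContext->header[0] != 0x01) {
      Cleanup();  // mContext is destroyed before the error is returned
      return Status::BadHeader;
    }
    return Status::Ok;
  }
  void Cleanup() { mContext.reset(); }
  bool HasContext() const { return mContext != nullptr; }
  // The real reader dereferences mContext here; after Cleanup() that is the crash.
  bool DecodeFrame() { return !mContext->header.empty(); }
 private:
  std::unique_ptr<Context> mContext;
};
enum class State { Decoding, Error };
// Before the fix: ReadMetadata()'s result is ignored, so the state machine
// proceeds to Decoding with a destroyed context.
State LoadMetadataUnchecked(WebMReader& reader) {
  reader.ReadMetadata();
  return State::Decoding;
}
// After the fix (assumed shape of the check, not the actual patch): a failed
// ReadMetadata() ends in Error, so DecodeFrame() is never reached.
State LoadMetadataChecked(WebMReader& reader) {
  return reader.ReadMetadata() == Status::Ok ? State::Decoding : State::Error;
}

// Drive both variants over a constructed malformed header (first byte 0x00).
bool UncheckedReachesDecodeWithoutContext() {
  WebMReader reader({0x00, 0x00});
  return LoadMetadataUnchecked(reader) == State::Decoding && !reader.HasContext();
}
bool CheckedStopsBeforeDecode() {
  WebMReader reader({0x00, 0x00});
  return LoadMetadataChecked(reader) == State::Error && !reader.HasContext();
}
```

Calling DecodeFrame() after the unchecked path is the null dereference; the checked path never gets there.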
(Assignee)

Updated

8 years ago
Depends on: 604067
blocking2.0: ? → final+
(Assignee)

Comment 3

8 years ago
Fixed by bug 604067.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(In reply to comment #3)
> Fixed by bug 604067.

Just backed this out unfortunately. :(
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Bug 604067 landed again, so this should be fixed...
Status: REOPENED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Reporter)

Updated

6 years ago
Blocks: 793199