Closed
Bug 604993
Opened 14 years ago
Closed 14 years ago
Malformed WebM file leads to crash [@nsWebMReader::NextPacket]
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: posidron, Assigned: kinetik)
References
Details
Attachments
(3 files)
Number of values: 8 Offset: 10900/0x002a94 Value: ['66', 'a5'] Offset: 36021/0x008cb5 Value: ['6d', 'e7'] Offset: 48373/0x00bcf5 Value: ['63', 'c3'] Offset: 54098/0x00d352 Value: ['45', 'dd'] Offset: 71173/0x011605 Value: ['ce'] Offset: 79199/0x01355f Value: ['45', '0d'] Offset: 81438/0x013e1e Value: ['54', 'aa'] Offset: 97902/0x017e6e Value: ['4d', '80'] Please execute the provided html file.
|
Reporter | |
Comment 1•14 years ago
|
||
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → kinetik
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•14 years ago
|
blocking2.0: --- → ?
|
|
Assignee | |
Comment 2•14 years ago
|
||
libnestegg's test program doesn't crash on this, but Firefox does:
0x7fffe01bf880: parent element 1c53bb6b
0x7fffe01bf880: single master element 1c53bb6b (ID_CUES)
0x7fffe01bf880: -> using data 0x7fffe01bf9b8 (96)
0x7fffe01bf880: multi master element bb (ID_CUE_POINT)
0x7fffe01bf880: -> using data 0x7fffdff1cfd0
0x7fffe01bf880: element b3 (ID_CUE_TIME) -> 0x7fffdff1cfd0 (0)
0x7fffe01bf880: multi master element b7 (ID_CUE_TRACK_POSITIONS)
0x7fffe01bf880: -> using data 0x7fffe626df10
0x7fffe01bf880: element f7 (ID_CUE_TRACK) -> 0x7fffe626df10 (0)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdf1ff710 (LWP 16840)]
0x00007ffff5cc5751 in parse (ctx=0x7fffe01bf880, top_level=0x0)
at /home/kinetik/mozilla-central/media/libnestegg/src/nestegg.c:975
975 element = find_element(id, ctx->ancestor->node);
id is 0x465c, which is FileData, an AttachedFile child.
I bet nestegg_read_packet is being called again after it has returned < 1... yep:
The final valid nestegg_read_packet originates from a NextPacket call to fetch next_packet temporarily:
1865 r = parse(ctx, NULL);
(gdb)
0x7fffdffc2880: parent element 1c53bb6b
[...]
1866 if (r != 1)
(gdb) n
1867 return r;
In this case, we're not handling EOS correctly, so after this call,nestegg_read_packet is called again from DecodeVideoFrame to fetch packet and crashes.
I'll fix this in two places: by changing nsWebMReader's EOS handling, and by making nestegg's handling of this more robust.|
|
Assignee | |
Comment 3•14 years ago
|
||
More info: After the parser reads the CueTrack element, it encounters EOS while reading the next element (which is garbage, anyway): it reads the ID as 0x465c (FileData), then hits EOS while reading the element size (for which it expects 4 bytes and only 2 are left in the stream). At this point, the parser bails out to the error handling at the end of parse() that frees the ancestor context stack.
|
|
Assignee | |
Comment 4•14 years ago
|
||
Update libnestegg to latest git. The relevant changes for this bug are: http://github.com/kinetiknz/nestegg/commit/7145428c036bdea602b6093c14bbffeafdf8894d The other changes since the last import are code cleanups that don't affect behaviour. With this change it's not necessary to change nsWebMReader at all.
Attachment #483895 -
Flags: review?(chris.double)
|
||
Updated•14 years ago
|
Attachment #483895 -
Flags: review?(chris.double) → review+
blocking2.0: ? → final+
|
|
Assignee | |
Updated•14 years ago
|
Keywords: checkin-needed
Whiteboard: [needs landing]
|
||
Comment 5•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/4633e1cb6dda
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [needs landing]
|
|
Reporter | |
Updated•12 years ago
|
Blocks: fuzzing-webm
You need to log in
before you can comment on or make changes to this bug.
Description
•