Closed Bug 604993 Opened 15 years ago Closed 15 years ago

Malformed WebM file leads to crash [@nsWebMReader::NextPacket]

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+

People

(Reporter: posidron, Assigned: kinetik)

References

Details

Attachments

(3 files)

testcase
96.46 KB, application/zip
Details
callstack
2.67 KB, text/plain
Details
nestegg patch v0
47.24 KB, patch
cajbir
: review+
Details | Diff | Splinter Review
Attached file testcase
Number of values: 8 Offset: 10900/0x002a94 Value: ['66', 'a5'] Offset: 36021/0x008cb5 Value: ['6d', 'e7'] Offset: 48373/0x00bcf5 Value: ['63', 'c3'] Offset: 54098/0x00d352 Value: ['45', 'dd'] Offset: 71173/0x011605 Value: ['ce'] Offset: 79199/0x01355f Value: ['45', '0d'] Offset: 81438/0x013e1e Value: ['54', 'aa'] Offset: 97902/0x017e6e Value: ['4d', '80'] Please execute the provided html file.
Attached file callstack
Assignee: nobody → kinetik
Status: NEW → ASSIGNED
blocking2.0: --- → ?
libnestegg's test program doesn't crash on this, but Firefox does: 0x7fffe01bf880: parent element 1c53bb6b 0x7fffe01bf880: single master element 1c53bb6b (ID_CUES) 0x7fffe01bf880: -> using data 0x7fffe01bf9b8 (96) 0x7fffe01bf880: multi master element bb (ID_CUE_POINT) 0x7fffe01bf880: -> using data 0x7fffdff1cfd0 0x7fffe01bf880: element b3 (ID_CUE_TIME) -> 0x7fffdff1cfd0 (0) 0x7fffe01bf880: multi master element b7 (ID_CUE_TRACK_POSITIONS) 0x7fffe01bf880: -> using data 0x7fffe626df10 0x7fffe01bf880: element f7 (ID_CUE_TRACK) -> 0x7fffe626df10 (0) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffdf1ff710 (LWP 16840)] 0x00007ffff5cc5751 in parse (ctx=0x7fffe01bf880, top_level=0x0) at /home/kinetik/mozilla-central/media/libnestegg/src/nestegg.c:975 975 element = find_element(id, ctx->ancestor->node); id is 0x465c, which is FileData, an AttachedFile child. I bet nestegg_read_packet is being called again after it has returned < 1... yep: The final valid nestegg_read_packet originates from a NextPacket call to fetch next_packet temporarily: 1865 r = parse(ctx, NULL); (gdb) 0x7fffdffc2880: parent element 1c53bb6b [...] 1866 if (r != 1) (gdb) n 1867 return r; In this case, we're not handling EOS correctly, so after this call,nestegg_read_packet is called again from DecodeVideoFrame to fetch packet and crashes. I'll fix this in two places: by changing nsWebMReader's EOS handling, and by making nestegg's handling of this more robust.
More info: After the parser reads the CueTrack element, it encounters EOS while reading the next element (which is garbage, anyway): it reads the ID as 0x465c (FileData), then hits EOS while reading the element size (for which it expects 4 bytes and only 2 are left in the stream). At this point, the parser bails out to the error handling at the end of parse() that frees the ancestor context stack.
Attached patch nestegg patch v0Splinter Review
Update libnestegg to latest git. The relevant changes for this bug are: http://github.com/kinetiknz/nestegg/commit/7145428c036bdea602b6093c14bbffeafdf8894d The other changes since the last import are code cleanups that don't affect behaviour. With this change it's not necessary to change nsWebMReader at all.
Attachment #483895 - Flags: review?(chris.double)
Attachment #483895 - Flags: review?(chris.double) → review+
Keywords: checkin-needed
Whiteboard: [needs landing]
http://hg.mozilla.org/mozilla-central/rev/4633e1cb6dda
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [needs landing]
Blocks: fuzzing-webm
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: