Closed
Bug 604993
Opened 14 years ago
Closed 14 years ago
Malformed WebM file leads to crash [@nsWebMReader::NextPacket]
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |
People
(Reporter: posidron, Assigned: kinetik)
References
Details
Attachments
(3 files)
Number of values: 8 Offset: 10900/0x002a94 Value: ['66', 'a5'] Offset: 36021/0x008cb5 Value: ['6d', 'e7'] Offset: 48373/0x00bcf5 Value: ['63', 'c3'] Offset: 54098/0x00d352 Value: ['45', 'dd'] Offset: 71173/0x011605 Value: ['ce'] Offset: 79199/0x01355f Value: ['45', '0d'] Offset: 81438/0x013e1e Value: ['54', 'aa'] Offset: 97902/0x017e6e Value: ['4d', '80'] Please execute the provided html file.
Reporter | ||
Comment 1•14 years ago
|
||
Assignee | ||
Updated•14 years ago
|
Assignee: nobody → kinetik
Status: NEW → ASSIGNED
Assignee | ||
Updated•14 years ago
|
blocking2.0: --- → ?
Assignee | ||
Comment 2•14 years ago
|
||
libnestegg's test program doesn't crash on this, but Firefox does: 0x7fffe01bf880: parent element 1c53bb6b 0x7fffe01bf880: single master element 1c53bb6b (ID_CUES) 0x7fffe01bf880: -> using data 0x7fffe01bf9b8 (96) 0x7fffe01bf880: multi master element bb (ID_CUE_POINT) 0x7fffe01bf880: -> using data 0x7fffdff1cfd0 0x7fffe01bf880: element b3 (ID_CUE_TIME) -> 0x7fffdff1cfd0 (0) 0x7fffe01bf880: multi master element b7 (ID_CUE_TRACK_POSITIONS) 0x7fffe01bf880: -> using data 0x7fffe626df10 0x7fffe01bf880: element f7 (ID_CUE_TRACK) -> 0x7fffe626df10 (0) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffdf1ff710 (LWP 16840)] 0x00007ffff5cc5751 in parse (ctx=0x7fffe01bf880, top_level=0x0) at /home/kinetik/mozilla-central/media/libnestegg/src/nestegg.c:975 975 element = find_element(id, ctx->ancestor->node); id is 0x465c, which is FileData, an AttachedFile child. I bet nestegg_read_packet is being called again after it has returned < 1... yep: The final valid nestegg_read_packet originates from a NextPacket call to fetch next_packet temporarily: 1865 r = parse(ctx, NULL); (gdb) 0x7fffdffc2880: parent element 1c53bb6b [...] 1866 if (r != 1) (gdb) n 1867 return r; In this case, we're not handling EOS correctly, so after this call,nestegg_read_packet is called again from DecodeVideoFrame to fetch packet and crashes. I'll fix this in two places: by changing nsWebMReader's EOS handling, and by making nestegg's handling of this more robust.
Assignee | ||
Comment 3•14 years ago
|
||
More info: After the parser reads the CueTrack element, it encounters EOS while reading the next element (which is garbage, anyway): it reads the ID as 0x465c (FileData), then hits EOS while reading the element size (for which it expects 4 bytes and only 2 are left in the stream). At this point, the parser bails out to the error handling at the end of parse() that frees the ancestor context stack.
Assignee | ||
Comment 4•14 years ago
|
||
Update libnestegg to latest git. The relevant changes for this bug are: http://github.com/kinetiknz/nestegg/commit/7145428c036bdea602b6093c14bbffeafdf8894d The other changes since the last import are code cleanups that don't affect behaviour. With this change it's not necessary to change nsWebMReader at all.
Attachment #483895 -
Flags: review?(chris.double)
Updated•14 years ago
|
Attachment #483895 -
Flags: review?(chris.double) → review+
blocking2.0: ? → final+
Assignee | ||
Updated•14 years ago
|
Keywords: checkin-needed
Whiteboard: [needs landing]
Comment 5•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/4633e1cb6dda
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [needs landing]
Reporter | ||
Updated•12 years ago
|
Blocks: fuzzing-webm
You need to log in
before you can comment on or make changes to this bug.
Description
•