Closed Bug 798873 Opened 13 years ago Closed 13 years ago

Crash in SDP formatted with too many ICE candidates - 'Assertion failure: endbuf_p - *ptr > 0' [@ sdp_build_attribute]

Categories

(Core :: WebRTC: Signaling, defect)

Product:
Core
Component:
WebRTC: Signaling
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18
Tracking Flags:
Tracking Status
firefox18 --- fixed
firefox19 --- fixed

People

(Reporter: ekr, Assigned: ehugg)

References

Details

(Keywords: crash, Whiteboard: [WebRTC], [blocking-webrtc+], [blocking-gum+], [qa-])

Attachments

(4 files, 8 obsolete files)

Signaling - increase max SDP size.
5.41 KB, patch
ekr
: review+
jesup
: review+
Details | Diff | Splinter Review
Signaling SDP construction uses flex_string
143.64 KB, patch
jesup
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Crashtest v1
2.33 KB, patch
jesup
: review-
Details | Diff | Splinter Review
Patch 3 - flex_string fix for Windows vsnprintf
1.53 KB, patch
jesup
: review+
Details | Diff | Splinter Review
If you have enough interfaces, then the SDP formatter overruns the available SDP, which causes a crash. There are two defects here: 1. The hardcoded SDP length of 2048 is too small, so you get truncation. 2. When you run out of space, you assert, which is a problem. (gdb) c Continuing. Assertion failure: endbuf_p - *ptr > 0, at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/sdp/sdp_attr.c:211 Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000 sdp_build_attribute (sdp_p=0x129d8e000, level=3, ptr=0x12b8f59f0, len=359) at sdp_attr.c:211 (gdb) bt #0 sdp_build_attribute (sdp_p=0x129d8e000, level=3, ptr=0x12b8f59f0, len=359) at sdp_attr.c:211 #1 0x00000001044f47cf in sdp_build (sdp_ptr=0x129d8e000, bufp=0x12b8f5a68, len=2048) at sdp_main.c:1198 #2 0x0000000104553ff6 in sipsdp_write_to_buf (sdp_info=0x12654cff0, retbytes=0x12b8f5ab4) at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/sipstack/ccsip_sdp.c:429 #3 0x00000001044ac537 in gsmsdp_encode_sdp (sdp_p=0x12654cff0, msg_body=0x12b8f5bf8) at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/gsm/gsm_sdp.c:5483 #4 0x00000001044ac6e2 in gsmsdp_encode_sdp_and_update_version (dcb_p=0x129d93000, msg_body=0x12b8f5bf8) at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/gsm/gsm_sdp.c:5539 #5 0x0000000104492007 in fsmdef_ev_createoffer (event=0x12b8f5e28) at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/gsm/fsmdef.c:2958 #6 0x00000001044c004b in sm_process_event (tbl=0x106398e98, event=0x12b8f5e28) at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/gsm/sm.c:83 #7 0x00000001044824aa in fim_process_event (data=0x128979000, cac_passed=0 '\0') at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/gsm/fim.c:671 #8 0x00000001044a3e73 in gsm_process_msg (cmd=158, msg=0x128979000) at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/gsm/gsm.c:167 #9 0x00000001044a42d4 in GSMTask (arg=0x12992d400) at /Users/ekr/dev/mozilla-inbound/media/webrtc/signaling/src/sipcc/core/gsm/gsm.c:359 #10 0x00007fff89825fd6 in _pthread_start () #11 0x00007fff89825e89 in thread_start () (gdb)
Assignee: nobody → ethanhugg
The right thing to happen is to generate an error.
Severity: normal → critical
Keywords: crash
Comment on attachment 668937 [details] [diff] [review] Signaling SDP construction handles overflow This is a work in progress. I'm considering running all of the SDP construction through the new static sdp_build_line so we can handle the snprintf return and pointer arithmetic in one place. If we want to go with this idea, I can change the rest of the file as well.
Attachment #668937 - Attachment is obsolete: true
Comment on attachment 669019 [details] [diff] [review] Signaling - increase max SDP size. SDP max length upped to 4096 MOZ_ASSERT on overflow removed. SDP creation overflow should now make CreateOffer/CreateAnswer fail. You can try out the last one on OSX by running a VMWare instance in the background, and recompiling with SDP_MAX_LENGTH set back to 2048.
Attachment #669019 - Flags: review?(ekr)
Status: NEW → ASSIGNED
Summary: Crash in SDP formatted with too many ICE candidates → Crash in SDP formatted with too many ICE candidates - 'Assertion failure: endbuf_p - *ptr > 0' [@ sdp_build_attribute]
Attached file crashtest (obsolete) —
This is a proposed crash test for this fix. Boris, what would be the best location in our tree for it? /dom/tests/crashtests/? It doesn't exist yet so I wonder where to put it into. Thanks.
Flags: in-testsuite?
Comment on attachment 669019 [details] [diff] [review] Signaling - increase max SDP size. Review of attachment 669019 [details] [diff] [review]: ----------------------------------------------------------------- looks good as a short-term fix
Attachment #669019 - Flags: review?(ekr) → review+
dom/media/test/craashtests seems like the obvious place for the test (and would involve creating said dirs).
https://hg.mozilla.org/mozilla-central/rev/87f3548e638e Leaving open as this is a temporary patch Agreed, we absolutely need tests for SDP overflows, etc. (FYI henrik)
Whiteboard: [blocking-webrtc+]
Attachment #669136 - Attachment mime type: text/plain → text/html
Attachment #669006 - Attachment is obsolete: true
Comment on attachment 670018 [details] [diff] [review] Signaling SDP construction uses flex_string Still work in progress. Uploading for testing and self-splinter. SDP max length removed entirely. Uses new flex_string string handler functions. Also "Cisco-SIPUA" changed to "Mozilla-SIPUA"
Attachment #670018 - Flags: feedback?(snandaku)
Attachment #670018 - Attachment is obsolete: true
Attachment #670018 - Flags: feedback?(snandaku)
Comment on attachment 670043 [details] [diff] [review] Signaling SDP construction uses flex_string Complete removal of SDP_MAX_STRING in favor of the new flex_string.
Attachment #670043 - Flags: review?(snandaku)
Attachment #670043 - Flags: review?(ekr)
Comment on attachment 670043 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670043 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/webrtc/signaling/src/sipcc/core/sdp/sdp_attr.c @@ +73,5 @@ > + semicolon ? ";" : "", > + name, > + value); > +} > + unsigned .. should we be specific on right integral type and its size so that it maps appropriately to format specified .... @@ +237,5 @@ > SDP_PRINT("%s Built a=%s attribute line", sdp_p->debug_str, > sdp_get_attr_name(attr_p->type)); > } > + } else { > + SDP_ERROR("%s error building attribute %d", __FUNCTION__, result); Should we return on Error ? @@ +3402,3 @@ > } > + > + flex_string_append(fs, "\r\n"); line 3657 seems to add only \n from the original code ? ::: media/webrtc/signaling/src/sipcc/cpr/common/cpr_string.c @@ +144,5 @@ > +void flex_string_init(flex_string *fs) { > + fs->buffer_length = FLEX_STRING_CHUNK_SIZE; > + fs->string_length = 0; > + fs->buffer = cpr_malloc(fs->buffer_length); > + fs->buffer[0] = '\0'; cpr_malloc(FLEX_STRING_CHUNK_SIZE) @@ +181,5 @@ > + * Not thread-safe > + */ > +void flex_string_append(flex_string *fs, const char *more) { > + fs->string_length += strlen(more); > + how do we handle non null terminated strings ... @@ +185,5 @@ > + > + flex_string_check_alloc(fs, fs->string_length + 1); > + > + sstrncat(fs->buffer, more, fs->buffer_length - strlen(fs->buffer)); > +} please update string_length after either check_alloc or sstrncat ... Also are we truncating the characters that exceed existing chunk size of flex_string ?
Comment on attachment 670043 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670043 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/webrtc/signaling/src/sipcc/core/sdp/sdp_attr.c @@ +65,5 @@ > + * Helper function for adding nv-pair where value is unsigned. > + */ > +static void sdp_append_name_and_unsigned(flex_string *fs, > + const char *name, > + unsigned value, "unsigned int"? ::: media/webrtc/signaling/src/sipcc/cpr/common/cpr_string.c @@ +144,5 @@ > +void flex_string_init(flex_string *fs) { > + fs->buffer_length = FLEX_STRING_CHUNK_SIZE; > + fs->string_length = 0; > + fs->buffer = cpr_malloc(fs->buffer_length); > + fs->buffer[0] = '\0'; I actually prefer the original, since it has less chance of typos @@ +169,5 @@ > + */ > +void flex_string_check_alloc(flex_string *fs, int new_min_length) { > + if (new_min_length > fs->buffer_length) { > + /* Oversize, allocate more */ > + fs->buffer_length = (new_min_length / FLEX_STRING_CHUNK_SIZE + 1) * FLEX_STRING_CHUNK_SIZE; I assume you want to compute: CHUNK_SIZE * ((new_min_length/CHUNK_SIZE) + 1) So that if I pass in new_min_length == chunk_size I get a result of 2 * chunk_size? If so, I would use parentheses rather than rely on precedence. Also, check for integer overflow here. @@ +181,5 @@ > + * Not thread-safe > + */ > +void flex_string_append(flex_string *fs, const char *more) { > + fs->string_length += strlen(more); > + non null terminated strings generally don't belong in C code. @@ +185,5 @@ > + > + flex_string_check_alloc(fs, fs->string_length + 1); > + > + sstrncat(fs->buffer, more, fs->buffer_length - strlen(fs->buffer)); > +} How could that happen? The whole point here is to resize up to the right point. @@ +209,5 @@ > + va_start(ap, format); > + vsnprintf_result = vsnprintf(fs->buffer + fs->string_length, fs->buffer_length - fs->string_length, format, ap); > + PR_ASSERT(vsnprintf_result > 0 && vsnprintf_result < (fs->buffer_length - fs->string_length)); > + va_end(ap); > + fs->string_length += vsnprintf_result; Can't you move this out of the if/else so you just need it once? ::: media/webrtc/signaling/src/sipcc/cpr/include/cpr_string.h @@ +39,5 @@ > > #ifndef _CPR_STRING_H_ > #define _CPR_STRING_H_ > > +#include <stdarg.h> I don't believe stdarg.h is required here, since you don't use the va_* macros. @@ +107,5 @@ > + > +typedef struct { > + char *buffer; > + unsigned buffer_length; > + unsigned string_length; I would use size_t. If you want unsigned int, then at least use "unsigned int" not just unsigned.
Attachment #670043 - Flags: review?(ekr) → review+
Comment on attachment 670043 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670043 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/webrtc/signaling/src/sipcc/core/sdp/sdp_attr.c @@ +3402,3 @@ > } > + > + flex_string_append(fs, "\r\n"); Good eye, I'm pretty sure the original one is wrong is this case so I changed it. Every other line of SDP ends in \r\n. ::: media/webrtc/signaling/src/sipcc/cpr/common/cpr_string.c @@ +144,5 @@ > +void flex_string_init(flex_string *fs) { > + fs->buffer_length = FLEX_STRING_CHUNK_SIZE; > + fs->string_length = 0; > + fs->buffer = cpr_malloc(fs->buffer_length); > + fs->buffer[0] = '\0'; I wanted the minimum chance that someone could edit and set the buffer_length and malloc separately. @@ +181,5 @@ > + * Not thread-safe > + */ > +void flex_string_append(flex_string *fs, const char *more) { > + fs->string_length += strlen(more); > + strlen will fly through available memory until encountering a null by chance or causing an access violation, or did you mean something else by non-null-terminated string? @@ +185,5 @@ > + > + flex_string_check_alloc(fs, fs->string_length + 1); > + > + sstrncat(fs->buffer, more, fs->buffer_length - strlen(fs->buffer)); > +} setting string_length at the end would require a new uint on the stack like "unsigned int new_length = fs->string_length + strlen(more);" I just avoided the extra var by doing it this way. It's not re-entrant so no one is going to try to use the flex_string until after the fcn completes. @@ +209,5 @@ > + va_start(ap, format); > + vsnprintf_result = vsnprintf(fs->buffer + fs->string_length, fs->buffer_length - fs->string_length, format, ap); > + PR_ASSERT(vsnprintf_result > 0 && vsnprintf_result < (fs->buffer_length - fs->string_length)); > + va_end(ap); > + fs->string_length += vsnprintf_result; Sure. Hidden here is what we do with a vsnprintf return of -1. I'm currently doing nothing assuming the format string was bogus. ::: media/webrtc/signaling/src/sipcc/cpr/include/cpr_string.h @@ +39,5 @@ > > #ifndef _CPR_STRING_H_ > #define _CPR_STRING_H_ > > +#include <stdarg.h> Yes,that should be moved to the .c
Whiteboard: [blocking-webrtc+] → [WebRTC] [blocking-webrtc+]
Comment on attachment 670043 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670043 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/webrtc/signaling/src/sipcc/cpr/common/cpr_string.c @@ +144,5 @@ > +void flex_string_init(flex_string *fs) { > + fs->buffer_length = FLEX_STRING_CHUNK_SIZE; > + fs->string_length = 0; > + fs->buffer = cpr_malloc(fs->buffer_length); > + fs->buffer[0] = '\0'; ekr/ehugg++ @@ +166,5 @@ > + * Allocate enough chunks to hold the new minimum size. > + * > + * Not thread-safe > + */ > +void flex_string_check_alloc(flex_string *fs, int new_min_length) { size_t for length? @@ +169,5 @@ > + */ > +void flex_string_check_alloc(flex_string *fs, int new_min_length) { > + if (new_min_length > fs->buffer_length) { > + /* Oversize, allocate more */ > + fs->buffer_length = (new_min_length / FLEX_STRING_CHUNK_SIZE + 1) * FLEX_STRING_CHUNK_SIZE; Which makes sense, since you probably want to allocate more than needed in these cases. But how do you get a buffer_length < 1*FLEX_STRING_CHUNK_SIZE? We only reallocate if new_min_length > fs->buffer_length, so if buffer_length == FLEX_STRING_CHUNK_SIZE the case you mention won't happen. And in general, if new_min_length % FLEX_STRING_CHUNK_SIZE == 0, then it's also unlikely (perhaps impossible) that buffer_length isn't a multiple of FLEX_STRING_CHUNK_SIZE. Agreed on parens overflow: We only bump the size by FLEX_STRING_CHUNK_SIZE at most above new_min_length. Passing in values less than FLEX_STRING_CHUNK_SIZE from MAXINT is likely a pretty serious error... and unlikely to be successful in allocating negative values (if int). If it's size_t, it would wrap around to a small allocation, but the question is how something could cause such a large allocation. However: put some unreasonable limit on the string buffer size. @@ +181,5 @@ > + * Not thread-safe > + */ > +void flex_string_append(flex_string *fs, const char *more) { > + fs->string_length += strlen(more); > + As in, an unterminated string is an API error in the caller, and hard to check here. If you need to support unterminated strings (buffer+length), use a separate function. ::: media/webrtc/signaling/src/sipcc/cpr/include/cpr_string.h @@ +107,5 @@ > + > +typedef struct { > + char *buffer; > + unsigned buffer_length; > + unsigned string_length; size_t please
Comment on attachment 670043 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670043 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/webrtc/signaling/src/sipcc/cpr/common/cpr_string.c @@ +169,5 @@ > + */ > +void flex_string_check_alloc(flex_string *fs, int new_min_length) { > + if (new_min_length > fs->buffer_length) { > + /* Oversize, allocate more */ > + fs->buffer_length = (new_min_length / FLEX_STRING_CHUNK_SIZE + 1) * FLEX_STRING_CHUNK_SIZE; Also one thing I now see is I am doing the +1 for NULL in two places, the check_alloc and the calls to it. I'll removed the +1 in the check_alloc. (or maybe put two NULLs for safety ;-)) Jesup do you have a suggestion for an unreasonable limit to the string buffer size? I've changed it to a size_t, but I'm not sure what would be a good value to use as a limit, and what is the best way to do an abort from here. Also, I'm considering putting in an overflow check by doing a divide of SIZE_MAX now that it's a size_t. Like this: /* Overflow check */ MOZ_ASSERT((SIZE_MAX / FLEX_STRING_CHUNK_SIZE) >= ((new_min_length / FLEX_STRING_CHUNK_SIZE) + 1)); Opinions?
Comment on attachment 670043 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670043 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/webrtc/signaling/src/sipcc/cpr/common/cpr_string.c @@ +169,5 @@ > + */ > +void flex_string_check_alloc(flex_string *fs, int new_min_length) { > + if (new_min_length > fs->buffer_length) { > + /* Oversize, allocate more */ > + fs->buffer_length = (new_min_length / FLEX_STRING_CHUNK_SIZE + 1) * FLEX_STRING_CHUNK_SIZE; Wait, ignore that bit about the +1s - I'm losing my mind.
Attachment #670043 - Attachment is obsolete: true
Attachment #670043 - Flags: review?(snandaku)
Attachment #670183 - Attachment is obsolete: true
Comment on attachment 670185 [details] [diff] [review] Signaling SDP construction uses flex_string Addressed the review comments and a couple more things. Changed PR_ASSERTs to MOZ_ASSERTs flex_string will no longer alloc an extra CHUNK_SIZE when alloc mod CHUNK_SIZE == 0 TRY build here - https://tbpl.mozilla.org/?tree=Try&rev=fe15ec3b29a0
Attachment #670185 - Flags: review?(rjesup)
(In reply to Ethan Hugg [:ehugg] from comment #19) > Jesup do you have a suggestion for an unreasonable limit to the string > buffer size? I've changed it to a size_t, but I'm not sure what would be a > good value to use as a limit, and what is the best way to do an abort from > here. Since it's done only when doing a malloc, I'm ok with a runtime check here. It also protects us against unreasonable-size allocation attacks (not super likely, and you'd have to get there one malloc at a time, though in theory a single malloc could be very large...) It has the side-benefit of semi-blocking attempts to DoS the browser using expanding allocations. Shall we say max of 1MB? 2MB? Can you see >1MB SDP as ever being reasonable? I can see 10's of K in some cases, maybe in crazy-extreme cases you could find a use for 100K (though you'd probably need to support CapNeg to do so... ;-) Hard to see 1MB. > Also, I'm considering putting in an overflow check by doing a divide of > SIZE_MAX now that it's a size_t. Like this: Not needed if we put a limit in. Or we put no limit in, and just do: MOZ_ASSERT(new_size > old_size);
Comment on attachment 670185 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670185 [details] [diff] [review]: ----------------------------------------------------------------- I really like how this cleans up the code and removes an entire class of otherwise-recurring problems. If you want to macro-ize parts, that's great, but r+ ::: media/webrtc/signaling/src/sipcc/core/sdp/sdp_attr.c @@ +228,5 @@ > SDP_WARN("%s Invalid attribute type to build (%u)", > sdp_p->debug_str, attr_p->type); > } > } else { > + probably remove this blank line - super-minor @@ +271,5 @@ > return (SDP_SUCCESS); > } > } > > +sdp_result_e sdp_build_attr_simple_string (sdp_t *sdp_p, sdp_attr_t *attr_p, flex_string *fs) wrap @@ +276,2 @@ > { > + flex_string_sprintf(fs, "a=%s:%s\r\n", sdp_attr[attr_p->type].name, attr_p->attr.string_val); wrap - not a big deal; I'm not a stickler for line length (and violate it myself), but splinter is happier with < 80 char lines I think. On the other hand, if a longer length is already typical in the file - forget this comment, be consistent with the file. @@ +1964,5 @@ > + semicolon = TRUE; > + } > + > + if (fmtp_p->qcif > 0) { > + sdp_append_name_and_unsigned(fs, "QCIF", attr_p->attr.fmtp.qcif, semicolon); Very tempted to make a macro: #define UNSIGNED_PARAM(cond,name,value) \ if ((cond)) { \ sdp_append_name_and_unsigned(fs,(name),(value),semicolon); \ semicolon = TRUE; \ } UNSIGNED_PARAM(fmtp->qcif > 0, "QCIF", attr_p->attr.fmtp.qcif) UNSIGNED_PARAM(fmtp->cif > 0, "CIF", attr_p->attr.fmtp.cif) ... But honestly it doesn't save space, just lines of cut-and-paste, so in the end it may not be worth it unless there are a LOT of these. On the other hand, maybe there are enough to make a few macros like this to make it easier to read, vet and add new value to fmtp/etc lines. And it's easier to concentrate on the few that don't fit any of the macros.
Attachment #670185 - Flags: review?(rjesup) → review+
Attachment #670185 - Attachment is obsolete: true
Attachment #670465 - Attachment is obsolete: true
Comment on attachment 670475 [details] [diff] [review] Signaling SDP construction uses flex_string Added macros for simplifying the repetitive code in sdp_build_attr_fmtp. Also wrapped a bunch of long lines for those of you still using your VT100s.
Attachment #670475 - Flags: review?(rjesup)
Comment on attachment 670475 [details] [diff] [review] Signaling SDP construction uses flex_string Review of attachment 670475 [details] [diff] [review]: ----------------------------------------------------------------- Our VT100's (and splinter) thank you
Attachment #670475 - Flags: review?(rjesup) → review+
https://hg.mozilla.org/mozilla-central/rev/b02035b70698
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
This definitely could use a test; perhaps by using ridiculously long strings where we have some ability to control the SDP generated from JS (otherwise it will need to be added to the C++ unit tests, and might be better there since more of the functionality can be tested).
So I put together a crashtest for this crash. But sadly we can't get it landed until the leaks it discovers are getting fixed. I will file this as a follow-up bug.
Attached patch Crashtest v1Splinter Review
First crashtest for WebRTC! It will be disabled for now on m-c due to leakage (see bug 801682). Results without it being disabled you can find here: https://tbpl.mozilla.org/?tree=Try&rev=afd532de4f16
Attachment #669136 - Attachment is obsolete: true
Attachment #671472 - Flags: review?(rjesup)
Comment on attachment 671472 [details] [diff] [review] Crashtest v1 Unfortunately this cannot be known to reliably reproduce the crash as it's dependent on the number of interfaces and ICE candidates generated.
Attachment #671472 - Flags: review?(rjesup) → review-
As given by Randell on IRC we probably have to wait until appropriate interfaces are available so that it can be done as a crashtest (reftest). For now there should be a way to do it via an unit test. So I will hold off from further work on this crashtest for now.
No longer blocks: 801682
Is this going to land on Aurora? Bug 791702 is marked tracking for 18, and is fixed by the patch here, apparently.
Reopening. Bug found in flex_string_sprintf on Windows builds. Windows version of vsnprintf is different than Linux/OSX.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment on attachment 672636 [details] [diff] [review] Patch 3 - flex_string fix for Windows vsnprintf Using derf's suggestion because PR_vsnprintf does not return formatted size.
Attachment #672636 - Flags: review?(rjesup)
Attachment #672636 - Flags: review?(rjesup) → review+
https://hg.mozilla.org/mozilla-central/rev/cb573b9307e5
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
status-firefox19: --- → affected
Resolution: --- → FIXED
Once we're verified with the Windows fix, I plan to ask for uplift to Aurora.
I'll note that the standard loopback demo at http://people.mozilla.com/~anarayanan/webrtc/pc_test.html provokes the last issue on Windows, and that now appears to work.
Whiteboard: [WebRTC] [blocking-webrtc+] → [WebRTC], [blocking-webrtc+], [blocking-gum+], [qa-]
Comment on attachment 670475 [details] [diff] [review] Signaling SDP construction uses flex_string [Approval Request Comment] Bug caused by (feature/regressing bug #): main webrtc signaling landing just before 18 uplift. User impact if declined: Failure to create useful offers or answers if the user has too many interfaces, possible security impact. Testing completed (on m-c, etc.): Tested on m-c and baked for several weeks, with one regression fix (on this same bug, patch #3). Risk to taking this patch (and alternatives if risky): Pretty low risk; patch is large but largely mechanical API change. Basic code is quite clean and it removes tons of error paths, as the only size-related error left is OOM and we use infallible malloc. String or UUID changes made by this patch: None
Attachment #670475 - Flags: approval-mozilla-aurora?
Comment on attachment 670475 [details] [diff] [review] Signaling SDP construction uses flex_string Approving because the patch is low risk for a new feature landed in 18, baked on m-c for several weeks and fixes a regression tracking 18 .
Attachment #670475 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Blocks: 865774
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: