Closed
Bug 813435
Opened 13 years ago
Closed 13 years ago
Heap-use-after-free in mozilla::MediaDecoderStateMachine::StopAudioThread
Categories: Core :: Audio/Video, defect
Status: RESOLVED FIXED
People: Reporter: inferno, Unassigned
Whiteboard: [asan] fixed by 794426 (5 keywords)
Attachments (1 file): 321.79 KB, application/java-archive
Reproduces on trunk if run on simultaneous Firefox instances (like 12-15) (timing related)
=================================================================
==24793== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fbe8d1c2ab8 at pc 0x7fbed150c5c6 bp 0x7fffeab041b0 sp 0x7fffeab041a8
READ of size 8 at 0x7fbe8d1c2ab8 thread T0
#0 0x7fbed150c5c5 in Enter src/../../dist/include/mozilla/ReentrantMonitor.h:71
#1 0x7fbed150c5c5 in ~ReentrantMonitorAutoExit src/content/media/VideoUtils.h:60
#2 0x7fbed150c5c5 in ~ReentrantMonitorAutoExit src/content/media/VideoUtils.h:59
#3 0x7fbed150c5c5 in mozilla::MediaDecoderStateMachine::StopAudioThread() src/content/media/MediaDecoderStateMachine.cpp:1559
0x7fbe8d1c2ab8 is located 120 bytes inside of 240-byte region [0x7fbe8d1c2a40,0x7fbe8d1c2b30)
freed by thread T0 here:
#0 0x426020 in __interceptor_free
#1 0x7fbed14f0a76 in mozilla::MediaDecoder::Release() src/content/media/MediaDecoder.cpp:106
#2 0x7fbed2cba232 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:221
#3 0x7fbed2d82068 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:474
#4 0x7fbed150c510 in mozilla::MediaDecoderStateMachine::StopAudioThread() src/content/media/MediaDecoderStateMachine.cpp:1558
previously allocated by thread T0 here:
#0 0x4260e0 in malloc
#1 0x7fbed6e35148 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
Shadow byte and word:
0x1ff7d1a38557: fd
0x1ff7d1a38550: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff7d1a38530: fa fa fa fa fa fa fa fa
0x1ff7d1a38538: fa fa fa fa fa fa fa fa
0x1ff7d1a38540: fa fa fa fa fa fa fa fa
0x1ff7d1a38548: fd fd fd fd fd fd fd fd
=>0x1ff7d1a38550: fd fd fd fd fd fd fd fd
0x1ff7d1a38558: fd fd fd fd fd fd fd fd
0x1ff7d1a38560: fd fd fd fd fd fd fd fd
0x1ff7d1a38568: fa fa fa fa fa fa fa fa
0x1ff7d1a38570: fa fa fa fa fa fa fa fa
Stats: 653M malloced (602M for red zones) by 1191669 calls
Stats: 66M realloced by 70405 calls
Stats: 535M freed by 838501 calls
Stats: 500M really freed by 795436 calls
Stats: 357M (91608 full pages) mmaped in 678 calls
mmaps by size class: 7:315315; 8:102350; 9:18414; 10:12264; 11:9435; 12:3328; 13:1344; 14:2528; 15:304; 16:992; 17:468; 18:50; 19:37; 20:21; 21:2; 22:1;
mallocs by size class: 7:743566; 8:286483; 9:56838; 10:33027; 11:42678; 12:8754; 13:6193; 14:5405; 15:924; 16:4873; 17:2672; 18:124; 19:103; 20:25; 21:3; 22:1;
frees by size class: 7:497847; 8:212678; 9:43393; 10:23153; 11:38569; 12:6380; 13:5544; 14:3020; 15:685; 16:4609; 17:2431; 18:88; 19:78; 20:23; 21:2; 22:1;
rfrees by size class: 7:470873; 8:202292; 9:41303; 10:22061; 11:37485; 12:5954; 13:5276; 14:2904; 15:636; 16:4109; 17:2380; 18:74; 19:66; 20:22; 21:1;
Stats: malloc large: 8725 small slow: 15650
==24793== ABORTING
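The frames in the ASan trace above describe a general bug class: StopAudioThread holds a ReentrantMonitor, exits it through a RAII guard (ReentrantMonitorAutoExit) so it can join the audio thread, and nsThread::Shutdown() spins a nested event loop in which MediaDecoder::Release() frees the object that owns the monitor; the guard's destructor then re-enters the monitor through freed memory. The following is an added example, not Mozilla's code and not the patch from bug 794426: it models that sequence with a constructed Decoder, event queue and guard, observes the freed case through a liveness registry instead of reading freed memory, and shows the generic mitigation of pinning the object with a strong reference for the duration of the call. Every name in it (Decoder, MonitorAutoExit, DrainEvents, StopAudioThread, holdStrongRef) is an assumption made for the example.

```cpp
// Added example, not Mozilla code: a self-contained model of the bug class in the
// ASan report above. A RAII "monitor auto-exit" guard unlocks, the function spins a
// nested event loop (the stand-in for nsThread::Shutdown), an event in that loop
// drops the last reference to the object that owns the monitor, and the guard's
// destructor then re-enters the monitor of a freed object. All names are constructed.
#include <cstdint>
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <mutex>
#include <set>

// Constructed stand-in for the thread's event queue that Shutdown() drains.
static std::deque<std::function<void()>> g_eventQueue;

// Liveness registry so the buggy path can be observed without reading freed
// memory; in a real build ASan reports the read, as in the trace above.
static std::set<std::uintptr_t> g_liveObjects;
static std::uintptr_t Key(const void* p) { return reinterpret_cast<std::uintptr_t>(p); }

// The object that owns the monitor (the decoder/state machine in the report).
struct Decoder {
    std::recursive_mutex monitor;   // stands in for ReentrantMonitor
    Decoder()  { g_liveObjects.insert(Key(this)); }
    ~Decoder() { g_liveObjects.erase(Key(this)); }
};

// Modelled on ReentrantMonitorAutoExit: unlock now, re-lock in the destructor.
// The destructor is where the report's READ happens: it runs after the nested
// event loop, so the object it touches may already be gone.
struct MonitorAutoExit {
    Decoder* d;
    bool* reenteredLive;
    MonitorAutoExit(Decoder* dec, bool* flag) : d(dec), reenteredLive(flag) { d->monitor.unlock(); }
    ~MonitorAutoExit() {
        // A real guard locks unconditionally; here we consult the registry so the
        // freed case is reported as a boolean instead of undefined behaviour.
        if (g_liveObjects.count(Key(d))) { d->monitor.lock(); *reenteredLive = true; }
    }
};

// Runs every queued event, as nsThread::Shutdown() does before returning.
static void DrainEvents() {
    while (!g_eventQueue.empty()) {
        auto ev = std::move(g_eventQueue.front());
        g_eventQueue.pop_front();
        ev();
    }
}

// Model of StopAudioThread(). 'owner' is the caller's reference to the decoder,
// which a queued event will release (MediaDecoder::Release in the trace).
// With holdStrongRef=false the guard's destructor finds the object freed; with
// holdStrongRef=true a local strong reference keeps it alive until the guard has
// re-entered and exited the monitor. Returns whether the re-entry hit a live object.
static bool StopAudioThread(std::shared_ptr<Decoder>& owner, bool holdStrongRef) {
    Decoder* raw = owner.get();
    bool reenteredLive = false;
    std::shared_ptr<Decoder> keepAlive;      // the usual fix: pin the object for the call
    if (holdStrongRef) keepAlive = owner;

    raw->monitor.lock();                      // the monitor is held on entry
    {
        MonitorAutoExit autoExit(raw, &reenteredLive);   // must not hold it across the join
        // The final event on the audio thread releases the caller's reference.
        g_eventQueue.push_back([ref = std::move(owner)]() mutable { ref.reset(); });
        DrainEvents();                        // nested event loop; may free *raw
    }                                         // ~MonitorAutoExit: re-enter the monitor
    if (reenteredLive) raw->monitor.unlock();
    return reenteredLive;
}

int main() {
    auto a = std::make_shared<Decoder>();
    std::printf("without strong ref: re-entered live object = %d\n", StopAudioThread(a, false));
    auto b = std::make_shared<Decoder>();
    std::printf("with strong ref:    re-entered live object = %d\n", StopAudioThread(b, true));
    return 0;
}
```

The registry is only there to make the ordering visible in a plain build; the point a reviewer would check in the real code is whether anything keeps the monitor's owner alive across the nested event loop, because the guard's destructor runs unconditionally once the scope closes.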
Comment 1•13 years ago
Fwiw, I can't reproduce it in a local Linux64 debug ASAN build.
Comment 2•13 years ago (Reporter)
(In reply to Mats Palmgren [:mats] from comment #1)
> Fwiw, I can't reproduce it in a local Linux64 debug ASAN build.
It reproduces reliably on two of my physical boxes when run with like 14 instances on a -O2 optimized release build. It was giving me trouble on a -O1 build, so it does not surprise me that an even slower debug build is not reproducing. Some of the instances crash on a null as well.
Updated•13 years ago
Attachment #683444 - Attachment mime type: application/x-zip-compressed → application/java-archive
Comment 3•13 years ago
Going to call this sec-high rather than sec-critical only because it appears to require getting the timing right in order to trigger.
Keywords: sec-high
Comment 4•13 years ago
Can we get this assigned to someone to work on? There hasn't been real activity in a month here.
Comment 5•13 years ago
The patch in bug 794426 might fix this.
Comment 6•13 years ago (Reporter)
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #5)
> The patch in bug 794426 might fix this.
If you can cc me on that bug, I can help to verify the patch (since Mats was having trouble reproducing this).
Comment 7•13 years ago (Reporter)
Verified on trunk (which has the fix) that this testcase does not crash.
Great, thanks!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
Flags: sec-bounty?
Updated•13 years ago
status-b2g18: --- → fixed
status-firefox-esr17: --- → fixed
tracking-firefox-esr17: --- → 18+
Depends on: 794426
Whiteboard: [asan] → [asan] fixed by 794426
Updated•12 years ago
Flags: sec-bounty? → sec-bounty-
Comment 9•12 years ago
Bounty non-qual because it was fixed by an earlier security bug's fix.
Updated•10 years ago
Group: core-security → core-security-release
Updated•10 years ago
Group: core-security-release
Updated•9 years ago
Keywords: csectype-uaf
Updated•1 year ago
Keywords: reporter-external