Closed Bug 854086 Opened 13 years ago Closed 12 years ago

WebVTT crash [@mozilla::dom::WebVTTLoadListener::ConvertNodeToCueTextContent]

Categories

(Core :: Audio/Video, defect)

x86
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: rforbes, Unassigned)

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [asan])

Attachments

(1 file)

Crash was found using peach fuzzer and an asan build. I was not able to repro.

==59102==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000106bcf16b sp 0x7fff5fbfb550 bp 0x7fff5fbfb550 T0)
AddressSanitizer can not provide additional info.
    #0 0x106bcf16a in nsAString_internal::IsDependentOn const nsTSubstring.h:775
    #1 0x106bc8059 in nsAString_internal::Assign nsTSubstring.cpp:306
    #2 0x106bc83a8 in nsAString_internal::Assign nsTSubstring.cpp:386
    #3 0x106bc84e8 in nsAString_internal::Assign nsTSubstring.cpp:347
    #4 0x10388743d in nsAString_internal::operator= nsTSubstring.h:385
    #5 0x104b4001d in mozilla::dom::WebVTTLoadListener::ConvertNodeToCueTextContent WebVTTLoadListener.cpp:334
    #6 0x104b3f50f in mozilla::dom::WebVTTLoadListener::ConvertNodeListToDocFragment WebVTTLoadListener.cpp:291
    #7 0x104b3ef73 in mozilla::dom::WebVTTLoadListener::DisplayCueText WebVTTLoadListener.cpp:204
    #8 0x104ef8ca4 in mozilla::dom::TextTrackCueList::Update TextTrackCueList.cpp:41
    #9 0x104b20b7e in mozilla::dom::TextTrackList::Update TextTrackList.h:49
    #10 0x104b0e5ce in nsHTMLMediaElement::FireTimeUpdate nsHTMLMediaElement.cpp:3475
    #11 0x1053379a3 in mozilla::MediaDecoder::PlaybackPositionChanged MediaDecoder.cpp:1209
    #12 0x10533eb01 in nsRunnableMethodImpl<void , true>::Run nsThreadUtils.h:367
    #13 0x106b72cdb in nsThread::ProcessNextEvent nsThread.cpp:627
    #14 0x106ab1afe in NS_ProcessPendingEvents_P nsThreadUtils.cpp:188
    #15 0x105fed193 in nsBaseAppShell::NativeEventCallback nsBaseAppShell.cpp:97
    #16 0x105f661ed in nsAppShell::ProcessGeckoEvents nsAppShell.mm:387
    #17 0x7fff90dea100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
    #18 0x7fff90de9a24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
    #19 0x7fff90e0cdc4 in __CFRunLoopRun (in CoreFoundation) + 788
    #20 0x7fff90e0c6b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
    #21 0x7fff9711e0a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
    #22 0x7fff9711de41 in ReceiveNextEventCommon (in HIToolbox) + 355
    #23 0x7fff9711dcd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
    #24 0x7fff8f93d612 in _DPSNextEvent (in AppKit) + 684
    #25 0x7fff8f93ced1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #26 0x105f648db in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] nsAppShell.mm:164
    #27 0x7fff8f934282 in -[NSApplication run] (in AppKit) + 516
    #28 0x105f66db5 in nsAppShell::Run nsAppShell.mm:741
    #29 0x105b0935d in nsAppStartup::Run nsAppStartup.cpp:288
    #30 0x10383e593 in XREMain::XRE_mainRun nsAppRunner.cpp:3885
    #31 0x10383f6ae in XREMain::XRE_main nsAppRunner.cpp:3952
    #32 0x10383fc09 in XRE_main nsAppRunner.cpp:4155
    #33 0x100002993 in 0x200002993
    #34 0x100001c08 in 0x200001c08
    #35 0x100001193 in 0x200001193
    #36 0x4 in 0x0000000100000004 (in firefox)
==59102==ABORTING
Keywords: crash
Summary: crash in webvtt → WebVTT crash [@mozilla::dom::WebVTTLoadListener::ConvertNodeToCueTextContent]
Group: core-security
Attached file testcase
Keywords: testcase
Keywords: csec-nullptr
Whiteboard: [asan]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
This is not reproducible anymore. Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/e56e8fbacb7c
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME