Closed
Bug 879923
Opened 11 years ago
Closed 11 years ago
Non-null crash at nsCString::CharAt
Categories
(Core :: Audio/Video, defect)
Tracking
RESOLVED
DUPLICATE
of bug 879924
People
(Reporter: aki.helin, Unassigned)
Details
Opening the attached page with broken WAV data causes Firefox release-, beta- and aurora channels to crash at least on Linux (64-bit Debian wheezy) due to an invalid but heapish address. Filed promptly without much further research since this looks like a potential security issue in release version.

$ opt/firefox-aurora-asan/firefox ff-crash-nsCString.html 2>&1 | symbolize | c++filt
ASAN:SIGSEGV
=================================================================
==3779== ERROR: AddressSanitizer crashed on unknown address 0x7f69c31e8b87 (pc 0x7f68e00348e8 sp 0x7f68b04fb160 bp 0x7f68b04fb3f0 T20)
AddressSanitizer can not provide additional info.
    #0 0x7f68e00348e7 in nsCString::CharAt(unsigned int) const /home/aki/src/mozilla-aurora/../../../dist/include/nsTString.h:90
    #1 0x7f68e0032102 in mozilla::WaveReader::LoadAllChunks(nsAutoPtr<nsDataHashtable<nsCStringHashKey, nsCString> >&) /home/aki/src/mozilla-aurora/content/media/wave/WaveReader.cpp:642
    #2 0x7f68e0031616 in mozilla::WaveReader::ReadMetadata(mozilla::VideoInfo*, nsDataHashtable<nsCStringHashKey, nsCString>**) /home/aki/src/mozilla-aurora/content/media/wave/WaveReader.cpp:145
    #3 0x7f68df7266af in mozilla::MediaDecoderStateMachine::DecodeMetadata() /home/aki/src/mozilla-aurora/content/media/MediaDecoderStateMachine.cpp:1816
    #4 0x7f68df72627f in mozilla::MediaDecoderStateMachine::DecodeThreadRun() /home/aki/src/mozilla-aurora/content/media/MediaDecoderStateMachine.cpp:498
Thread T20 created by T19 here:
    #0 0x439d84 in pthread_create ??:0
    #1 0x7f68e8120176 in _PR_CreateThread /home/aki/src/mozilla-aurora/nsprpub/pr/src/pthreads/ptthread.c:444
    #2 0x7f68e811fc77 in PR_CreateThread /home/aki/src/mozilla-aurora/nsprpub/pr/src/pthreads/ptthread.c:527
Thread T19 created by T0 here:
    #0 0x439d84 in pthread_create ??:0
    #1 0x7f68e8120176 in _PR_CreateThread /home/aki/src/mozilla-aurora/nsprpub/pr/src/pthreads/ptthread.c:444
    #2 0x7f68e811fc77 in PR_CreateThread /home/aki/src/mozilla-aurora/nsprpub/pr/src/pthreads/ptthread.c:527
Stats: 247M malloced (251M for red zones) by 343876 calls
Stats: 50M realloced by 16371 calls
Stats: 215M freed by 207394 calls
Stats: 78M really freed by 149442 calls
Stats: 440M (112721 full pages) mmaped in 110 calls
  mmaps   by size class: 8:229362; 9:32764; 10:12285; 11:16376; 12:2048; 13:1536; 14:1280; 15:384; 16:704; 17:1344; 18:48; 19:40; 20:24; 21:2;
  mallocs by size class: 8:259684; 9:42719; 10:11536; 11:21111; 12:2363; 13:1984; 14:1570; 15:454; 16:896; 17:1423; 18:70; 19:42; 20:22; 21:2;
  frees   by size class: 8:141180; 9:31851; 10:8122; 11:19392; 12:1538; 13:1339; 14:1380; 15:326; 16:744; 17:1401; 18:61; 19:38; 20:21; 21:1;
  rfrees  by size class: 8:110450; 9:17331; 10:5579; 11:13200; 12:779; 13:636; 14:452; 15:202; 16:531; 17:248; 18:29; 19:3; 20:1; 21:1;
Stats: malloc large: 1559 small slow: 2115
==3779== ABORTING
It seems bugzilla compensated not adding the attachment it asked for by making two bugs... The repro is at 879924.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Updated•11 years ago
Resolution: INVALID → DUPLICATE
Updated•9 years ago
Group: core-security