Closed
Bug 916836
Opened 11 years ago
Closed 11 years ago
crash in mozilla::MP3Buffer::ExtractFrameHeader(unsigned char const*)
Categories
(Core :: Audio/Video, defect)
Tracking
()
VERIFIED
FIXED
mozilla27
People
(Reporter: tracy, Assigned: cpearce)
Details
(Keywords: crash, regression, topcrash)
Crash Data
Attachments
(1 file)
1.51 KB,
patch
|
padenot
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-1aaa86d6-aee4-43fb-9b8b-684a62130915. ============================================================= This has exploded to #4 topcrasher on Nightly since builds of 20130911030258 Comments and urls point to streaming audio. 21 https://www.facebook.com/ 12 http://www.m2radio.fr/m2-90/player/for-mobile-and-tablet 12 http://blanik.static.abradio.cz/blanik-fm-stream64.html 11 about:blank 10 http://www.cnn.com/?refresh=1 7 http://www.tumblr.com/dashboard 6 http://www.comunicacionessic.com/ 6 https://www.google.com/ 5 http://forecast.weather.gov/MapClick.php?lat=41.63055013678316&lon=-72.871456... 5 http://www.iloveradio.de/ 4 http://lprussia.com/music/altnc_lprussia.mp3 4 about:newtab 3 http://tegos.ru/new/radio_record/Klaas_-_Flight_To_Paris_mix.mp3 3 https://www.facebook.com/?ref=tn_tnmn 3 http://promodj.com/vividj/remixes/4128207/Natali_O_Bozhe_Kakoy_Muzhchina_Vita... 3 http://www.jmccanneyscience.com/JamesMcCanneyScienceHour_September_12_2013.mp3
Updated•11 years ago
|
Component: Web Audio → Video/Audio
Reporter | ||
Comment 1•11 years ago
|
||
pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e5ca10a2b3d0&tochange=9e9f74116749
Comment 2•11 years ago
|
||
The obvious candidate is: Chris Pearce — Bug 910897 - Use MP3FrameParser in DirectShow in order to calculate the duration. r=padenot
Updated•11 years ago
|
Keywords: regression
Updated•11 years ago
|
status-firefox26:
--- → affected
tracking-firefox26:
--- → +
Assignee | ||
Updated•11 years ago
|
Assignee: nobody → cpearce
Assignee | ||
Comment 3•11 years ago
|
||
We're crashing because we're running MP3FrameParser::ParseBuffer() with a very large aLngth. This happens when the first parse in MP3FrameParser::Parse() reads the leftover data from the previous parse (mBuffer) and finds a frame in it that extends off the end of the incoming buffer. The length field passed into MP3FrameParser::ParseBuffer() is unsigned, and so we then overflow and things get messed up from then on in.
Attachment #806339 -
Flags: review?(paul)
Assignee | ||
Comment 4•11 years ago
|
||
I forgot to mention; I could reproduce this by serving an MP3 file to Firefox with a very very slow connection (0.1KBps).
Assignee | ||
Comment 5•11 years ago
|
||
Greenish on try: https://tbpl.mozilla.org/?tree=Try&rev=d8f596e0a52d
Comment 6•11 years ago
|
||
Comment on attachment 806339 [details] [diff] [review] Patch Review of attachment 806339 [details] [diff] [review]: ----------------------------------------------------------------- ::: content/media/MP3FrameParser.cpp @@ +428,5 @@ > + if (mOffset > mLength) { > + mLength = mOffset; > + } > + return; > + } nit: trailing space.
Attachment #806339 -
Flags: review?(paul) → review+
Assignee | ||
Comment 7•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0073cef7bb9 Will need this on aurora too.
Comment 8•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a0073cef7bb9
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Reporter | ||
Comment 9•11 years ago
|
||
Will this be applied to Aurora (Fx26)? It is currently the #2 (12.72%) crasher closely behind the Empty crash (13.26%)
Updated•11 years ago
|
Flags: needinfo?(cpearce)
Reporter | ||
Comment 10•11 years ago
|
||
There are no reports of this crashing Nightly since the fix was checked in there. (last crashy build was 20130919030202)
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 11•11 years ago
|
||
(In reply to Tracy Walker [:tracy] from comment #9) > Will this be applied to Aurora (Fx26)? Yes. (In reply to Tracy Walker [:tracy] from comment #10) > There are no reports of this crashing Nightly since the fix was checked in > there. (last crashy build was 20130919030202) Thanks! I wanted to wait for a few days so that we could be sure this patch was all that needed to be uplifted.
Flags: needinfo?(cpearce)
Assignee | ||
Comment 12•11 years ago
|
||
Comment on attachment 806339 [details] [diff] [review] Patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 861693, MP3 decoding support on WinXP User impact if declined: Crashes when playing MP3 files on slow networks. Testing completed (on m-c, etc.): Been on m-c for several days, crash fixed there. Risk to taking this patch (and alternatives if risky): Low. String or IDL/UUID changes made by this patch: None.
Attachment #806339 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
|
Attachment #806339 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 13•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/e6486528e938
Updated•11 years ago
|
status-firefox27:
--- → fixed
Comment 14•10 years ago
|
||
Couldn't reproduce this crash by using STR from comment 4 on Nightly (from 2013-09-15 and 2013-09-12) with Netlimiter (bandwidth set to 0.1KBps) nor with links from comment 0. In Socorro there are no crashes in the last month for: - Firefox 27 beta: http://goo.gl/Ywlinq - Firefox 26 RC: http://goo.gl/o4ME0r Are the crash stats enough to call this verified? If not, could you please advice how to reproduce in order to verify this is fixed?
Flags: needinfo?(cpearce)
Comment 15•10 years ago
|
||
(In reply to Alexandra Lucinet, QA Mentor [:adalucinet] from comment #14) > In Socorro there are no crashes in the last month for: > - Firefox 27 beta: http://goo.gl/Ywlinq > - Firefox 26 RC: http://goo.gl/o4ME0r > > Are the crash stats enough to call this verified? As it was filed as a topcrash based on Socorro data, I think being absent from there is enough to verify this, yes.
Comment 17•10 years ago
|
||
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #15) > As it was filed as a topcrash based on Socorro data, I think being absent > from there is enough to verify this, yes. Thanks for the reply. Marking as verified on Firefox 26 and 27 beta.
You need to log in
before you can comment on or make changes to this bug.
Description
•