Closed Bug 1048517 Opened 10 years ago Closed 10 years ago

[libstagefright] |MPEG4Source::read| has several potential uninitialized variable errors

Categories

(Core :: Audio/Video, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla34
Tracking Status
firefox34 --- fixed
firefox-esr31 --- wontfix

People

(Reporter: erahm, Assigned: ajones)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, sec-moderate, Whiteboard: [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496][adv-main34+])

Attachments

(6 files)

Coverity has flagged at least five potential uninitialized variable issues in |MPEG4Source::read| [1].

#1 - |offset| can be used uninitialized in buffer reads [2],[3]
#2 - |size| can be used uninitialized in buffer reads [2],[3]
#3 - |cts| can be used uninitialized when setting buffer metadata [4]
#4 - |duration| can be used uninitialized when setting buffer metadata [5]
#5 - |isSyncSample| can be used uninitialized in an if statement [6]

I will attach the Coverity analysis as well; it's somewhat convoluted, but generally the issues arise if we take the false branch of |if (!mIsAVC || mWantsNALFragments)| [7].

[1] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3079
[2] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3288
[3] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3290
[4] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3349
[5] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3351
[6] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3358
[7] - http://hg.mozilla.org/mozilla-central/annotate/71497ed2e0db/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3280
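A simplified model of the control-flow shape described in this report, added here as an illustration; it is not code from libstagefright, from the fix that landed, or from the Coverity report. The SampleTable lookup, the two read functions, the status codes and the constructed sample table are all hypothetical stand-ins, and the real MPEG4Source::read has many more branches than this. It puts the flagged pattern (locals assigned only inside one branch and consumed after it) beside a hardened form (definite initialization, the lookup's status checked on every path, zero-sized samples rejected).

```cpp
#include <cstddef>
#include <cstdint>

// Added example; not code from libstagefright or mozilla-central. It models the
// control-flow shape the report describes: the per-sample fields are assigned
// only when the (!mIsAVC || mWantsNALFragments) branch is taken, yet the other
// branch consumes them. SampleTable, readSampleBuggy, readSampleHardened and
// the Android-style status codes are hypothetical stand-ins.

typedef int status_t;
enum { OK = 0, ERROR_END_OF_STREAM = -1, ERROR_MALFORMED = -2 };

// Constructed per-sample metadata, the kind an MP4 sample-table lookup yields.
struct SampleInfo { int64_t offset; size_t size; uint32_t cts; uint32_t duration; bool isSyncSample; };

struct SampleTable {
    const SampleInfo* entries;
    size_t            count;

    // getMetaDataForSample-style lookup: out-params are written only on OK, so a
    // caller that skips the call or ignores the status keeps whatever was there.
    status_t getMetaDataForSample(size_t index, int64_t* offset, size_t* size,
                                  uint32_t* cts, uint32_t* duration,
                                  bool* isSyncSample) const {
        if (index >= count) return ERROR_END_OF_STREAM;
        const SampleInfo& s = entries[index];
        *offset = s.offset; *size = s.size; *cts = s.cts;
        *duration = s.duration; *isSyncSample = s.isSyncSample;
        return OK;
    }
};

// What one read() hands back: a status plus the metadata set on the buffer.
struct ReadResult { status_t status; int64_t offset; size_t size; uint32_t cts; uint32_t duration; bool isSyncSample; };

// BEFORE: the shape Coverity flags. No initializers, and the lookup runs on one
// branch only. On the else path (AVC without NAL fragments) every field copied
// below is stack residue; offset and size would then drive a file read with
// unpredictable values. Only the first path is ever exercised in this example.
ReadResult readSampleBuggy(const SampleTable& table, size_t index,
                           bool isAVC, bool wantsNALFragments) {
    int64_t offset; size_t size; uint32_t cts, duration; bool isSyncSample;

    if (!isAVC || wantsNALFragments) {
        status_t err = table.getMetaDataForSample(index, &offset, &size, &cts,
                                                  &duration, &isSyncSample);
        if (err != OK) {
            ReadResult r = {err, 0, 0, 0, 0, false};
            return r;
        }
    }
    // Both paths reach here; only one of them filled the locals.
    ReadResult r = {OK, offset, size, cts, duration, isSyncSample};
    return r;
}

// AFTER: definite initialization at declaration, the lookup hoisted so it runs
// for both paths, its status checked before anything is consumed, and a
// zero-length sample rejected instead of being passed on as an empty read.
ReadResult readSampleHardened(const SampleTable& table, size_t index,
                              bool isAVC, bool wantsNALFragments) {
    int64_t offset = 0; size_t size = 0;
    uint32_t cts = 0, duration = 0; bool isSyncSample = false;

    status_t err = table.getMetaDataForSample(index, &offset, &size, &cts,
                                              &duration, &isSyncSample);
    if (err != OK) {
        ReadResult r = {err, 0, 0, 0, 0, false};
        return r;
    }
    if (size == 0) {
        ReadResult r = {ERROR_MALFORMED, 0, 0, 0, 0, false};
        return r;
    }
    // How the payload is packaged may still depend on the branch; whether the
    // fields are set no longer does.
    (void)isAVC; (void)wantsNALFragments;
    ReadResult r = {OK, offset, size, cts, duration, isSyncSample};
    return r;
}

// Constructed three-sample table (not from a real file): two ordinary samples
// and one with a zero size to exercise the malformed-sample check.
static const SampleInfo kSamples[] = {
    {   48, 1500,    0, 3000, true  },
    { 1548,  800, 3000, 3000, false },
    { 2348,    0, 6000, 3000, false },
};
static const SampleTable kTable = { kSamples, 3 };
```

readSampleBuggy is kept only to show the shape; it is exercised only on the path that does initialize the locals, because the other path is an uninitialized read and its result is meaningless. readSampleHardened returns the same values on the AVC path as on the other one, returns ERROR_END_OF_STREAM for an index past the table without touching the caller-visible fields, and refuses the zero-sized sample.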
Attached file CID 1221247 (deleted)
Attached file CID 1221248 (deleted)
Attached file CID 1221249 (deleted)
Attached file CID 1221250 (deleted)
Attached file CID 1225496 (deleted)
Whiteboard: [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496] → [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496]
Assignee: nobody → ajones
Status: NEW → ASSIGNED
Attachment #8467364 - Flags: review?(erahm) → review?(cpearce)
Attachment #8467364 - Flags: review?(cpearce) → review+
https://hg.mozilla.org/mozilla-central/rev/06b830f9b0e7
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
How far back does this issue go?
(In reply to Al Billings [:abillings] from comment #9)
> How far back does this issue go?

It has always been pref'ed off in Firefox but this code is used on all Android phones in their system libraries. If this bug is exploitable then Fennec is exposed to it until we move away from using the system libstagefright MP4 demuxer.
Whiteboard: [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496] → [CID 1221246] [CID 1221247] [CID 1221248] [CID 1221249] [CID 1221250] [CID 1225496][adv-main34+]
Group: core-security → core-security-release
Group: core-security-release