Closed
Bug 1186715
Opened 9 years ago
Closed 9 years ago
Stagefright: heap-buffer-overflow crash [@stagefright::SampleIterator::seekTo]
Categories
(Core :: Audio/Video: Playback, defect, P1)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla43
Version | Tracking | Status
---|---|---
firefox42 | - | unaffected
firefox43 | + | fixed
People
(Reporter: tsmith, Assigned: rillian)
Details
(Keywords: crash, csectype-bounds, sec-high)
Attachments (1 file)
patch (deleted), ajones: review+
==24671==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060008c85b8 at pc 0x7f32d49a5c73 bp 0x7f325090d690 sp 0x7f325090d688
READ of size 8 at 0x6060008c85b8 thread T351 (MediaPl~back #8)
#0 0x7f32d49a5c72 in seekTo /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/SampleIterator.cpp:127
#1 0x7f32d49adc4a in getMetaDataForSample /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp:1042
#2 0x7f32d499912f in exportIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:4125
#3 0x7f32d4968493 in ReadTrackIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/binding/MP4Metadata.cpp:259
#4 0x7f32d953ac11 in MP4TrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:211
#5 0x7f32d95397a1 in GetTrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:145
#6 0x7f32d9110215 in OnDemuxerInitDone /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/MediaFormatReader.cpp:319
#7 0x7f32d91851f6 in RejectValue /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:433
#8 0x7f32d9182dd2 in DoResolveOrReject /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:383
#9 0x7f32d918277f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:316
#10 0x7f32d9085d0a in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:180
#11 0x7f32d921d995 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/TaskQueue.cpp:257
#12 0x7f32d4b3d3d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#13 0x7f32d4b3d78c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#14 0x7f32d4b372d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
#15 0x7f32d4ba5f1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#16 0x7f32d540f55f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
#17 0x7f32d539b45c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#18 0x7f32d4b336f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
#19 0x7f32e3360135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#20 0x7f32e6887e99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
#21 0x7f32e598431c in ?? /build/buildd/eglibc-2.15/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:112
0x6060008c85b8 is located 0 bytes to the right of 56-byte region [0x6060008c8580,0x6060008c85b8)
allocated by thread T351 (MediaPl~back #8) here:
#0 0x472271 in __interceptor_malloc _asan_rtl_
#1 0x7f32d49b0c91 in alloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/system/core/libutils/SharedBuffer.cpp:29
#2 0x7f32d4950f89 in _grow /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/system/core/libutils/VectorImpl.cpp:389
#3 0x7f32d4952065 in insertAt /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/system/core/libutils/VectorImpl.cpp:144
#4 0x7f32d49a577f in push /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/system/core/include/utils/Vector.h:323
#5 0x7f32d49adc4a in getMetaDataForSample /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp:1042
#6 0x7f32d499912f in exportIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:4125
#7 0x7f32d4968493 in ReadTrackIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/binding/MP4Metadata.cpp:259
#8 0x7f32d953ac11 in MP4TrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:211
#9 0x7f32d95397a1 in GetTrackDemuxer /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/fmp4/MP4Demuxer.cpp:145
#10 0x7f32d9110215 in OnDemuxerInitDone /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/MediaFormatReader.cpp:319
#11 0x7f32d91851f6 in RejectValue /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:433
#12 0x7f32d9182dd2 in DoResolveOrReject /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:383
#13 0x7f32d918277f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:316
#14 0x7f32d9085d0a in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:180
#15 0x7f32d921d995 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/TaskQueue.cpp:257
#16 0x7f32d4b3d3d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#17 0x7f32d4b3d78c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#18 0x7f32d4b372d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
#19 0x7f32d4ba5f1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#20 0x7f32d540f55f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
#21 0x7f32d539b45c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#22 0x7f32d4b336f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
#23 0x7f32e3360135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#24 0x7f32e6887e99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
Thread T351 (MediaPl~back #8) created by T345 (MediaPl~back #3) here:
#0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
#1 0x7f32e335cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
#2 0x7f32e335c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
#3 0x7f32d4b34ced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
#4 0x7f32d4b3acee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
#5 0x7f32d4b3c3be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
#6 0x7f32d4b3dc97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
#7 0x7f32d921dd30 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
#8 0x7f32d4b3d3d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#9 0x7f32d4b3d78c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#10 0x7f32d4b372d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
#11 0x7f32d4ba5f1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#12 0x7f32d540f55f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
#13 0x7f32d539b45c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#14 0x7f32d4b336f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
#15 0x7f32e3360135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#16 0x7f32e6887e99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
Thread T345 (MediaPl~back #3) created by T343 (MediaPl~back #2) here:
#0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
#1 0x7f32e335cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
#2 0x7f32e335c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
#3 0x7f32d4b34ced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
#4 0x7f32d4b3acee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
#5 0x7f32d4b3c3be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
#6 0x7f32d4b3dc97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
#7 0x7f32d921dd30 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
#8 0x7f32d4b3d3d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#9 0x7f32d4b3d78c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#10 0x7f32d4b372d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
#11 0x7f32d4ba5f1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#12 0x7f32d540f6f8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
#13 0x7f32d539b45c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#14 0x7f32d4b336f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
#15 0x7f32e3360135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#16 0x7f32e6887e99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
Thread T343 (MediaPl~back #2) created by T0 here:
#0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
#1 0x7f32e335cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
#2 0x7f32e335c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
#3 0x7f32d4b34ced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
#4 0x7f32d4b3acee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
#5 0x7f32d4b3c3be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
#6 0x7f32d4b3dc97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
#7 0x7f32d921c0f9 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
#8 0x7f32d91e0bec in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/mozilla/TaskQueue.h:47
#9 0x7f32d908567c in DispatchTaskGroup /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:232
#10 0x7f32d9084322 in ~AutoTaskDispatcher /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:87
#11 0x7f32d9083471 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/Maybe.h:373
#12 0x7f32d9083610 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:621
#13 0x7f32da0dd125 in assign_assuming_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/widget/../dist/include/nsCOMPtr.h:336
#14 0x7f32da0ddccd in AfterProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.h:95
#15 0x7f32d4b377a0 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:881
#16 0x7f32d4ba5f1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
#17 0x7f32d540e5e9 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
#18 0x7f32d539b45c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#19 0x7f32da0db8d7 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
#20 0x7f32dbe380f8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280
#21 0x7f32dbf40e17 in XRE_mainRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4288
#22 0x7f32dbf41e75 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4385
#23 0x7f32dbf42cf5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4474
#24 0x48a6e4 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
#25 0x7f32e58b176c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
==24671==ABORTING
Comment 1•9 years ago
Anthony, is there somebody who can look at this?
I'm marking this sec-high for now until proven otherwise.
Flags: needinfo?(ajones)
Keywords: sec-high
Jean-Yves or Ralph - can one of you guys take this?
Flags: needinfo?(jyavenard)
Flags: needinfo?(giles)
Updated•9 years ago
Assignee: nobody → jyavenard
Flags: needinfo?(jyavenard)
Updated•9 years ago
Flags: needinfo?(ajones)
Comment 4•9 years ago (Assignee)
Looking at the code, it's running off the end of SampleIterator::mCurrentChunkSampleSizes, which is a Vector<size_t> but not used in an iterator construct.
This may be because in the previous stanza a getSampleSizeDirect() failure can return without pushing a full mSamplesPerChunk set of indices when building the array. If the error isn't propagated, or cleanup doesn't happen properly, we could come back with a short array in another seek.
Comment 5•9 years ago (Assignee)
Ergo chunkRelativeSampleIndex is larger than mSamplesPerChunk, or mSamplesPerChunk is larger than the actual vector capacity. This patch adds two asserts to distinguish the two cases. It should also convert the overflow to a 'safe' (denial of service) crash.
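The failure mode described in comments 4 and 5, as an added illustration that is not Mozilla's or libstagefright's code: a reduced model in which a failed getSampleSizeDirect() leaves the per-chunk size array short and a later lookup indexes it anyway. The unhardened lookup sits beside a hardened one whose two checks are the two cases the patch's asserts separate; the struct layout, loadChunk and lookupAfterLoad are assumptions made for the example.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-in for the sample table: getSampleSizeDirect() fails for
// any sample index it does not know, as the real call can.
struct SampleSizeSource {
    std::vector<size_t> sizes;
    bool getSampleSizeDirect(size_t sampleIndex, size_t* out) const {
        if (sampleIndex >= sizes.size()) return false;
        *out = sizes[sampleIndex];
        return true;
    }
};

// Reduced model of the iterator state named in comment 4 (layout assumed).
struct ChunkIterator {
    size_t mSamplesPerChunk = 0;
    std::vector<size_t> mCurrentChunkSampleSizes;

    // Builds the per-chunk size array; the early return on failure leaves
    // fewer than mSamplesPerChunk entries behind.
    bool loadChunk(const SampleSizeSource& src, size_t first, size_t perChunk) {
        mSamplesPerChunk = perChunk;
        mCurrentChunkSampleSizes.clear();
        for (size_t i = 0; i < perChunk; ++i) {
            size_t sz = 0;
            if (!src.getSampleSizeDirect(first + i, &sz)) return false;
            mCurrentChunkSampleSizes.push_back(sz);
        }
        return true;
    }

    // Unhardened lookup: trusts mSamplesPerChunk alone, so a short array lets
    // operator[] read past the heap block (the report's 56-byte region holds
    // seven size_t entries; the faulting 8-byte read was entry 7).
    size_t sizeAtUnchecked(size_t idx) const {
        if (idx >= mSamplesPerChunk) return 0;
        return mCurrentChunkSampleSizes[idx];
    }

    // Hardened lookup: the two conditions are the two cases comment 5 tells
    // apart with asserts; here each fails closed instead of reading.
    bool sizeAtChecked(size_t idx, size_t* out) const {
        if (idx >= mSamplesPerChunk) return false;                            // case 1
        if (mSamplesPerChunk > mCurrentChunkSampleSizes.size()) return false; // case 2
        *out = mCurrentChunkSampleSizes[idx];
        return true;
    }
};

// Drives the scenario from comment 4 with a constructed table of 3 known sizes:
// asks for perChunk entries (the load fails partway if perChunk > 3, and the
// failure is deliberately ignored), then looks up idx through the hardened
// path. Returns the size, or 0 when the lookup refuses the read.
size_t lookupAfterLoad(size_t perChunk, size_t idx) {
    SampleSizeSource src{{100, 200, 300}};  // constructed sample sizes
    ChunkIterator it;
    it.loadChunk(src, 0, perChunk);          // return value ignored on purpose
    size_t sz = 0;
    return it.sizeAtChecked(idx, &sz) ? sz : 0;
}
```

With perChunk = 5 and idx = 4 the index passes the mSamplesPerChunk bound yet lies past the three entries actually stored, which is exactly the read the unchecked path would perform.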
Comment 6•9 years ago
Which versions of Firefox does this affect? Should I assume all of them with stagefright bugs?
status-firefox42: --- → ?
status-firefox43: --- → affected
tracking-firefox42: --- → ?
tracking-firefox43: --- → +
Comment 7•9 years ago (Assignee)
(In reply to Liz Henry (:lizzard) from comment #6)
> Which versions of Firefox does this affect? Should I assume all of them with
> stagefright bugs?
I expect so. Without the testcase it's hard to verify, but unless it happens to be a regression from other bug fixes all versions are likely vulnerable.
Flags: needinfo?(giles)
Updated•9 years ago
Priority: -- → P1
Comment 8•9 years ago (Reporter)
(In reply to Ralph Giles (:rillian) from comment #3)
> Can you attach a testcase?
I have been trying for the last few days to reproduce this issue with the new debug assertions with no luck. I'll close this and I can reopen it if I come across it again.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME
Comment 9•9 years ago (Assignee)
Comment on attachment 8649995 [details] [diff] [review]
Add diagnostic asserts
Review of attachment 8649995 [details] [diff] [review]:
-----------------------------------------------------------------
Might as well land the asserts so it's easier to track if it re-occurs.
Attachment #8649995 - Flags: review?(ajones)
Updated•9 years ago
Attachment #8649995 - Flags: review?(ajones) → review+
ralph: can you request sec approval? I think we may also need to reopen the bug for it to show for sec approval and to the sheriffs.
Flags: needinfo?(giles)
Updated•9 years ago (Assignee)
Status: RESOLVED → REOPENED
Flags: needinfo?(giles)
Resolution: WORKSFORME → ---
Comment 11•9 years ago (Assignee)
Comment on attachment 8649995 [details] [diff] [review]
Add diagnostic asserts
Requesting security approval to land the debug asserts I added for testing. We're unable to reproduce the original report, so I just want this for better reporting should something similar come up in the future.
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
We add guards, but the crash is no longer reproducible.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The commit message just mentions diagnostic asserts with no details.
Which older supported branches are affected by this flaw?
None as far as we can tell.
If not all supported branches, which bug introduced the flaw?
N/A
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Backport will be straightforward. I don't propose to do that though.
How likely is this patch to cause regressions; how much testing does it need?
Changes are debug-only and don't affect release code behaviour.
Attachment #8649995 - Flags: sec-approval?
Comment 12•9 years ago
(In reply to Ralph Giles (:rillian) from comment #11)
> Which older supported branches are affected by this flaw?
>
> None as far as we can tell.
This is trunk only?
Comment 13•9 years ago
Because, if it is only on trunk and we need no patches anywhere else, we don't need sec-approval. See https://wiki.mozilla.org/Security/Bug_Approval_Process
Updated•9 years ago
Group: core-security → media-core-security
Updated•9 years ago
Flags: needinfo?(giles)
Comment 14•9 years ago (Assignee)
Yes, this is trunk-only. I wasn't sure if the diagnostics were something we'd worry about as signalling an issue.
Flags: needinfo?(giles)
Comment 15•9 years ago (Assignee)
Comment on attachment 8649995 [details] [diff] [review]
Add diagnostic asserts
Removing sec-approval? per comment #13.
Attachment #8649995 - Flags: sec-approval?
Comment 16•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/bd04c5f21ca25c4b96cf86261e251f37c45bd12f
Bug 1186715 - Add diagnostic asserts. r=k17e
Updated•9 years ago (Assignee)
Assignee: jyavenard → giles
Comment 17•9 years ago
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Updated•9 years ago
Group: media-core-security → core-security-release
Comment 18•9 years ago
Not tracking: cf comment #14
Updated•9 years ago
Group: core-security-release