Closed
Bug 1351098
Opened 8 years ago
Closed 7 years ago
Stagefright: Assertion failure in [@ mp4_demuxer::Edts::Edts]
Categories
(Core :: Audio/Video: Playback, defect, P3)
RESOLVED
DUPLICATE
of bug 1387793
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
(deleted),
video/mp4
Assertion failure: false, at /home/worker/workspace/build/src/media/libstagefright/binding/include/mp4_demuxer/ByteReader.h:129
Found with mozilla-central asan debug buildID=20170327212148
Looks like this could possibly trigger an invalid read, marking s-s
==59547==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f72293c7a8a bp 0x7f71f49f6b30 sp 0x7f71f49f6b30 T55)
==59547==The signal is caused by a WRITE memory access.
==59547==Hint: address points to the zero page.
#0 0x7f72293c7a89 in mp4_demuxer::ByteReader::ReadU32() /home/worker/workspace/build/src/media/libstagefright/binding/include/mp4_demuxer/ByteReader.h:129:7
#1 0x7f72293e96a7 in mp4_demuxer::Edts::Edts(mp4_demuxer::Box&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:836:34
#2 0x7f72293e3992 in mp4_demuxer::MoofParser::ParseTrak(mp4_demuxer::Box&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:271:15
#3 0x7f72293e1f4d in mp4_demuxer::MoofParser::ParseMoov(mp4_demuxer::Box&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:251:7
#4 0x7f72293e172c in mp4_demuxer::MoofParser::RebuildFragmentedIndex(mp4_demuxer::BoxContext&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:50:7
#5 0x7f72293d70c3 in mp4_demuxer::MoofParser::RebuildFragmentedIndex(mozilla::media::IntervalSet<long> const&) /home/worker/workspace/build/src/media/libstagefright/binding/MoofParser.cpp:38:10
#6 0x7f722db4a95b in mozilla::MP4TrackDemuxer::EnsureUpToDateIndex() /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:322:11
#7 0x7f722db4a1fd in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MP4Demuxer*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mp4_demuxer::IndiceWrapper const&) /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:279:3
#8 0x7f722db48fe6 in mozilla::MP4Demuxer::Init() /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:173:35
#9 0x7f722d6ce1a5 in mozilla::MediaFormatReader::DemuxerProxy::Init()::$_10::operator()() const /home/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1008:47
...
see log.txt
Reporter
Comment 1•8 years ago
Assignee: nobody → twsmith
Reporter
Updated•8 years ago
Flags: in-testsuite?
Reporter
Updated•8 years ago
Assignee: twsmith → nobody
Reporter
Updated•8 years ago
Summary: Stagefright: Assertion failure in [@ mp4_demuxer::ByteReader::ReadU32] → Stagefright: Assertion failure in [@ mp4_demuxer::Edts::Edts]
It's just a `MOZ_ASSERT(false)`, which does `*((volatile int*) NULL) = line;` (i.e., writing the line number at 0x0) in debug builds to force a crash.
So this is not a sec issue.
The problem is in MoofParser.cpp:836, reader->ReadU32() probably goes too far.
The test at line 821 above may be incorrect, or we need another kind of check here.
Group: media-core-security
We should probably just remove the assertion from ByteReader.
Updated•7 years ago
Priority: -- → P3
Comment 4•7 years ago
(:kentuckyfriedtakahe, :k17e) from comment #3)
> We should probably just remove the assertion from ByteReader.
Looks like bug 1387793 took care of that.
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
affected → ---
Flags: in-testsuite? → in-testsuite-
Resolution: --- → DUPLICATE
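The failure mode discussed in the comments above (a box parser asking the reader for more bytes than the payload holds, and the reader asserting) is shown here as an added example; it is not Mozilla's code and not part of the bug thread. `CheckedReader`, `ParseElst` and `EditEntry` are hypothetical names, and the `elst` field layout assumed is the one from ISO/IEC 14496-12.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical reader: a short read returns false instead of asserting.
class CheckedReader {
 public:
  CheckedReader(const uint8_t* aData, size_t aLen) : mPtr(aData), mLeft(aLen) {}
  size_t Remaining() const { return mLeft; }
  bool Skip(size_t aN) {
    if (aN > mLeft) return false;
    mPtr += aN; mLeft -= aN;
    return true;
  }
  // Reads aN (1..8) big-endian bytes into aOut; the cursor stays put on failure.
  bool ReadBE(size_t aN, uint64_t& aOut) {
    if (aN > mLeft) return false;
    aOut = 0;
    for (size_t i = 0; i < aN; ++i) aOut = (aOut << 8) | mPtr[i];
    return Skip(aN);
  }
 private:
  const uint8_t* mPtr;
  size_t mLeft;
};

struct EditEntry { uint64_t segmentDuration; int64_t mediaTime; };

// Parses an 'elst' payload: version(1) flags(3) entry_count(4), then per entry
// duration + media_time (4 bytes each for v0, 8 for v1) and a 4-byte media rate.
bool ParseElst(const uint8_t* aData, size_t aLen, std::vector<EditEntry>& aOut) {
  CheckedReader r(aData, aLen);
  uint64_t version = 0, count = 0;
  if (!r.ReadBE(1, version) || version > 1 || !r.Skip(3)) return false;
  if (!r.ReadBE(4, count)) return false;
  const size_t field = (version == 1) ? 8 : 4;
  // Check the untrusted count against the bytes left before reading any entry.
  if (count > r.Remaining() / (2 * field + 4)) return false;
  aOut.clear();
  for (uint64_t i = 0; i < count; ++i) {
    uint64_t dur = 0, time = 0;
    if (!r.ReadBE(field, dur) || !r.ReadBE(field, time) || !r.Skip(4)) return false;
    // media_time is signed; sign-extend the 32-bit form used by version 0.
    int64_t signedTime = (field == 4) ? static_cast<int32_t>(static_cast<uint32_t>(time))
                                      : static_cast<int64_t>(time);
    aOut.push_back(EditEntry{dur, signedTime});
  }
  return true;
}
```

A malformed box then makes `ParseElst` return false in debug and release builds alike, so the caller can reject the track rather than crash.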