Closed
Bug 1351123
Opened 8 years ago
Closed 5 years ago
Stagefright: Assertion failure in [@ mp4_demuxer::AnnexB::ConvertSPSOrPPS(mp4_demuxer::ByteReader &,unsigned char,mozilla::MediaByteBuffer *)]
Categories
(Core :: Audio/Video: Playback, defect, P3)
Core
Audio/Video: Playback
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
Assertion failure: false, at /home/worker/workspace/build/src/media/libstagefright/binding/include/mp4_demuxer/ByteReader.h:195
Found with mozilla-central asan debug buildID=20170327212148
Looks like this could possibly trigger an invalid read, marking s-s
==64853==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe7117bf777 bp 0x7fe6dcd48110 sp 0x7fe6dcd48110 T54)
==64853==The signal is caused by a WRITE memory access.
==64853==Hint: address points to the zero page.
#0 0x7fe7117bf776 in mp4_demuxer::ByteReader::PeekU8() /home/worker/workspace/build/src/media/libstagefright/binding/include/mp4_demuxer/ByteReader.h:195:7
#1 0x7fe7117c7429 in mp4_demuxer::H264::DecodePPSDataSetFromExtraData(mozilla::MediaByteBuffer const*, AutoTArray<mp4_demuxer::SPSData, 32ul> const&, AutoTArray<mp4_demuxer::PPSData, 256ul>&) /home/worker/workspace/build/src/media/libstagefright/binding/H264.cpp:737:17
#2 0x7fe7117c6d58 in mp4_demuxer::H264::DecodeSPSFromExtraData(mozilla::MediaByteBuffer const*, mp4_demuxer::SPSData&) /home/worker/workspace/build/src/media/libstagefright/binding/H264.cpp:616:7
#3 0x7fe715f3e710 in mozilla::AccumulateSPSTelemetry(mozilla::MediaByteBuffer const*) /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:84:7
#4 0x7fe715f402c3 in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MP4Demuxer*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mp4_demuxer::IndiceWrapper const&) /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:288:28
#5 0x7fe715f3efe6 in mozilla::MP4Demuxer::Init() /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:173:35
#6 0x7fe715ac41a5 in mozilla::MediaFormatReader::DemuxerProxy::Init()::$_10::operator()() const /home/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1008:47
...
see log.txt
Reporter | Comment 1 • 8 years ago
Reporter | Updated • 8 years ago
Flags: in-testsuite?
It's just a `MOZ_ASSERT(false)`, which does `*((volatile int*) NULL) = line;` (i.e., writing the line number at 0x0) in debug builds to force a crash.
So this is not a sec issue.
The problem is in H264.cpp:737, reader->ReadU32() probably goes too far.
There don't seem to be any size checks before Peeks & Reads!
We need more `reader->Remaining() >= n` or `!reader->Peek(n)` checks.
Or functions like ReadU32() could return Maybe<...>. That would be much more work to rework all calls, but would give better peace of mind. (Alternatively, we could add ByteReader::TryU32(), so we can limit changes for now.)
Jean-Yves, you wrote most of this last year; any recommendations regarding solutions?
Group: media-core-security
Flags: needinfo?(jyavenard)
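To illustrate the two mitigations proposed in the comment above (an explicit `Remaining()`/`Peek(n)` check before every read, and `Try*` readers that return a `Maybe`-style value so a short buffer becomes a handled error rather than an assertion and a zero-page write), here is an added example. It is not Mozilla's `mp4_demuxer::ByteReader` or any code from this bug; `CheckedByteReader`, its `TryRead*` methods and `ParseParameterSets` are hypothetical names, `std::optional` stands in for `mozilla::Maybe`, and the length-prefixed parameter-set layout and sample buffers are constructed for the example, not the real avcC/Annex B format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Hypothetical minimal byte reader (not mp4_demuxer::ByteReader): every
// Peek/Read is bounds-checked against Remaining(), and the Try* readers
// return std::optional (standing in for mozilla::Maybe) so the caller must
// handle a truncated buffer instead of relying on a MOZ_ASSERT.
class CheckedByteReader {
public:
  CheckedByteReader(const uint8_t* data, size_t size)
    : mPtr(data), mEnd(data + size) {}

  size_t Remaining() const { return static_cast<size_t>(mEnd - mPtr); }

  // Peek without consuming; nullptr when fewer than n bytes are left.
  const uint8_t* Peek(size_t n) const {
    return Remaining() >= n ? mPtr : nullptr;
  }

  std::optional<uint8_t> TryReadU8() {
    if (!Peek(1)) return std::nullopt;
    return *mPtr++;
  }

  std::optional<uint16_t> TryReadU16() {  // big-endian
    if (!Peek(2)) return std::nullopt;
    uint16_t v = static_cast<uint16_t>((mPtr[0] << 8) | mPtr[1]);
    mPtr += 2;
    return v;
  }

  std::optional<uint32_t> TryReadU32() {  // big-endian
    if (!Peek(4)) return std::nullopt;
    uint32_t v = (uint32_t(mPtr[0]) << 24) | (uint32_t(mPtr[1]) << 16) |
                 (uint32_t(mPtr[2]) << 8) | uint32_t(mPtr[3]);
    mPtr += 4;
    return v;
  }

  // Consume n bytes and return a pointer to them, or nullptr if short.
  const uint8_t* TryRead(size_t n) {
    const uint8_t* p = Peek(n);
    if (p) mPtr += n;
    return p;
  }

private:
  const uint8_t* mPtr;
  const uint8_t* mEnd;
};

// Constructed, simplified parameter-set layout (not the real avcC/Annex B
// layout): one count byte, then `count` entries of a 2-byte big-endian
// length followed by that many payload bytes. Returns the payload sizes, or
// nullopt if the buffer ends early anywhere; it never reads past the end.
std::optional<std::vector<size_t>>
ParseParameterSets(const std::vector<uint8_t>& extradata) {
  CheckedByteReader reader(extradata.data(), extradata.size());
  std::vector<size_t> sizes;

  auto count = reader.TryReadU8();
  if (!count) return std::nullopt;           // empty buffer

  for (uint8_t i = 0; i < *count; ++i) {
    auto len = reader.TryReadU16();          // length prefix may be missing
    if (!len) return std::nullopt;
    if (!reader.TryRead(*len)) return std::nullopt;  // payload truncated
    sizes.push_back(*len);
  }
  return sizes;
}

// Constructed sample inputs.
const std::vector<uint8_t> kWellFormed = {
  0x02,                          // two parameter sets
  0x00, 0x03, 0x67, 0x42, 0x00,  // 3-byte entry
  0x00, 0x01, 0x68               // 1-byte entry
};
const std::vector<uint8_t> kTruncated = {
  0x02,
  0x00, 0x03, 0x67, 0x42, 0x00,
  0x00, 0x05, 0x68               // claims 5 bytes, only 1 present
};

int main() {
  auto ok = ParseParameterSets(kWellFormed);
  std::printf("well-formed: %s, %zu entries\n",
              ok ? "parsed" : "rejected", ok ? ok->size() : 0);
  auto bad = ParseParameterSets(kTruncated);
  std::printf("truncated: %s\n", bad ? "parsed" : "rejected");
  return 0;
}
```

The point of the `Try*` shape is that a fuzzed or malformed extradata blob (like the attached test case) ends in a rejected sample, while a reader whose `ReadU32()` asserts on a short buffer turns the same input into a debug-build crash and, in a build without the assertion, an out-of-bounds read.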
Comment 3 • 8 years ago
Yes...
Remove all the PPS parsing related code, we don't use it.
Flags: needinfo?(jyavenard)
Updated • 7 years ago
Priority: -- → P3
Comment 4 • 7 years ago
Still reproducible on trunk.
Has Regression Range: --- → no
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → wontfix
Comment 5 • 7 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #4)
> Still reproducible on trunk.
Doubtful it has the same stack trace, seeing that this code no longer exists...
DecodePPSDataSetFromExtraData was completely removed.
Comment 6 • 7 years ago
Stack from m-c tip:
Assertion failure: false, at z:/build/build/src/media/libstagefright/binding/AnnexB.cpp:128
#01: mp4_demuxer::AnnexB::ConvertSPSOrPPS(mp4_demuxer::ByteReader &,unsigned char,mozilla::MediaByteBuffer *) [media/libstagefright/binding/AnnexB.cpp:128]
#02: mp4_demuxer::AnnexB::ConvertExtraDataToAnnexB(mozilla::MediaByteBuffer const *) [media/libstagefright/binding/AnnexB.cpp:111]
#03: mp4_demuxer::AnnexB::ConvertSampleToAnnexB(mozilla::MediaRawData *,bool) [media/libstagefright/binding/AnnexB.cpp:68]
#04: mozilla::H264Converter::Decode(mozilla::MediaRawData *) [dom/media/platforms/wrappers/H264Converter.cpp:123]
#05: mozilla::MediaFormatReader::DecoderFactory::Wrapper::Decode(mozilla::MediaRawData *) [dom/media/MediaFormatReader.cpp:625]
#06: mozilla::MediaFormatReader::DecodeDemuxedSamples(mozilla::TrackInfo::TrackType,mozilla::MediaRawData *) [dom/media/MediaFormatReader.cpp:2016]
#07: mozilla::MediaFormatReader::HandleDemuxedSamples(mozilla::TrackInfo::TrackType,mozilla::FrameStatistics::AutoNotifyDecoded &) [dom/media/MediaFormatReader.cpp:2132]
#08: mozilla::MediaFormatReader::Update(mozilla::TrackInfo::TrackType) [dom/media/MediaFormatReader.cpp:2492]
#09: mozilla::detail::RunnableMethodImpl<mozilla::MediaFormatReader * const,void ( mozilla::MediaFormatReader::*)(mozilla::TrackInfo::TrackType),1,0,mozilla::TrackInfo::TrackType>::Run() [xpcom/threads/nsThreadUtils.h:1195]
#10: mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() [xpcom/threads/TaskDispatcher.h:212]
#11: mozilla::TaskQueue::Runner::Run() [xpcom/threads/TaskQueue.cpp:247]
#12: nsThreadPool::Run() [xpcom/threads/nsThreadPool.cpp:230]
#13: nsThread::ProcessNextEvent(bool,bool *) [xpcom/threads/nsThread.cpp:1038]
#14: NS_ProcessNextEvent(nsIThread *,bool) [xpcom/threads/nsThreadUtils.cpp:524]
#15: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate *) [ipc/glue/MessagePump.cpp:338]
#16: MessageLoop::RunInternal() [ipc/chromium/src/base/message_loop.cc:326]
#17: MessageLoop::RunHandler() [ipc/chromium/src/base/message_loop.cc:320]
#18: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:300]
#19: nsThread::ThreadFunc(void *) [xpcom/threads/nsThread.cpp:427]
#20: _PR_NativeRunThread [nsprpub/pr/src/threads/combined/pruthr.c:397]
#21: pr_root [nsprpub/pr/src/md/windows/w95thred.c:95]
#22: ucrtbase.DLL + 0x3d5ef
#23: kernel32.dll + 0x53c45
#24: patched_BaseThreadInitThunk [mozglue/build/WindowsDllBlocklist.cpp:824]
#25: ntdll.dll + 0x637f5
#26: ntdll.dll + 0x637c8
Summary: Stagefright: Assertion failure in [@ mp4_demuxer::H264::DecodePPSDataSetFromExtraData] → Stagefright: Assertion failure in [@ mp4_demuxer::AnnexB::ConvertSPSOrPPS(mp4_demuxer::ByteReader &,unsigned char,mozilla::MediaByteBuffer *)]
Comment 7 • 7 years ago
status-firefox59: --- → ?
Comment 8 • 5 years ago
libstagefright is gone.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX