Bug 1351196: Use of uninitialized memory in libavcodec-ffmpeg
Status: Closed (opened 8 years ago, closed 7 years ago)
Categories: Core :: Audio/Video: Playback, defect, P1
Tracking: RESOLVED INVALID

Tracking | Status
---|---
firefox55 | affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: csectype-uninitialized, sec-moderate, testcase
Attachments (1 file): video/mp4 testcase (deleted)
Found using Valgrind with mozilla-central build:
20170328001342
https://hg.mozilla.org/mozilla-central/rev/5182b2c4b963ed87d038c7d9a4021463917076cd
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-valgrind-opt
Conditional jump or move depends on uninitialised value(s)
at 0x3D5FCC18: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
by 0x3D5FCF58: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
by 0x3D5FDE2F: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
by 0x3D5FEC2A: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
by 0x3D41CD61: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
by 0x3D8AE0B5: ??? (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
by 0x3D98B497: avcodec_open2 (in /usr/lib/x86_64-linux-gnu/libavcodec-ffmpeg.so.56.60.100)
by 0x12418425: mozilla::FFmpegDataDecoder<55>::InitDecoder() (FFmpegDataDecoder.cpp:77)
by 0x12419707: mozilla::FFmpegVideoDecoder<55>::Init() (FFmpegVideoDecoder.cpp:122)
by 0x1240295B: mozilla::H264Converter::Init() (H264Converter.cpp:47)
by 0x1234F4CE: mozilla::MediaFormatReader::DecoderFactory::Wrapper::Init() (MediaFormatReader.cpp:545)
by 0x1237537A: mozilla::MediaFormatReader::DecoderFactory::DoInitDecoder(mozilla::MediaFormatReader::DecoderFactory::Data&) (MediaFormatReader.cpp:727)
Uninitialised value was created by a heap allocation
at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x405730: moz_xrealloc (mozalloc.cpp:105)
by 0x11335EC4: Realloc (nsTArray.h:211)
by 0x11335EC4: nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) (nsTArray-inl.h:183)
by 0x124183D6: AppendElements<nsTArrayInfallibleAllocator> (nsTArray.h:1622)
by 0x124183D6: mozilla::FFmpegDataDecoder<55>::InitDecoder() (FFmpegDataDecoder.cpp:67)
by 0x12419707: mozilla::FFmpegVideoDecoder<55>::Init() (FFmpegVideoDecoder.cpp:122)
by 0x1240295B: mozilla::H264Converter::Init() (H264Converter.cpp:47)
by 0x1234F4CE: mozilla::MediaFormatReader::DecoderFactory::Wrapper::Init() (MediaFormatReader.cpp:545)
by 0x1237537A: mozilla::MediaFormatReader::DecoderFactory::DoInitDecoder(mozilla::MediaFormatReader::DecoderFactory::Data&) (MediaFormatReader.cpp:727)
by 0x1238331E: mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&) (MediaFormatReader.cpp:626)
by 0x12384A9C: InvokeCallbackMethod<mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::<lambda(mozilla::MediaFormatReader::DecoderFactory::Token*)>, void (mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::<lambda(mozilla::MediaFormatReader::DecoderFactory::Token*)>::*)(mozilla::GlobalAllocPolicy::Token*) const, const RefPtr<mozilla::GlobalAllocPolicy::Token>&> (MozPromise.h:477)
by 0x12384A9C: mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::FunctionThenValue<mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::{lambda(mozilla::GlobalAllocPolicy::Token*)#1}, mozilla::MediaFormatReader::DecoderFactory::RunStage(mozilla::MediaFormatReader::DecoderFactory::Data&)::{lambda()#2}>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ResolveOrRejectValue const&) (MozPromise.h:628)
by 0x123827C2: mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ResolveOrRejectValue const&) (MozPromise.h:433)
by 0x123828DB: mozilla::MozPromise<RefPtr<mozilla::GlobalAllocPolicy::Token>, bool, true>::ThenValueBase::ResolveOrRejectRunnable::Run() (MozPromise.h:339)
Flags: in-testsuite?
Comment 1 • 8 years ago
Guessing sec-moderate, though if the conditions are right memory can be manipulated to force a useful value into the uninitialized slot.
Keywords: sec-moderate
I think Jean-Yves would be better able to deal with this.
(Jean-Yves, please reassign to me if you don't have time -- but I'm quite busy too at the moment!)
Flags: needinfo?(gsquelart) → needinfo?(jyavenard)
Comment 5 • 8 years ago
Can't reproduce with current ffmpeg
Updated • 7 years ago
Flags: needinfo?(twsmith)
Priority: -- → P1
Reporter
Comment 6 • 7 years ago
I cannot reproduce this with the latest FFmpeg
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(twsmith)
Resolution: --- → INVALID
Updated • 5 years ago
Group: media-core-security