Closed Bug 1572541 Opened 5 years ago Closed 4 years ago

mp4 file triggers crash on Android

Categories

(Core :: Audio/Video: Playback, defect, P2)

Unspecified
Android
defect

Tracking

VERIFIED FIXED
mozilla76
Tracking Status
firefox-esr68 75+ verified
firefox70 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed
firefox76 --- fixed

People

(Reporter: tsmith, Assigned: jhlin)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [adv-main75+r][adv-esr68.7+r])

Attachments

(3 files)

Attached video testcase.mp4 (deleted) —

Found with m-c:
BuildID=20190806161505
SourceStamp=747f5a90f7d8a627d157b6b21861a8ec309d31b7

Fuzzing on Android is under development; tools to automatically collect stacks are not 100% yet.

eip = 0xea2aeeab   esp = 0x607fa948   ebp = 0x607fa968   ebx = 0x85bf7d60
esi = 0x98df8680   edi = 0xa0d43080   eax = 0x6d8db000   ecx = 0x00002763
edx = 0x9d3ea000   efl = 0x00210202
OS|Android|0.0.0 Linux 4.4.124+ #1 SMP PREEMPT Wed Jan 30 07:13:09 UTC 2019 i686
CPU|x86|GenuineIntel family 6 model 6 stepping 3|4
GPU|||
Crash|SIGSEGV|0x9d3ec753|60
60|0|libc.so||||0x1aeab
60|1|libart.so||||0x634318
60|2|||||0x9d3ea000
60|3|dalvik-main space (region space) (deleted)||||0x783080
60|4|||||0x9d3ea000
60|5|dalvik-main space (region space) (deleted)||||0x802088
60|6|dalvik-main space (region space) (deleted)||||0x783080
60|7|dalvik-jit-code-cache (deleted)||||0xae197
60|8|dalvik-LinearAlloc (deleted)||||0x10518
60|9|dalvik-main space (region space) (deleted)||||0x8020d0
60|10|system@framework@boot-framework.art||||0x19d90
60|11|dalvik-jit-code-cache (deleted)||||0xcd9
60|12|dalvik-main space (region space) (deleted)||||0x8020d0
60|13|||||0x9d3ea000
60|14|dalvik-main space (region space) (deleted)||||0x801e88
60|15|dalvik-jit-code-cache (deleted)||||0x6f619
60|16|dalvik-main space (region space) (deleted)||||0x801e30
60|17|dalvik-main space (region space) (deleted)||||0x802088
60|18|system@framework@boot-framework.art||||0x19d90
60|19|dalvik-jit-code-cache (deleted)||||0xadd3d
60|20|dalvik-LinearAlloc (deleted)||||0x19520
60|21|dalvik-main space (region space) (deleted)||||0x802088
60|22|dalvik-main space (region space) (deleted)||||0x1368000
60|23|system@framework@boot-framework.art||||0x19d90
60|24|dalvik-main space (region space) (deleted)||||0x5c1cc0
60|25|dalvik-main space (region space) (deleted)||||0x801d50
60|26|dalvik-main space (region space) (deleted)||||0x801e30
60|27|dalvik-jit-code-cache (deleted)||||0x9e111
60|28|dalvik-LinearAlloc (deleted)||||0x19590
60|29|dalvik-main space (region space) (deleted)||||0x801e20
60|30|dalvik-main space (region space) (deleted)||||0x783080
60|31|boot-framework.vdex||||0xa55c95
60|32|libart.so||||0x6f286c
60|33|libart.so||||0x6f286c
60|34|libart.so||||0x6f286c
60|35|base.vdex||||0x3a2250
60|36|system@framework@boot-framework.art||||0x1e57d8
60|37|||||0x98df8680
60|38|libart.so||||0x643dab
60|39|dalvik-LinearAlloc (deleted)||||0x19590
60|40|libart.so||||0x6f286c
60|41|libart.so||||0x644052
60|42|libart.so||||0xc785a
60|43|libxul.so|long long mozilla::jni::Method<mozilla::java::CodecProxy::Input_t, long long>::Call<mozilla::jni::Ref<mozilla::jni::ByteBuffer, _jobject*>, mozilla::jni::Ref<mozilla::jni::Object, _jobject*>, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> >(mozilla::jni::Context<mozilla::java::CodecProxy, _jobject*> const&, nsresult*, mozilla::jni::Ref<mozilla::jni::ByteBuffer, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&)|hg:hg.mozilla.org/mozilla-central:widget/android/jni/Accessors.h:747f5a90f7d8a627d157b6b21861a8ec309d31b7|114|0x12
60|44|libxul.so|mozilla::java::CodecProxy::Input(mozilla::jni::Ref<mozilla::jni::ByteBuffer, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&) const|s3:gecko-generated-sources:271e456bc2ee3cc00dc37842ca08182a8ab764498cfcca2e89b48b6868582699a7cfc834897140b5a017ba3b6143b167025372e0d38ba6527a94e8a5a98a58db/widget/android/GeneratedJNIWrappers.cpp:|1749|0x15
60|45|libxul.so|mozilla::RemoteDataDecoder::ProcessDecode(mozilla::MediaRawData*)|hg:hg.mozilla.org/mozilla-central:dom/media/platforms/android/RemoteDataDecoder.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|744|0xf
60|46|libxul.so|mozilla::RemoteAudioDecoder::Decode(mozilla::MediaRawData*)::{lambda()#1}::operator()() const|hg:hg.mozilla.org/mozilla-central:dom/media/platforms/android/RemoteDataDecoder.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|388|0x1b
60|47|libxul.so|mozilla::detail::ProxyFunctionRunnable<mozilla::RemoteAudioDecoder::Decode(mozilla::MediaRawData*)::{lambda()#1}, mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> >::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/MozPromise.h:747f5a90f7d8a627d157b6b21861a8ec309d31b7|1440|0x15
60|48|libxul.so|mozilla::TaskQueue::Runner::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskQueue.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|199|0x10
60|49|libxul.so|nsThreadPool::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadPool.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|244|0x13
60|50|libxul.so|non-virtual thunk to nsThreadPool::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadPool.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|0|0x1f
60|51|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|1224|0x16
60|52|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|486|0x11
60|53|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|333|0x10
60|54|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:747f5a90f7d8a627d157b6b21861a8ec309d31b7|315|0x16
60|55|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:747f5a90f7d8a627d157b6b21861a8ec309d31b7|290|0xb
60|56|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|458|0x13
60|57|libnss3.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:747f5a90f7d8a627d157b6b21861a8ec309d31b7|198|0x9
60|58|libc.so||||0x9cce6
60|59|libc.so||||0x33c1c
60|60|libc.so||||0x1fa27
60|61|libc.so||||0x9ccb0
60|62|libnss3.so|pt_recvfrom_cont|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptio.c:747f5a90f7d8a627d157b6b21861a8ec309d31b7|0|0x5
Flags: in-testsuite?

John could you please have a brief look what is going on here?

Flags: needinfo?(jolin)
Priority: -- → P2

sec-low on the assumption this is more of a DoS. Maybe if we get ASAN builds we will find out if this is worse than it looks.

Flags: needinfo?(twsmith)
Keywords: sec-low
Attached file asan_log.txt (deleted) —

Not sure if this is much more helpful, but it appears we are crashing in a call to memcpy which could be bad.

Flags: needinfo?(twsmith)

This is a buffer overrun. CodecProxy stores a list of seen SampleBuffers and reuses them to avoid shared memory allocation for each input data, but it fails to check whether the input size exceeds the buffer capacity.

Assignee: nobody → jolin
Flags: needinfo?(jolin)
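The pattern described in the comment above, as an added example that is not Gecko code and not the patch that fixed this bug: a proxy keeps one previously used sample buffer and reuses it for the next input, and the unfixed path copies the new sample into it without checking that it fits. `BufferReuseModel`, `SampleBuffer`, `overrunBytes`, `kMaxSampleBytes` and the sample sizes are all hypothetical. The model exposes how far an unchecked copy would overrun, and its hardened `input()` path grows the buffer when the sample does not fit and rejects sizes above a sanity cap, so a size declared by a malformed file cannot drive either an overrun or an unbounded allocation.

```cpp
// Added example, not Gecko code: a minimal model of the buffer-reuse pattern
// the comment above describes. All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Pooled sample buffer: backing allocation plus the length of the payload
// currently stored in it.
struct SampleBuffer {
    std::vector<uint8_t> storage;
    size_t size = 0;
    explicit SampleBuffer(size_t capacity) : storage(capacity) {}
    size_t capacity() const { return storage.size(); }
};

// Stand-in for a decoder proxy that reuses one shared buffer across inputs.
class BufferReuseModel {
public:
    // Upper bound on a single sample, chosen for this example. A hardened
    // path should reject sizes above some sane limit rather than grow without
    // bound on a size taken from a malformed file.
    static constexpr size_t kMaxSampleBytes = 1u << 20;

    explicit BufferReuseModel(size_t initialCapacity) : buf_(initialCapacity) {}

    // How many bytes the unchecked reuse path would write past the end of the
    // reused buffer for an input of inputLen bytes. Non-zero means a memcpy
    // of the whole sample into that buffer overruns the allocation.
    static size_t overrunBytes(const SampleBuffer& buf, size_t inputLen) {
        return inputLen > buf.capacity() ? inputLen - buf.capacity() : 0;
    }

    // Hardened input path: reject oversize samples, grow the reused buffer
    // when the sample does not fit, then copy. Returns false on rejection.
    bool input(const uint8_t* data, size_t len) {
        if (len > kMaxSampleBytes) {
            return false;
        }
        if (len > buf_.capacity()) {
            buf_.storage.resize(len);  // reallocate instead of overrunning
            ++reallocations_;
        }
        if (len > 0) {
            std::memcpy(buf_.storage.data(), data, len);
        }
        buf_.size = len;
        return true;
    }

    size_t capacity() const { return buf_.capacity(); }
    size_t size() const { return buf_.size; }
    size_t reallocations() const { return reallocations_; }

private:
    SampleBuffer buf_;
    size_t reallocations_ = 0;
};

// Walk the scenario: a 16-byte buffer that fits the first sample, then a
// constructed oversize sample of the kind a malformed file can declare.
// Returns the overrun the unchecked path would have produced.
size_t runScenario() {
    BufferReuseModel model(16);
    std::vector<uint8_t> first(16, 0xAA);     // constructed sample
    std::vector<uint8_t> oversize(64, 0xBB);  // constructed oversize sample
    model.input(first.data(), first.size());
    SampleBuffer snapshot(model.capacity());
    size_t overrun = BufferReuseModel::overrunBytes(snapshot, oversize.size());
    model.input(oversize.data(), oversize.size());  // hardened path grows it
    return overrun;
}

int main() {
    std::printf("unchecked reuse would overrun by %zu bytes\n", runScenario());
    return 0;
}
```

The reallocation counter is there to make the trade-off visible: reusing buffers avoids an allocation per sample, and the fix only costs an allocation when a sample is larger than anything seen before, so the check is cheap relative to the overrun it prevents.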

Please nominate this for Beta uplift when you get a chance.

Comment on attachment 9132677 [details]
Bug 1572541 - ensure buffer capacity. r?bryce

Beta/Release Uplift Approval Request

  • User impact if declined: Content process crashes when playing malformed content.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It is a very simple change.
  • String changes made/needed:
Flags: needinfo?(jolin)
Attachment #9132677 - Flags: approval-mozilla-beta?

Comment on attachment 9132677 [details]
Bug 1572541 - ensure buffer capacity. r?bryce

Fixes a crash. Approved for 75.0b5.

Attachment #9132677 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

updating rating per Tyson's ASAN trace and comment 6 (not to mention the patch).

This code exists on the ESR68 tree and the movie crashes Fennec also: bp-823c530a-c8a9-4114-927d-c9d910200316

Is it the same crash or does Fennec use something else that just happens to also die with this testcase? (setting status flags assuming the worst)

(In reply to Daniel Veditz [:dveditz] from comment #13)

updating rating per Tyson's ASAN trace and comment 6 (not to mention the patch).

This code exists on the ESR68 tree and the movie crashes Fennec also: bp-823c530a-c8a9-4114-927d-c9d910200316

Is it the same crash or does Fennec use something else that just happens to also die with this testcase? (setting status flags assuming the worst)

It is the same. The code is the same, and I clicked the link above and got the same video file that causes the crash.

Flags: needinfo?(jolin)

Given the change in severity, please nominate this for ESR68 approval too.

Flags: needinfo?(jolin)

Comment on attachment 9132677 [details]
Bug 1572541 - ensure buffer capacity. r?bryce

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: A malformed file could cause a buffer overrun and crash the content process.
  • User impact if declined: Web page stops working after playing a malformed video.
  • Fix Landed on Version: 76
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is simple.
  • String or UUID changes made by this patch:
Flags: needinfo?(jolin)
Attachment #9132677 - Flags: approval-mozilla-esr68?

Comment on attachment 9132677 [details]
Bug 1572541 - ensure buffer capacity. r?bryce

Approved for 68.7esr also.

Attachment #9132677 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+

Thank you @Petru!
Verified as fixed on 68.7esr build with Google Pixel 4 XL (Android 10) and Samsung Galaxy S10+ (Android 10).
Note that when opening the corrupted video no crash occurred and the "Video can't be played because the file is corrupt." text was displayed on the video.

Status: RESOLVED → VERIFIED
Whiteboard: [adv-main75+r]
Whiteboard: [adv-main75+r] → [adv-main75+r][adv-esr68.7+r]
Group: core-security-release