mp4 file triggers crash on Android
Categories: Core :: Audio/Video: Playback, defect, P2
People: Reporter: tsmith, Assigned: jhlin
References: Blocks 1 open bug
Details: 5 keywords, Whiteboard: [adv-main75+r][adv-esr68.7+r]
Attachments (3 files)
(deleted), video/mp4
(deleted), text/plain
(deleted), text/x-phabricator-request
  RyanVM: approval-mozilla-beta+
  RyanVM: approval-mozilla-esr68+
Found with m-c:
BuildID=20190806161505
SourceStamp=747f5a90f7d8a627d157b6b21861a8ec309d31b7
Fuzzing on Android is under development; tools to automatically collect stacks are not 100% yet.
eip = 0xea2aeeab esp = 0x607fa948 ebp = 0x607fa968 ebx = 0x85bf7d60
esi = 0x98df8680 edi = 0xa0d43080 eax = 0x6d8db000 ecx = 0x00002763
edx = 0x9d3ea000 efl = 0x00210202
OS|Android|0.0.0 Linux 4.4.124+ #1 SMP PREEMPT Wed Jan 30 07:13:09 UTC 2019 i686
CPU|x86|GenuineIntel family 6 model 6 stepping 3|4
GPU|||
Crash|SIGSEGV|0x9d3ec753|60
60|0|libc.so||||0x1aeab
60|1|libart.so||||0x634318
60|2|||||0x9d3ea000
60|3|dalvik-main space (region space) (deleted)||||0x783080
60|4|||||0x9d3ea000
60|5|dalvik-main space (region space) (deleted)||||0x802088
60|6|dalvik-main space (region space) (deleted)||||0x783080
60|7|dalvik-jit-code-cache (deleted)||||0xae197
60|8|dalvik-LinearAlloc (deleted)||||0x10518
60|9|dalvik-main space (region space) (deleted)||||0x8020d0
60|10|system@framework@boot-framework.art||||0x19d90
60|11|dalvik-jit-code-cache (deleted)||||0xcd9
60|12|dalvik-main space (region space) (deleted)||||0x8020d0
60|13|||||0x9d3ea000
60|14|dalvik-main space (region space) (deleted)||||0x801e88
60|15|dalvik-jit-code-cache (deleted)||||0x6f619
60|16|dalvik-main space (region space) (deleted)||||0x801e30
60|17|dalvik-main space (region space) (deleted)||||0x802088
60|18|system@framework@boot-framework.art||||0x19d90
60|19|dalvik-jit-code-cache (deleted)||||0xadd3d
60|20|dalvik-LinearAlloc (deleted)||||0x19520
60|21|dalvik-main space (region space) (deleted)||||0x802088
60|22|dalvik-main space (region space) (deleted)||||0x1368000
60|23|system@framework@boot-framework.art||||0x19d90
60|24|dalvik-main space (region space) (deleted)||||0x5c1cc0
60|25|dalvik-main space (region space) (deleted)||||0x801d50
60|26|dalvik-main space (region space) (deleted)||||0x801e30
60|27|dalvik-jit-code-cache (deleted)||||0x9e111
60|28|dalvik-LinearAlloc (deleted)||||0x19590
60|29|dalvik-main space (region space) (deleted)||||0x801e20
60|30|dalvik-main space (region space) (deleted)||||0x783080
60|31|boot-framework.vdex||||0xa55c95
60|32|libart.so||||0x6f286c
60|33|libart.so||||0x6f286c
60|34|libart.so||||0x6f286c
60|35|base.vdex||||0x3a2250
60|36|system@framework@boot-framework.art||||0x1e57d8
60|37|||||0x98df8680
60|38|libart.so||||0x643dab
60|39|dalvik-LinearAlloc (deleted)||||0x19590
60|40|libart.so||||0x6f286c
60|41|libart.so||||0x644052
60|42|libart.so||||0xc785a
60|43|libxul.so|long long mozilla::jni::Method<mozilla::java::CodecProxy::Input_t, long long>::Call<mozilla::jni::Ref<mozilla::jni::ByteBuffer, _jobject*>, mozilla::jni::Ref<mozilla::jni::Object, _jobject*>, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> >(mozilla::jni::Context<mozilla::java::CodecProxy, _jobject*> const&, nsresult*, mozilla::jni::Ref<mozilla::jni::ByteBuffer, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&)|hg:hg.mozilla.org/mozilla-central:widget/android/jni/Accessors.h:747f5a90f7d8a627d157b6b21861a8ec309d31b7|114|0x12
60|44|libxul.so|mozilla::java::CodecProxy::Input(mozilla::jni::Ref<mozilla::jni::ByteBuffer, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&, mozilla::jni::Ref<mozilla::jni::Object, _jobject*> const&) const|s3:gecko-generated-sources:271e456bc2ee3cc00dc37842ca08182a8ab764498cfcca2e89b48b6868582699a7cfc834897140b5a017ba3b6143b167025372e0d38ba6527a94e8a5a98a58db/widget/android/GeneratedJNIWrappers.cpp:|1749|0x15
60|45|libxul.so|mozilla::RemoteDataDecoder::ProcessDecode(mozilla::MediaRawData*)|hg:hg.mozilla.org/mozilla-central:dom/media/platforms/android/RemoteDataDecoder.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|744|0xf
60|46|libxul.so|mozilla::RemoteAudioDecoder::Decode(mozilla::MediaRawData*)::{lambda()#1}::operator()() const|hg:hg.mozilla.org/mozilla-central:dom/media/platforms/android/RemoteDataDecoder.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|388|0x1b
60|47|libxul.so|mozilla::detail::ProxyFunctionRunnable<mozilla::RemoteAudioDecoder::Decode(mozilla::MediaRawData*)::{lambda()#1}, mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> >::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/MozPromise.h:747f5a90f7d8a627d157b6b21861a8ec309d31b7|1440|0x15
60|48|libxul.so|mozilla::TaskQueue::Runner::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskQueue.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|199|0x10
60|49|libxul.so|nsThreadPool::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadPool.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|244|0x13
60|50|libxul.so|non-virtual thunk to nsThreadPool::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadPool.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|0|0x1f
60|51|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|1224|0x16
60|52|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|486|0x11
60|53|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|333|0x10
60|54|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:747f5a90f7d8a627d157b6b21861a8ec309d31b7|315|0x16
60|55|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:747f5a90f7d8a627d157b6b21861a8ec309d31b7|290|0xb
60|56|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:747f5a90f7d8a627d157b6b21861a8ec309d31b7|458|0x13
60|57|libnss3.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:747f5a90f7d8a627d157b6b21861a8ec309d31b7|198|0x9
60|58|libc.so||||0x9cce6
60|59|libc.so||||0x33c1c
60|60|libc.so||||0x1fa27
60|61|libc.so||||0x9ccb0
60|62|libnss3.so|pt_recvfrom_cont|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptio.c:747f5a90f7d8a627d157b6b21861a8ec309d31b7|0|0x5
Comment 1 • 5 years ago
John could you please have a brief look what is going on here?
Comment 2 • 5 years ago
Comment 3 • 5 years ago (Reporter)
https://crash-stats.mozilla.org/report/index/02b41bf7-25a3-46cc-81ae-0dac10190815 another from my Pixel XL (1st gen)
Comment 4 • 5 years ago
sec-low on the assumption this is more of a DoS. Maybe if we get ASAN builds we will find out if this is worse than it looks.
Comment 5 • 5 years ago (Reporter)
Not sure if this is much more helpful, but it appears we are crashing in a call to memcpy which could be bad.
Comment 6 • 4 years ago (Assignee)
This is a buffer overrun. CodecProxy stores a list of seen SampleBuffers and reuses them to avoid shared memory allocation for each input data, but it fails to check whether the input size exceeds the buffer capacity.
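As an added illustration of the defect described in comment 6 (this is not Gecko's code and not the patch attached to this bug), the block below models a pool of fixed-capacity sample buffers that are reused across inputs, with the capacity check that the original code lacked done before any byte is copied. It also shows the range check a decoder should make on the sample's offset and size before the copy, written so that a huge size from a malformed sample table cannot wrap the arithmetic and slip past. The names (SampleBufferPool, SampleBuffer, fitsInBuffer, InputStatus) are hypothetical and the 32-byte stream and sample table are constructed. Refusing an oversized sample rather than allocating a larger buffer is one of the two reasonable fixes; it is consistent with the post-fix behaviour reported later in this bug, where the corrupt file is reported as unplayable instead of crashing the content process.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Outcome of handing one sample to the pool.
enum class InputStatus { Ok, BadRange, SizeExceedsCapacity, NoFreeBuffer };

// Hypothetical fixed-capacity reusable buffer. In Gecko the backing store is
// shared memory handed to the codec; a plain vector is enough to show the check.
struct SampleBuffer {
  std::vector<uint8_t> bytes;
  size_t used = 0;
  bool busy = false;
  explicit SampleBuffer(size_t capacity) : bytes(capacity) {}
  size_t capacity() const { return bytes.size(); }
};

// True only if src[offset, offset+size) lies inside the source AND size fits a
// buffer of `capacity` bytes. Uses subtraction instead of offset + size so a
// bogus size near SIZE_MAX cannot wrap around and pass the comparison.
bool fitsInBuffer(size_t srcLen, size_t offset, size_t size, size_t capacity) {
  if (offset > srcLen || size > srcLen - offset) return false;
  return size <= capacity;
}

class SampleBufferPool {
 public:
  SampleBufferPool(size_t count, size_t capacity) {
    for (size_t i = 0; i < count; ++i) mBuffers.emplace_back(capacity);
  }

  // Copy one sample into an idle pooled buffer. The unchecked variant that
  // comment 6 describes took the first idle buffer and memcpy'd `size` bytes
  // into it regardless of capacity; here an oversized sample is refused before
  // the copy and the caller reports the input as corrupt.
  InputStatus input(const uint8_t* src, size_t srcLen, size_t offset,
                    size_t size, size_t* outIndex) {
    if (offset > srcLen || size > srcLen - offset) return InputStatus::BadRange;
    bool sawIdle = false;
    for (size_t i = 0; i < mBuffers.size(); ++i) {
      SampleBuffer& buf = mBuffers[i];
      if (buf.busy) continue;
      sawIdle = true;
      if (!fitsInBuffer(srcLen, offset, size, buf.capacity())) continue;
      std::memcpy(buf.bytes.data(), src + offset, size);
      buf.used = size;
      buf.busy = true;
      *outIndex = i;
      return InputStatus::Ok;
    }
    return sawIdle ? InputStatus::SizeExceedsCapacity : InputStatus::NoFreeBuffer;
  }

  // Hand a buffer back once the codec has consumed it, making it reusable.
  void release(size_t index) {
    mBuffers.at(index).busy = false;
    mBuffers.at(index).used = 0;
  }

  size_t usedBytes(size_t index) const { return mBuffers.at(index).used; }

 private:
  std::vector<SampleBuffer> mBuffers;
};

// Constructed input: a 32-byte "stream" and a sample table whose last entry
// claims a size larger than any pooled buffer, as a corrupt mp4 might.
// Returns how many samples were accepted; the oversized one must be refused.
size_t runDemo() {
  uint8_t stream[32];
  for (size_t i = 0; i < sizeof(stream); ++i) stream[i] = static_cast<uint8_t>(i);
  struct Sample { size_t offset; size_t size; } table[] = {
      {0, 8}, {8, 8}, {0, 32} /* in range, but exceeds the 8-byte capacity */};
  SampleBufferPool pool(/*count=*/2, /*capacity=*/8);
  size_t accepted = 0;
  for (const Sample& s : table) {
    size_t idx = 0;
    InputStatus st = pool.input(stream, sizeof(stream), s.offset, s.size, &idx);
    if (st != InputStatus::Ok) break;  // surface as a decode error, do not keep going
    ++accepted;
    pool.release(idx);                 // codec consumed it; buffer is reusable again
  }
  return accepted;
}

int main() {
  std::printf("accepted samples: %zu\n", runDemo());  // 2: the third sample is refused
  return 0;
}
```

The refusal path is what turns a memory-safety bug into an ordinary decode error: the pool never writes past a buffer's capacity, so the worst a malformed sample table can do is end playback.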
Comment 7 • 4 years ago (Assignee)
Comment 8 • 4 years ago
https://hg.mozilla.org/integration/autoland/rev/5fbb2ad7039366fcda4f8ec5aa608194b1c16f55
https://hg.mozilla.org/mozilla-central/rev/5fbb2ad70393
Comment 9 • 4 years ago
Please nominate this for Beta uplift when you get a chance.
Comment 10 • 4 years ago (Assignee)
Comment on attachment 9132677
Bug 1572541 - ensure buffer capacity. r?bryce
Beta/Release Uplift Approval Request
- User impact if declined: Content process crashes when playing malformed content.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It is a very simple change.
- String changes made/needed:
Comment 11 • 4 years ago
Comment on attachment 9132677
Bug 1572541 - ensure buffer capacity. r?bryce
Fixes a crash. Approved for 75.0b5.
Comment 12 • 4 years ago
uplift
Comment 13 • 4 years ago
updating rating per Tyson's ASAN trace and comment 6 (not to mention the patch).
This code exists on the ESR68 tree and the movie crashes Fennec also: bp-823c530a-c8a9-4114-927d-c9d910200316
Is it the same crash or does Fennec use something else that just happens to also die with this testcase? (setting status flags assuming the worst)
Comment 14 • 4 years ago (Assignee)
(In reply to Daniel Veditz [:dveditz] from comment #13)
> updating rating per Tyson's ASAN trace and comment 6 (not to mention the patch).
> This code exists on the ESR68 tree and the movie crashes Fennec also: bp-823c530a-c8a9-4114-927d-c9d910200316
> Is it the same crash or does Fennec use something else that just happens to also die with this testcase? (setting status flags assuming the worst)
It is the same. The code is the same, and I clicked the link above and got the same video file that causes the crash.
Comment 15 • 4 years ago
Given the change in severity, please nominate this for ESR68 approval too.
Comment 16 • 4 years ago (Assignee)
Comment on attachment 9132677
Bug 1572541 - ensure buffer capacity. r?bryce
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Malformed file could cause buffer overrun and crash content process.
- User impact if declined: Web page stops working after playing a malformed video.
- Fix Landed on Version: 76
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is simple.
- String or UUID changes made by this patch:
Comment 17 • 4 years ago
Comment on attachment 9132677
Bug 1572541 - ensure buffer capacity. r?bryce
Approved for 68.7esr also.
Comment 18 • 4 years ago
uplift
Comment hidden (obsolete)
Comment 20 • 4 years ago
Thank you @Petru!
Verified as fixed on 68.7esr build with Google Pixel 4 XL (Android 10) and Samsung Galaxy S10+ (Android 10).
Note that when opening the corrupted video no crash occurred and the "Video can't be played because the file is corrupt." text was displayed on the video.