Closed
Bug 1603296
Opened 5 years ago
Closed 4 years ago
null pointer passed as argument 2, which is declared to never be null in media/webrtc/trunk/webrtc/rtc_base/buffer.h:348
Categories
(Core :: WebRTC: Audio/Video, defect, P2)
RESOLVED
FIXED
mozilla78
People
(Reporter: tsmith, Assigned: dminor)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-undefined, testcase)
Found with m-c 20191211-b823b005f00e
This is triggered with a UBSan build while running gtests. To enable this check, add the following to your mozconfig:
ac_add_options --enable-undefined-sanitizer="nonnull-attribute"
[ RUN ] MediaPipelineTest.TestAudioSendNoMux
src/media/webrtc/trunk/webrtc/rtc_base/buffer.h:348:33: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
#0 0x7f4d7a5b5aca in rtc::BufferT<unsigned char>::EnsureCapacityWithHeadroom(unsigned long, bool) src/media/webrtc/trunk/webrtc/rtc_base/buffer.h:348:5
#1 0x7f4d7a5b207b in rtc::BufferT<unsigned char>::SetSize(unsigned long) src/media/webrtc/trunk/webrtc/rtc_base/buffer.h:304:5
#2 0x7f4d7a78adcc in unsigned long rtc::BufferT<unsigned char>::AppendData<unsigned char, webrtc::AudioEncoderOpusImpl::EncodeImpl(unsigned int, rtc::ArrayView<short const, -4711l>, rtc::BufferT<unsigned char>*)::$_2, (void*)0>(unsigned long, webrtc::AudioEncoderOpusImpl::EncodeImpl(unsigned int, rtc::ArrayView<short const, -4711l>, rtc::BufferT<unsigned char>*)::$_2&&) src/media/webrtc/trunk/webrtc/rtc_base/buffer.h:289:5
#3 0x7f4d7a78a0f2 in webrtc::AudioEncoderOpusImpl::EncodeImpl(unsigned int, rtc::ArrayView<short const, -4711l>, rtc::BufferT<unsigned char>*) src/media/webrtc/trunk/webrtc/modules/audio_coding/codecs/opus/audio_encoder_opus.cc:617:16
#4 0x7f4d7a489f42 in webrtc::AudioEncoder::Encode(unsigned int, rtc::ArrayView<short const, -4711l>, rtc::BufferT<unsigned char>*) src/media/webrtc/trunk/webrtc/api/audio_codecs/audio_encoder.cc:44:22
#5 0x7f4d7a629a0a in webrtc::(anonymous namespace)::AudioCodingModuleImpl::Encode(webrtc::(anonymous namespace)::AudioCodingModuleImpl::InputData const&) src/media/webrtc/trunk/webrtc/modules/audio_coding/acm2/audio_coding_module.cc:496:34
#6 0x7f4d7a6240a6 in webrtc::(anonymous namespace)::AudioCodingModuleImpl::Add10MsData(webrtc::AudioFrame const&) src/media/webrtc/trunk/webrtc/modules/audio_coding/acm2/audio_coding_module.cc:662:22
#7 0x7f4d7ace9d77 in webrtc::voe::Channel::ProcessAndEncodeAudioOnTaskQueue(webrtc::AudioFrame*) src/media/webrtc/trunk/webrtc/voice_engine/channel.cc:1763:22
#8 0x7f4d7ad06592 in webrtc::voe::Channel::ProcessAndEncodeAudioTask::Run() src/media/webrtc/trunk/webrtc/voice_engine/channel.cc:535:15
#9 0x7f4d7ac0f6f3 in rtc::TaskQueue::Impl::OnWakeup(int, short, void*) src/media/webrtc/trunk/webrtc/rtc_base/task_queue_libevent.cc:438:18
#10 0x7f4d705d1218 in event_persist_closure src/ipc/chromium/src/third_party/libevent/event.c:1580:9
#11 0x7f4d705d024b in event_process_active_single_queue src/ipc/chromium/src/third_party/libevent/event.c:1639:4
#12 0x7f4d705ae502 in event_process_active src/ipc/chromium/src/third_party/libevent/event.c
#13 0x7f4d705aca2b in event_base_loop src/ipc/chromium/src/third_party/libevent/event.c:1961:12
#14 0x7f4d7ac0ed56 in rtc::TaskQueue::Impl::ThreadMain(void*) src/media/webrtc/trunk/webrtc/rtc_base/task_queue_libevent.cc:407:5
#15 0x7f4d7abdf63a in rtc::PlatformThread::Run() src/media/webrtc/trunk/webrtc/rtc_base/platform_thread.cc:246:5
#16 0x7f4d7abdee0f in rtc::PlatformThread::StartThread(void*) src/media/webrtc/trunk/webrtc/rtc_base/platform_thread.cc:162:40
#17 0x7f4d9f8736da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Updated•5 years ago (Assignee)
Assignee: nobody → dminor
Updated•5 years ago
Priority: -- → P2
Comment 1•4 years ago (Assignee)
Since this passes IsConsistent() and data_ is null, capacity_ must be zero,
which implies size_ is zero, and so we attempt to copy zero bytes from a null
pointer. This doesn't seem to crash, but is still undefined behaviour.
Comment 2•4 years ago (Assignee)
Filed https://bugs.chromium.org/p/webrtc/issues/detail?id=11613 upstream.
Comment 3•4 years ago (Assignee)
Upstream review here: https://webrtc-review.googlesource.com/c/src/+/176280
Pushed by dminor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/232db1f2b77d
Check for null data_ in EnsureCapacityWithHeadroom; r=ng
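The case described in comment 1 and the guard named in the commit title above, as an added example that is not the WebRTC or Mozilla code. ToyBuffer, CheckedCopy and ViolationsOnFirstGrow are hypothetical names, and the violation counter stands in for UBSan's nonnull-attribute report so the undefined call is never actually made.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <utility>

// Counts calls that would break memcpy's nonnull contract (what UBSan's
// nonnull-attribute check reports) instead of actually making them.
static int g_nonnull_violations = 0;

static void CheckedCopy(void* dst, const void* src, std::size_t n) {
  if (dst == nullptr || src == nullptr) {  // undefined even when n == 0
    ++g_nonnull_violations;
    return;
  }
  std::memcpy(dst, src, n);
}

// Hypothetical stand-in for the buffer discussed in comment 1.
template <bool kGuardNullData>
class ToyBuffer {
 public:
  bool IsConsistent() const { return (data_ || capacity_ == 0) && capacity_ >= size_; }
  void EnsureCapacity(std::size_t capacity) {
    if (capacity <= capacity_) return;
    std::unique_ptr<unsigned char[]> grown(new unsigned char[capacity]);
    // On a fresh buffer data_ is null and size_ is 0: nothing to copy.
    if (!kGuardNullData || data_ != nullptr) CheckedCopy(grown.get(), data_.get(), size_);
    data_ = std::move(grown);
    capacity_ = capacity;
  }
  void SetSize(std::size_t size) { EnsureCapacity(size); size_ = size; }
  std::size_t size() const { return size_; }
 private:
  std::unique_ptr<unsigned char[]> data_;
  std::size_t size_ = 0;
  std::size_t capacity_ = 0;
};

// Nonnull violations caused by the first SetSize() on an empty buffer.
template <bool kGuard>
int ViolationsOnFirstGrow() {
  g_nonnull_violations = 0;
  ToyBuffer<kGuard> buf;
  buf.SetSize(16);
  return (buf.IsConsistent() && buf.size() == 16) ? g_nonnull_violations : -1;
}
int main() {
  return (ViolationsOnFirstGrow<false>() == 1 && ViolationsOnFirstGrow<true>() == 0) ? 0 : 1;
}
```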
Comment 5•4 years ago
bugherder
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox78:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Comment 6•4 years ago (Assignee)
Merged upstream here: https://webrtc.googlesource.com/src/+/b164e704505fc16cf0e6c0f471dd02010b8e6e2c