Closed Bug 1760905 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-buffer-overflow [@ LockVAAPIData] with READ of size 8

Categories

(Core :: Audio/Video: Playback, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
100 Branch
Tracking Status
firefox-esr91 --- disabled
firefox98 --- disabled
firefox99 --- disabled
firefox100 --- fixed

People

(Reporter: decoder, Assigned: stransky)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sec-survey][post-critsmash-triage])

Attachments

(1 file)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 100.0a1-20220308220159-https://hg.mozilla.org/mozilla-central/rev/c06bbb0ddc24d3d1605e5f67c1b875aad60e26c5.

For detailed crash information, see attachment.

Attached file: Detailed Crash Information (deleted)
Flags: sec-bounty?

It looks like Stransky wrote a lot of this code, so I'll needinfo them in case they can take a look.

Group: core-security → media-core-security
Component: Audio/Video → Audio/Video: Playback
Flags: needinfo?(stransky)
Keywords: csectype-bounds
Keywords: sec-high

va-api is disabled by default.

Flags: needinfo?(stransky)

This is fixed by Bug 1758610 - we used the wrong AVFrame layout for ffmpeg 5.0.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch
Assignee: nobody → stransky
Group: media-core-security → core-security-release
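The root cause named above (a frame-struct layout assumed for one ffmpeg generation applied to frames allocated by another, so an 8-byte pointer field is read past the end of the heap block) as an added example; this is not Firefox or ffmpeg code. The two struct layouts, the generation-to-version mapping and `lock_surface` are constructed stand-ins, and the explicit bounds test stands in for the check AddressSanitizer performs at runtime.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for two ABI-incompatible layouts of a decoded-frame
 * struct (NOT the real AVFrame). Only the shape of the problem is kept: the
 * hardware-surface handle (an 8-byte pointer) lives at a different offset,
 * and the struct itself has a different size, in each library generation. */
typedef struct { uint8_t *data[8]; void *hw_surface; } FrameGenA; /* handle at offset 64 */
typedef struct { void *hw_surface; uint8_t *data[4]; } FrameGenB; /* handle at offset 0  */

/* Offset the caller believes hw_surface lives at, given the layout it was compiled against. */
static size_t surface_offset(int layout_generation) {
    return layout_generation == 1 ? offsetof(FrameGenA, hw_surface)
                                  : offsetof(FrameGenB, hw_surface);
}

/* Read the handle at the offset implied by `assumed_generation`. `alloc_size` is
 * the real size of the heap block the library handed us; the bounds test models
 * what ASan flags as "heap-buffer-overflow READ of size 8". Returns 0 on success,
 * -1 when the read would run past the allocation. */
int lock_surface(const void *frame, size_t alloc_size, int assumed_generation, void **out) {
    size_t off = surface_offset(assumed_generation);
    if (off + sizeof(void *) > alloc_size) return -1;
    memcpy(out, (const char *)frame + off, sizeof(void *));
    return 0;
}

/* Fix pattern: pick the layout from the version the loaded library reports
 * (assumption: `runtime_major` is that value) instead of the compile-time one,
 * and refuse unknown generations rather than guess. */
int lock_surface_versioned(const void *frame, size_t alloc_size, int runtime_major, void **out) {
    int gen = runtime_major >= 5 ? 2 : (runtime_major == 4 ? 1 : 0);
    if (gen == 0) return -1;
    return lock_surface(frame, alloc_size, gen, out);
}

/* Scenario: library of generation 2 allocates a 40-byte FrameGenB, caller was
 * compiled against generation 1 and reads at offset 64. Returns 1 when the
 * mismatch is caught and the versioned path still yields the right handle. */
int mismatch_is_detected(void) {
    FrameGenB *f = calloc(1, sizeof *f);
    void *h = NULL;
    int overflowed = lock_surface(f, sizeof *f, 1, &h) == -1;
    f->hw_surface = (void *)0x1234;
    int fixed_ok = lock_surface_versioned(f, sizeof *f, 5, &h) == 0 && h == (void *)0x1234;
    free(f);
    return overflowed && fixed_ok;
}
```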

Looking at the dependencies on bug 1610199 we are nowhere near turning this on by default, even in nightly (there's not even an "enable on nightly" placeholder bug yet). Experimental features that are disabled by default are not part of the bug bounty program yet -- we can't afford to cover incomplete and not fully tested code.

Flags: sec-bounty? → sec-bounty-

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(stransky)
Whiteboard: [sec-survey]
Flags: needinfo?(stransky)
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][post-critsmash-triage]
Group: core-security-release