Closed
Bug 468293
Opened 16 years ago
Closed 15 years ago
Audit alloc failure in fishsound annodex
Categories
(Core :: Audio/Video, defect)
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: cajbir)
Details
(Keywords: crash, Whiteboard: [sg:audit])
Attachments
(1 file, 1 obsolete file)
http://mxr-test.konigsberg.mozilla.org/mozilla-central/source/media/libfishsound/src/libfishsound/fishsound_vorbis.c?rev=a2c9bc656ed5&mark=165-166,173,475-477,
note that realloc is generally used incorrectly
http://mxr-test.konigsberg.mozilla.org/mozilla-central/source/media/libfishsound/src/libfishsound/fs_vector.c?rev=a2c9bc656ed5&mark=60-62,
http://mxr-test.konigsberg.mozilla.org/mozilla-central/source/media/libfishsound/src/libfishsound/fishsound_comments.c?rev=a2c9bc656ed5&mark=48-49,58-59,117-126,
http://mxr-test.konigsberg.mozilla.org/mozilla-central/source/media/libfishsound/src/libfishsound/fishsound_comments.c?rev=a2c9bc656ed5&mark=48-49,58-59,117-126,186-188,231,487-489,496-497,
_fs_comment_add returns NULL on OOM, this isn't checked. Marking it isn't practical, and it's guarded by FS_ENCODE which hopefully isn't true for us. Sadly fish_sound_comments_decode isn't if FS_ENCODE, and so this is a problem.
http://mxr-test.konigsberg.mozilla.org/mozilla-central/source/media/libfishsound/src/libfishsound/fishsound.c?rev=a2c9bc656ed5&mark=107-109,119
showing comments crashing is too hard, but the init method can fail and should be checked
http://mxr-test.konigsberg.mozilla.org/mozilla-central/source/media/libfishsound/src/libfishsound/fishsound_speex.c?rev=a2c9bc656ed5&mark=397-399,416-417,598-599,614-614,696-698
http://mxr-test.konigsberg.mozilla.org/mozilla-central/source/media/libfishsound/src/libfishsound/fishsound_flac.c?rev=a2c9bc656ed5&mark=171-176,176-181,283-284,289,306,356-357,374-375,465-469,505-509,518-519,538-539,570-575,603-606,740-742,
Flags: blocking1.9.1?
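The two failure modes the report names, `realloc` misuse and an unchecked NULL return on OOM, are shown here as an added C example. It is not libfishsound code; `vec_t`, `vec_push`, `add_all` and the `fail_after` fault-injection hook are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable pointer vector (not libfishsound's fs_vector). */
typedef struct { void **data; size_t len, cap; } vec_t;

/* Fault injection: -1 = never fail; k >= 0 = k allocations succeed,
   then every later one fails like an out-of-memory realloc. */
static int fail_after = -1;
static void *hooked_realloc(void *p, size_t n) {
    if (fail_after == 0) return NULL;
    if (fail_after > 0) fail_after--;
    return realloc(p, n);
}

/* Broken pattern:  v->data = realloc(v->data, n);
   On failure that overwrites the only pointer to the old buffer (leak)
   and the next store dereferences NULL. */

/* Returns item, or NULL on allocation failure (item must be non-NULL).
   On failure the vector is unchanged and still owns its old buffer. */
static void *vec_push(vec_t *v, void *item) {
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        if (ncap < v->cap || ncap > SIZE_MAX / sizeof *v->data) return NULL;
        void **tmp = hooked_realloc(v->data, ncap * sizeof *v->data);
        if (tmp == NULL) return NULL;   /* keep v->data; nothing is lost */
        v->data = tmp;
        v->cap = ncap;
    }
    v->data[v->len++] = item;
    return item;
}

/* Caller checks every push and propagates the error: 0 ok, -1 on OOM. */
static int add_all(vec_t *v, char **items, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (vec_push(v, items[i]) == NULL) return -1;
    return 0;
}

int main(void) {
    char *items[] = {"a", "b", "c", "d", "e"};   /* constructed input */
    vec_t v = {0};
    fail_after = 1;                 /* first growth succeeds, second fails */
    printf("rc=%d len=%zu cap=%zu\n", add_all(&v, items, 5), v.len, v.cap);
    free(v.data);
    return 0;
}
```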
Updated•16 years ago
Whiteboard: [sg:investigate]
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1-
Comment 1•16 years ago
these are now fixed in upstream svn.annodex.net/libfishsound/trunk
Changesets: 3849, 3851, 3853, 3854:
http://trac.annodex.net/changeset/3849
http://trac.annodex.net/changeset/3851
http://trac.annodex.net/changeset/3853
http://trac.annodex.net/changeset/3854
AFAIU, flac, speex and all encode support is not enabled in the Firefox build, but these are also fixed in the above changesets. Please test/apply. (Probably easiest to just update to this trunk.)
Comment 2•16 years ago (Assignee)
Updates to libfishsound svn tip to get changesets identified in comment 1. Requires bug 477899 to be applied first.
Assignee: nobody → chris.double
Status: NEW → ASSIGNED
Comment 3•15 years ago (Assignee)
Update to latest libfishsound git revision. Pulls in fixes for issues identified. Now that bug 477899 is fixed and landed (as mentioned in comment 2) this should resolve this bug when landed.
Attachment #365112 - Attachment is obsolete: true
Updated•15 years ago
Whiteboard: [sg:investigate] → [sg:audit]
Comment 4•15 years ago
Bug 511584 updated libfishsound to 20b5cdf6fe38f6 on all branches, so we can close this.
Updated•10 years ago
Group: core-security