Closed Bug 606288 Opened 14 years ago Closed 14 years ago

Malformed WebM file leads to assertion/crash: offset == static_cast<int32_t>(offset)

Component: Core :: Audio/Video
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 602333
Reporter: posidron (Unassigned)
Attachments: 2 files

Attached file testcase (deleted) —
ASSERTION FAILED: offset == static_cast<int32_t>(offset) (/home/cdiehl/Mozilla/trunk/js/src/assembler/assembler/X86Assembler.h:2253 static void JSC::X86Assembler::setRel32(void*, void*))

Content: EBML
Number of values: 8
Offset: 1212/0x0004bc Value: ['66', 'a5']
Offset: 10284/0x00282c Value: ['50', '32']
Offset: 15632/0x003d10 Value: ['89']
Offset: 24702/0x00607e Value: ['3a', '96', '97']
Offset: 55890/0x00da52 Value: ['10', '43', 'a7', '70']
Offset: 76397/0x012a6d Value: ['ba']
Offset: 95722/0x0175ea Value: ['66', '24']
Offset: 100502/0x018896 Value: ['cb']
Attached file callstack (deleted) —
This crash looks identical to bug 602333, which I thought was a bug in the JS, not in WebM.
Nice -- valgrind time? /be
This is almost definitely a dupe of bug 602333. CC'ing sstangl to make sure before dupeing. That bug should block final, it happens with out of range addresses on x64.
Yes, it's the same. Great that we have a testcase!
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Blocks: fuzzing-webm
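As an added example (not code from Mozilla's X86Assembler or from this bug's attachments), the C++ below shows the invariant the failing assertion guards: a rel32 branch displacement must fit in a signed 32-bit value, so on x86_64 a target more than 2 GiB from the branch site cannot be reached with that encoding. Rather than asserting, the helper reports the out-of-range case so a caller can fall back instead of emitting a silently truncated jump; the function names, the 5-byte `jmp rel32` layout, and the simulated addresses are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstddef>

// Outcome of trying to encode a 32-bit relative displacement.
enum class Rel32Status { Ok, OutOfRange };

// Compute the displacement a rel32 branch needs to reach `to` when the
// branch instruction ends at `from` (x86 counts relative branches from
// the byte after the instruction). The bug's assertion is equivalent to
// the range check here; truncating instead would redirect the jump to
// an unrelated address 2^32 bytes away.
Rel32Status computeRel32(uint64_t from, uint64_t to, int32_t* out) {
    // Both operands are assumed to be user-space addresses well below
    // 2^63, so the signed difference cannot overflow.
    int64_t offset = static_cast<int64_t>(to) - static_cast<int64_t>(from);
    if (offset < INT32_MIN || offset > INT32_MAX)
        return Rel32Status::OutOfRange;
    *out = static_cast<int32_t>(offset);
    return Rel32Status::Ok;
}

// Write a 5-byte `jmp rel32` (E9 xx xx xx xx) into `buf`, which models
// code living at simulated address `bufAddr`. Returns false and leaves
// `buf` untouched when the target is unreachable with a rel32.
bool emitJmpRel32(uint8_t* buf, uint64_t bufAddr, uint64_t target) {
    int32_t rel;
    if (computeRel32(bufAddr + 5, target, &rel) != Rel32Status::Ok)
        return false;
    buf[0] = 0xE9;
    uint32_t le = static_cast<uint32_t>(rel);
    for (int i = 0; i < 4; i++)  // displacement is little-endian
        buf[1 + i] = static_cast<uint8_t>(le >> (8 * i));
    return true;
}

// Decode the displacement from an emitted `jmp rel32`, for checking.
int32_t readRel32(const uint8_t* buf) {
    uint32_t le = 0;
    for (int i = 0; i < 4; i++)
        le |= static_cast<uint32_t>(buf[1 + i]) << (8 * i);
    return static_cast<int32_t>(le);
}
```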