Bug 853589 - WebVTT crash [@parse_cueparams]
Status: RESOLVED FIXED (Closed)
Opened 12 years ago, closed 11 years ago
Categories: Core :: Audio/Video, defect
People: Reporter: posidron, Assigned: rillian
4 keywords, Whiteboard: [asan]
Attachments: 2 files

Tracking | Status
---|---
firefox21 | unaffected
firefox22 | unaffected
firefox-esr17 | unaffected
b2g18 | unaffected
Description • 12 years ago

...Trying to add mTrack to media element's TextTrackList...
nsHTMLMediaElement::AddTextTrack
Done
WebVTTLoadListener::onParsedCue aCue->from=11000, aCue->until=13000
TextTrackCue::TextTrackCue aStartTime=11.000000 aEndTime=13.000000
WebVTTLoadListener::onParsedCue aCue->from=13000, aCue->until=16000
TextTrackCue::TextTrackCue aStartTime=13.000000 aEndTime=16.000000
WebVTTLoadListener::onParsedCue aCue->from=16000, aCue->until=18000
TextTrackCue::TextTrackCue aStartTime=16.000000 aEndTime=18.000000
WebVTTLoadListener::onParsedCue aCue->from=18000, aCue->until=20000
TextTrackCue::TextTrackCue aStartTime=18.000000 aEndTime=20.000000
WebVTTLoadListener::onParsedCue aCue->from=20000, aCue->until=22000
TextTrackCue::TextTrackCue aStartTime=20.000000 aEndTime=22.000000
OnReportError aLine=20 aCol=1 aError=7
WebVTTLoadListener::onParsedCue aCue->from=24000, aCue->until=26000
TextTrackCue::TextTrackCue aStartTime=24.000000 aEndTime=26.000000
OnReportError aLine=26 aCol=15 aError=7
ASAN:SIGSEGV at media/webvtt/parser.c:731 (the line marked * below):

    case CP_T5:
      if( token == WHITESPACE ) {
        /* no problem, just ignore it and continue */
      } else if( token == TIMESTAMP )
        if( !parse_timestamp( self->token, &cue->until ) ) {
          ERROR_AT_COLUMN(
            ( BAD_TIMESTAMP( cue->until )
              ? WEBVTT_EXPECTED_TIMESTAMP
              : WEBVTT_MALFORMED_TIMESTAMP ), last_column );
  * if( !webvtt_isdigit( self->token[self->token_pos - 1] ) ) {
Tested with https://github.com/RickEyre/mozilla-central/commit/5103eed4e6a90671343c193e4e5a95268cf794ff
Comment 1 (Reporter) • 12 years ago

Comment 2 (Assignee) • 12 years ago
This can be blocked by a self->token_pos guard like the CP_T1 case above.
Comment 3 (Assignee) • 12 years ago
Ok, I remember now. We can't simply add the guard in the new clause because it results in an infinite loop. Need to actually fix the problem where this is reachable with an unparsed token.
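The following is an added worked example for this page, not code from mozilla-central or the webvtt parser: a hypothetical toy version of the cue-timing state machine that reproduces the two points above, the unguarded `token[token_pos - 1]` read from the description (together with the `token_pos` guard of comment 2) and the infinite loop of comment 3. The names `next_token`, `parse_cueparams`, `token_ends_with_digit`, the token kinds and the `CUE_*` result codes are all invented for it, and the inputs are constructed (the first is the 11000/13000 cue from the log).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy cue-timing parser written for this bug page, NOT the
 * media/webvtt/parser.c code; it only copies the shape of parse_cueparams(). */

enum token_kind { TOK_TIMESTAMP, TOK_SEPARATOR, TOK_WHITESPACE, TOK_UNPARSED, TOK_END };
enum cue_result { CUE_OK, CUE_BAD_TIMESTAMP, CUE_BAD_SEPARATOR, CUE_UNEXPECTED_TOKEN, CUE_INCOMPLETE, CUE_NO_PROGRESS };

typedef struct {
    const char *line;
    size_t pos;        /* read cursor into line */
    char token[32];
    size_t token_pos;  /* bytes assembled in token; 0 means "no token" */
} cue_parser;

/* On a byte it does not recognise, returns TOK_UNPARSED with token_pos == 0
 * and WITHOUT advancing pos: the "unparsed token" state of comment 3. */
static enum token_kind next_token(cue_parser *p)
{
    const char *s = p->line + p->pos;
    enum token_kind kind = TOK_TIMESTAMP;
    size_t n = 0;
    p->token_pos = 0;
    if (*s == '\0') return TOK_END;
    if (strncmp(s, "-->", 3) == 0) {
        n = 3; kind = TOK_SEPARATOR;
    } else if (*s == ' ' || *s == '\t') {
        kind = TOK_WHITESPACE;
        while ((s[n] == ' ' || s[n] == '\t') && n < sizeof p->token - 1) n++;
    } else if (isdigit((unsigned char)*s)) {
        while ((isdigit((unsigned char)s[n]) || s[n] == ':' || s[n] == '.') && n < sizeof p->token - 1) n++;
    }
    if (n == 0) return TOK_UNPARSED;
    memcpy(p->token, s, n);
    p->token[n] = '\0';
    p->token_pos = n;
    p->pos += n;
    return kind;
}

/* "HH:MM:SS.mmm" or "MM:SS.mmm" to milliseconds; returns 1 on success. */
static int parse_timestamp(const char *s, unsigned *ms_out)
{
    unsigned h = 0, m, sec, ms;
    int n = -1;
    if (sscanf(s, "%u:%u:%u.%u%n", &h, &m, &sec, &ms, &n) != 4 || n < 0 || s[n] != '\0') {
        h = 0;
        if (sscanf(s, "%u:%u.%u%n", &m, &sec, &ms, &n) != 3 || n < 0 || s[n] != '\0')
            return 0;
    }
    if (m > 59 || sec > 59 || ms > 999) return 0;
    *ms_out = ((h * 60 + m) * 60 + sec) * 1000 + ms;
    return 1;
}

/* Guarded form of the check at parser.c:731: with token_pos == 0 the unguarded
 * token[token_pos - 1] indexes token[SIZE_MAX], an out-of-bounds read. */
static int token_ends_with_digit(const cue_parser *p)
{
    return p->token_pos > 0 && isdigit((unsigned char)p->token[p->token_pos - 1]);
}

/* ignore_unparsed == 1 reproduces "guard it, then ignore and continue" (the
 * infinite loop of comment 3, cut off here by a budget); 0 reports and stops. */
enum cue_result parse_cueparams(const char *line, unsigned *from, unsigned *until, int ignore_unparsed)
{
    cue_parser p = { line, 0, { 0 }, 0 };
    enum { CP_START, CP_SEP, CP_END } state = CP_START;
    size_t budget = strlen(line) + 2;  /* enough for any loop that consumes input */
    while (budget-- > 0) {
        enum token_kind t = next_token(&p);
        if (t == TOK_END) return CUE_INCOMPLETE;
        if (t == TOK_WHITESPACE) continue;  /* safe to ignore: its bytes were consumed */
        if (state == CP_START) {
            if (t != TOK_TIMESTAMP || !parse_timestamp(p.token, from)) return CUE_BAD_TIMESTAMP;
            state = CP_SEP;
        } else if (state == CP_SEP) {
            if (t != TOK_SEPARATOR) return CUE_BAD_SEPARATOR;
            state = CP_END;
        } else if (t == TOK_TIMESTAMP) {
            return parse_timestamp(p.token, until) ? CUE_OK : CUE_BAD_TIMESTAMP;
        } else if (token_ends_with_digit(&p)) {  /* the check that crashed; token_pos is 0 here for TOK_UNPARSED */
            return CUE_BAD_TIMESTAMP;
        } else if (!ignore_unparsed) {
            return CUE_UNEXPECTED_TOKEN;  /* fix: report the unparsed token and stop */
        }  /* else "ignore it and continue": nothing was consumed, so no progress */
    }
    return CUE_NO_PROGRESS;  /* the loop spun without advancing pos */
}

int main(void)
{
    unsigned from = 0, until = 0;  /* constructed input: the 11000/13000 cue from the log */
    enum cue_result r = parse_cueparams("00:00:11.000 --> 00:00:13.000", &from, &until, 0);
    printf("result=%d from=%u until=%u\n", (int)r, from, until);
    printf("guard+ignore on \"--> @\": %d (CUE_NO_PROGRESS=%d)\n",
           (int)parse_cueparams("00:00:11.000 --> @", &from, &until, 1), (int)CUE_NO_PROGRESS);
    return 0;
}
```

The budget is only a safety net for the demonstration; the point is that a guard which merely skips the check is not a fix, because the tokenizer hands the same unconsumed byte back on every pass. The `ignore_unparsed == 0` path does what comment 3 asks for and stops at the unparsed token instead.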
Updated • 12 years ago: Whiteboard: [asan]

Updated (Reporter) • 12 years ago: Blocks: fuzzing-webvtt
Comment 4 • 12 years ago
Guessing at sec-high -- looks like at the very least random memory contents might be incorporated into web-accessible content. Could be overrating out of paranoia, but we'll know more when we get a patch.
Keywords: sec-high
Comment 5 • 12 years ago
Ralph it sounds like you might want to take this one?
Updated (Assignee) • 12 years ago: Assignee: nobody → giles
Comment 6 • 12 years ago

Is this producible on Rick Eyre's coordinating branch with the most recent code? This looks like a duplicate of the other infinite loop bug, which had been resolved.
Updated • 12 years ago:
status-b2g18: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → unaffected
status-firefox-esr17: --- → unaffected
Keywords: regression
Comment 7 (Reporter) • 11 years ago

Re-tested against https://github.com/RickEyre/mozilla-central/commit/1344e315e74cf89528d53fef74b9257684b97a70
Fixed.

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 9 years ago: Group: core-security → core-security-release

Updated • 8 years ago: Group: core-security-release