Closed Bug 945645 Opened 11 years ago Closed 11 years ago

HTML5 audio with mp4 file instantly crashes browser

Categories

(Core :: Graphics: Layers, defect)

23 Branch
x86_64
Windows 7
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla29
Tracking Status
firefox25 --- wontfix
firefox26 --- wontfix
firefox27 --- verified
firefox28 --- verified
firefox29 --- verified
firefox-esr17 --- unaffected
firefox-esr24 --- wontfix
b2g-v1.2 --- wontfix
b2g-v1.3 --- fixed

People

(Reporter: xslade, Assigned: cpearce)

Details

(4 keywords, Whiteboard: [reporter-internal][crash sig needed])

Attachments

(1 file)

I've created an HTML file with an audio tag and inserted an .mp4 video file in it as the 'src' attribute: <audio src="http://sladex.org/placeholders/demo.mp4"></audio>
When I set the preload attribute to none (<audio src="..." preload="none"></audio>), the browser doesn't crash. So the issue happens right after the browser has just started downloading the file. I tested it with several .mp4 files, and not all of them lead to a crash.
Tested in Windows 7 x64, Firefox 25.0.1. Doesn't reproduce in Ubuntu 13.10 and Android 4.3.
Demo: *be careful, it may crash your browser!* http://sladex.org/xbugzilla/ff.html
I am getting no repro on OS X 10.9, Firefox 25.0.1. We really need a crash report attached to this, could you check about:crashes in your browser and attach the crash report link?
Flags: needinfo?(xslade)
Whiteboard: [reporter-internal]
Whiteboard: [reporter-internal] → [reporter-internal][crash sig needed]
I can't reproduce it either on Windows 7 x64 with Firefox 25.0.1. Do you have any codec related plugins enabled in Firefox?
I can reproduce on Win7-64 with nightly. Looks like a null deref: bp-4584d092-40e0-4128-b962-dc5522131203
Just for kicks I flipped the layers.acceleration.disabled pref to true (because D3D9DXVA2Manager was in the stack) and it still crashed: bp-b7e787a2-e2eb-4eb4-9350-2380a2131203
Here's my graphics info from about:support in case it's relevant (especially since Christoph did NOT crash on a similar-sounding config):
  Adapter Description: Intel(R) HD Graphics Family
  Adapter Description (GPU #2): NVIDIA Quadro 1000M
  Adapter Drivers: igdumd64 igd10umd64 igd10umd64 igdumdx32 igd10umd32 igd10umd32
  Adapter Drivers (GPU #2): nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  Adapter RAM: Unknown
  Adapter RAM (GPU #2): 2048
  ClearType Parameters: DISPLAY1 [ Gamma: 2200 Pixel Structure: RGB ClearType Level: 50 Enhanced Contrast: 300 ] DISPLAY3 [ Gamma: 2200 Pixel Structure: RGB ClearType Level: 50 Enhanced Contrast: 100 ]
  Device ID: 0x0126
  Device ID (GPU #2): 0x0dfa
  Direct2D Enabled: true
  DirectWrite Enabled: true (6.2.9200.16571)
  Driver Date: 9-26-2011
  Driver Date (GPU #2): 1-10-2013
  Driver Version: 8.15.10.2538
  Driver Version (GPU #2): 9.18.13.1100
  GPU #2 Active: false
  GPU Accelerated Windows: 0/1 Basic
  Vendor ID: 0x8086
  Vendor ID (GPU #2): 0x10de
  WebGL Renderer: Google Inc. -- ANGLE (Intel(R) HD Graphics Family Direct3D9Ex vs_3_0 ps_3_0)
  windowLayerManagerRemote: false
  AzureCanvasBackend: direct2d
  AzureContentBackend: direct2d
  AzureFallbackCanvasBackend: cairo
  AzureSkiaAccelerated: 0
Crash Signature: [@ mozilla::layers::ImageContainer::CreateImage(mozilla::ImageFormat const*, unsigned int) ]
Component: General → Graphics: Layers
Product: Firefox → Core
Version: 25 Branch → unspecified
I tried the crash link above on three different computers, and all of them led to a crash. Here is the last one (Windows 2008 x64): https://crash-stats.mozilla.com/report/index/7bc36ef1-b0ea-48f2-b70d-dc9f92131203
Flags: needinfo?(xslade)
The MediaDecoder doesn't have an image container for the video frame because it's being loaded inside an <audio> element. D'oh!
Attached patch Patch (deleted) — Splinter Review
Don't initialize video decoding if the image container is null during WMFReader::ReadMetadata(). It is only non-null if we have somewhere to play the video anyway. This means we don't null-deref the image container later, which prevents the crash.
Assignee: nobody → cpearce
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8342065 - Flags: review?
Group: core-security
Flags: sec-bounty-
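
The guard described in the patch comment above, as an added C++ sketch that is not the attached patch or Gecko code: video decoding is only configured when a sink exists, so a later frame decode never dereferences a null container. `Reader`, `FileInfo`, `Image` and `FrameWidth` are hypothetical names, and `ImageContainer`/`ReadMetadata` here are simplified stand-ins that only borrow the names used in this bug.

```cpp
#include <cstdio>
#include <memory>

// Simplified stand-ins; these are NOT Gecko's real classes or signatures.
struct Image { int width, height; };

struct ImageContainer {
    std::unique_ptr<Image> CreateImage(int w, int h) {
        return std::unique_ptr<Image>(new Image{w, h});
    }
};

struct FileInfo { bool hasAudio; bool hasVideo; };   // tracks found in the MP4

class Reader {
    ImageContainer* mContainer;   // null when the owner is an <audio> element
    bool mVideoConfigured = false;
public:
    explicit Reader(ImageContainer* c) : mContainer(c) {}

    // Guard at metadata time: a video track with no sink is never configured,
    // so later stages have nothing to dereference.
    FileInfo ReadMetadata(const FileInfo& tracks) {
        mVideoConfigured = tracks.hasVideo && mContainer != nullptr;
        return FileInfo{tracks.hasAudio, mVideoConfigured};
    }

    // Returns the decoded frame, or null if video decoding is disabled.
    std::unique_ptr<Image> DecodeVideoFrame() {
        if (!mVideoConfigured) return nullptr;        // <audio>: skip video
        return mContainer->CreateImage(640, 360);     // safe: checked above
    }
};

// Decode one frame and report its width, or -1 when video is disabled.
int FrameWidth(ImageContainer* sink, const FileInfo& tracks) {
    Reader r(sink);
    r.ReadMetadata(tracks);
    std::unique_ptr<Image> img = r.DecodeVideoFrame();
    return img ? img->width : -1;
}

int main() {
    ImageContainer video;
    FileInfo mp4{true, true};   // constructed sample: MP4 with audio + video
    std::printf("<video>: %d\n", FrameWidth(&video, mp4));
    std::printf("<audio>: %d\n", FrameWidth(nullptr, mp4));
    return 0;
}
```
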
Comment on attachment 8342065: Patch
D'oh! Forgot to set requestee on review... Paul?
Attachment #8342065 - Flags: review? → review?(paul)
Attachment #8342065 - Flags: review?(paul) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
For the record, regression range: good=2013-05-04 bad=2013-05-05
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=69008b1fd6eb&tochange=c8e47b184aba
Suspected bug: bug 847267.
Blocks: 847267
Keywords: regression
Version: unspecified → 23 Branch
Comment on attachment 8342065: Patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 847267, hardware accelerated H.264 decoding on Windows. Regressed in Firefox 23.
User impact if declined: non-exploitable crash when user loads an MP4 video inside an HTML <audio> element on Windows Vista and later.
Testing completed (on m-c, etc.): This has been on m-c since 2014-01-07.
Risk to taking this patch (and alternatives if risky): Patch is very low risk. It disables video decoding if we're decoding for an <audio> element.
String or IDL/UUID changes made by this patch: None.
Attachment #8342065 - Flags: approval-mozilla-beta?
Attachment #8342065 - Flags: approval-mozilla-aurora?
Attachment #8342065 - Flags: approval-mozilla-beta?
Attachment #8342065 - Flags: approval-mozilla-beta+
Attachment #8342065 - Flags: approval-mozilla-aurora?
Attachment #8342065 - Flags: approval-mozilla-aurora+
Checkin needed on aurora and beta.
Keywords: checkin-needed
Reproduced the crash on nightly 2013-12-19 using the test URL http://sladex.org/xbugzilla/ff.html. Verified fixed 29.0a1 2014-01-09, Win 7 x64.
Status: RESOLVED → VERIFIED
Yes! We need this on ESR24.
Flags: needinfo?(cpearce)
Comment on attachment 8342065: Patch
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: This patch fixes a non-exploitable crash when user loads an MP4 video inside an HTML <audio> element on Windows Vista and later.
User impact if declined: Crashes when user loads an MP4 video inside an HTML <audio> element on Windows Vista and later.
Fix Landed on Version: 27
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Attachment #8342065 - Flags: approval-mozilla-esr24?
Verified as fixed on Firefox 27 beta 5 and the 01/09 Nightly. The bug still reproduces on the 01/09 Aurora. The fix might not have gotten into this Aurora build, so I'll retest this next week.
Tested again on Aurora with the following results:
- 01/12 Windows 7 64bit build - bug fixed
- 01/13 Mac OS X 10.8.5 build - bug fixed
- 01/13 Ubuntu 13.04 32bit build - crash: https://crash-stats.mozilla.com/report/index/5a952bdb-378b-4063-b67b-f27d72140113
The Linux crash looks like another bug to me, but I'm not sure of it. Chris, can you please take a look and let me know if I should file a separate bug for it?
Flags: needinfo?(cpearce)
About the crash on Linux: this is probably bug 959007.
Ioana: this bug is Windows only. The crash you're seeing is a different bug, possibly bug 959007 as Alice suggests.
Flags: needinfo?(cpearce)
Thanks guys! Updating aurora status per the above comments...
Comment on attachment 8342065: Patch
This sounds like an edge case and there's no crash volume on ESR 24 to support making an exception to the landing criteria for that branch. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #8342065 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24-