Closed Bug 1413750 Opened 8 years ago Closed 6 years ago

UBSan: shift exponent is too large [@ mp4_demuxer::BitReader::ReadBits]

Categories

(Core :: Audio/Video: Playback, defect, P3)

Product:
Core
Component:
Audio/Video: Playback
Version:
58 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox58 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: tsmith, Assigned: jya)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: csectype-undefined, regression, testcase)

Attachments

(2 files, 1 obsolete file)

test_case.mp4
1.55 KB, video/mp4
Details
Bug 1413750 - Handle shift by 32 bits. r?alwu
47 bytes, text/x-phabricator-request
Details | Review
Attached video test_case.mp4
This was found with a Firefox build built with -fsanitize=shift /mozilla-central/media/libstagefright/binding/BitReader.cpp:55:22: runtime error: shift exponent 32 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') #0 mp4_demuxer::BitReader::ReadBits(unsigned long) /mozilla-central/media/libstagefright/binding/BitReader.cpp:55:22 #1 mp4_demuxer::H264::vui_parameters(mp4_demuxer::BitReader&, mp4_demuxer::SPSData&) /mozilla-central/media/libstagefright/binding/H264.cpp:743:9 #2 mp4_demuxer::H264::DecodeSPS(mozilla::MediaByteBuffer const*, mp4_demuxer::SPSData&) /mozilla-central/media/libstagefright/binding/H264.cpp:508:10 #3 mp4_demuxer::H264::DecodeSPSFromExtraData(mozilla::MediaByteBuffer const*, mp4_demuxer::SPSData&) /mozilla-central/media/libstagefright/binding/H264.cpp:758:16 #4 mozilla::AccumulateSPSTelemetry(mozilla::MediaByteBuffer const*) /mozilla-central/dom/media/fmp4/MP4Demuxer.cpp:87:7 #5 mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MP4Demuxer*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mp4_demuxer::IndiceWrapper const&) /mozilla-central/dom/media/fmp4/MP4Demuxer.cpp:366:28 #6 mozilla::MP4Demuxer::Init() /mozilla-central/dom/media/fmp4/MP4Demuxer.cpp:255:13 #7 operator() /mozilla-central/dom/media/MediaFormatReader.cpp:1115:47 #8 mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_10, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() /mozilla-central/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:1511 #9 mozilla::TaskQueue::Runner::Run() /mozilla-central/xpcom/threads/TaskQueue.cpp:246:12 #10 nsThreadPool::Run() /mozilla-central/xpcom/threads/nsThreadPool.cpp:228:14 #11 non-virtual thunk to nsThreadPool::Run() /mozilla-central/xpcom/threads/nsThreadPool.cpp #12 nsThread::ProcessNextEvent(bool, bool*) /mozilla-central/xpcom/threads/nsThread.cpp:1037:14 #13 NS_ProcessNextEvent(nsIThread*, bool) /mozilla-central/xpcom/threads/nsThreadUtils.cpp:513:10 #14 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /mozilla-central/ipc/glue/MessagePump.cpp:334:20 #15 RunHandler /mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3 #16 MessageLoop::Run() /mozilla-central/ipc/chromium/src/base/message_loop.cc:299 #17 nsThread::ThreadFunc(void*) /mozilla-central/xpcom/threads/nsThread.cpp:425:11 #18 _pt_root /mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:216:5 #19 start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb) #20 clone /build/glibc-CxtIbX/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Has Regression Range: --- → irrelevant
Blocks: ubsan

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="shift"
ac_add_options --disable-jemalloc

INFO - TEST-START | browser/components/resistfingerprinting/test/mochitest/test_bug1354633_media_error.html
...
src/dom/media/BitReader.cpp:44:22: runtime error: shift exponent 32 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')
    #0 0x7faf95184aa7 in mozilla::BitReader::ReadBits(unsigned long) src/dom/media/BitReader.cpp:44:22
    #1 0x7faf9585030d in mozilla::H264::vui_parameters(mozilla::BitReader&, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:888:9
    #2 0x7faf9584f1d1 in mozilla::H264::DecodeSPS(mozilla::MediaByteBuffer const*, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:646:10
    #3 0x7faf9585071a in GetSPSData src/dom/media/platforms/agnostic/bytestreams/H264.cpp:378:12
    #4 0x7faf9585071a in mozilla::H264::DecodeSPSFromExtraData(mozilla::MediaByteBuffer const*, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:902
    #5 0x7faf95b12cfe in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mozilla::IndiceWrapper const&) src/dom/media/mp4/MP4Demuxer.cpp:323:9
    #6 0x7faf95b0a4b4 in mozilla::MP4Demuxer::Init() src/dom/media/mp4/MP4Demuxer.cpp:225:45
    #7 0x7faf953945e9 in operator() src/dom/media/MediaFormatReader.cpp:722:47
    #8 0x7faf953945e9 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_13, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() src/obj-firefox/dist/include/mozilla/MozPromise.h:1450
    #9 0x7faf8fbc8cbb in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:199:12
    #10 0x7faf8fc03f58 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:246:14
    #11 0x7faf8fc04c4c in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #12 0x7faf8fbf9106 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #13 0x7faf8fc004dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #14 0x7faf90bc1cea in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #15 0x7faf90af5767 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #16 0x7faf90af5767 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #17 0x7faf90af5767 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #18 0x7faf8fbf24e2 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:458:11
    #19 0x7fafac1d272e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:198:5
    #20 0x7fafaff4a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #21 0x7fafaefd341c in clone /build/glibc-LK5gWL/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Blocks: 1580918
status-firefox66: affectedwontfix
status-firefox67: affectedwontfix
status-firefox69: --- → wontfix
status-firefox70: --- → affected
status-firefox71: --- → affected
status-firefox-esr68: --- → affected
Flags: needinfo?(jyavenard)
Regressed by: 1323081
Keywords: regression
Assignee: nobody → jyavenard
Flags: needinfo?(jyavenard)
Attachment #9101168 - Attachment is obsolete: true

https://hg.mozilla.org/mozilla-central/rev/e620adbcbb8e

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
QA Whiteboard: [good first verify]
Has Regression Range: irrelevant → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: