Open Bug 1536243 Opened 6 years ago Updated 7 months ago

Conditional jump or move depends on uninitialized values created by mozilla::FFmpegDataDecoder<57>::InitDecoder

Categories

(Core :: Audio/Video: Playback, defect, P4)

Tracking

Tracking Status
firefox67 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-low, testcase)

Attachments

(1 file)

Attached video testcase.mp4
==76355== Thread 55 MediaPD~oder #1:
==76355== Conditional jump or move depends on uninitialised value(s)
==76355==    at 0x2D87F9D8: ff_h2645_extract_rbsp (h2645_parse.c:56)
==76355==    by 0x2D87FEA3: ff_h2645_packet_split (h2645_parse.c:329)
==76355==    by 0x2D8BCBAE: decode_extradata_ps (h264_parse.c:358)
==76355==    by 0x2D8BE37F: ff_h264_decode_extradata (h264_parse.c:399)
==76355==    by 0x2D63DCCE: h264_decode_init (h264dec.c:416)
==76355==    by 0x2DC45A15: avcodec_open2 (utils.c:1023)
==76355==    by 0x11C975C4: mozilla::FFmpegDataDecoder<57>::InitDecoder() (FFmpegDataDecoder.cpp:99)
==76355==    by 0x11C99B81: mozilla::FFmpegVideoDecoder<57>::Init() (FFmpegVideoDecoder.cpp:141)
==76355==    by 0x11C67E75: mozilla::detail::ProxyFunctionRunnable<mozilla::MediaChangeMonitor::Init()::$_0, mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true> >::Run() (MediaChangeMonitor.cpp:235)
==76355==    by 0xFD43DB3: mozilla::TaskQueue::Runner::Run() (TaskQueue.cpp:199)
==76355==    by 0xFD54423: nsThreadPool::Run() (nsThreadPool.cpp:241)
==76355==    by 0xFD5456C: non-virtual thunk to nsThreadPool::Run() (nsThreadPool.cpp:0)
==76355==  Uninitialised value was created by a heap allocation
==76355==    at 0x4C32373: memalign (vg_replace_malloc.c:908)
==76355==    by 0x4C32476: posix_memalign (vg_replace_malloc.c:1072)
==76355==    by 0x2EF27762: av_malloc (in /usr/lib/x86_64-linux-gnu/libavutil.so.55.78.100)
==76355==    by 0x11C9750A: mozilla::FFmpegDataDecoder<57>::InitDecoder() (FFmpegDataDecoder.cpp:82)
==76355==    by 0x11C99B81: mozilla::FFmpegVideoDecoder<57>::Init() (FFmpegVideoDecoder.cpp:141)
==76355==    by 0x11C67E75: mozilla::detail::ProxyFunctionRunnable<mozilla::MediaChangeMonitor::Init()::$_0, mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true> >::Run() (MediaChangeMonitor.cpp:235)
==76355==    by 0xFD43DB3: mozilla::TaskQueue::Runner::Run() (TaskQueue.cpp:199)
==76355==    by 0xFD54423: nsThreadPool::Run() (nsThreadPool.cpp:241)
==76355==    by 0xFD5456C: non-virtual thunk to nsThreadPool::Run() (nsThreadPool.cpp:0)
==76355==    by 0xFD50D47: nsThread::ProcessNextEvent(bool, bool*) (nsThread.cpp:1179)
==76355==    by 0xFD52EA7: NS_ProcessNextEvent(nsIThread*, bool) (nsThreadUtils.cpp:482)
==76355==    by 0x101E464C: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (MessagePump.cpp:333)
Flags: in-testsuite?
Group: media-core-security
Keywords: sec-low

Nils, who should take a look?

Rank: 10
Flags: needinfo?(drno)
Priority: -- → P2
Blocks: media-triage
Flags: needinfo?(drno)
Priority: P2 → P3

ffmpeg related issue.

No longer blocks: media-triage
Priority: P3 → P4
Severity: normal → S3

I would like to work on this issue and start working on it. Please assign to me if possible. Thanks.
