Closed Bug 1378450 Opened 7 years ago Closed 7 years ago

AOM: global-buffer-overflow in av1_warp_affine_ssse3

Categories

(Core :: Audio/Video: Playback, defect, P2)

55 Branch
defect

Tracking

()

RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- disabled
firefox56 --- disabled
firefox57 --- disabled
firefox58 --- fixed

People

(Reporter: tsmith, Assigned: rillian)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

Attached video test_case.webm
==26834==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa3c6cd0e90 at pc 0x7fa3c1892d37 bp 0x7fa38e139bd0 sp 0x7fa38e139bc8
READ of size 16 at 0x7fa3c6cd0e90 thread T59 (MediaPD~oder #2)
    #0 0x7fa3c1892d36 in av1_warp_affine_ssse3 third_party/aom/av1/common/x86/warp_plane_ssse3.c:413:31
    #1 0x7fa3c17b2fa5 in warp_plane third_party/aom/av1/common/warped_motion.c:1360:5
    #2 0x7fa3c17b252b in av1_warp_plane third_party/aom/av1/common/warped_motion.c:1457:5
    #3 0x7fa3c179053a in av1_make_inter_predictor third_party/aom/av1/common/reconinter.h:428:5
    #4 0x7fa3c1793666 in build_inter_predictors third_party/aom/av1/common/reconinter.c:1195:9
    #5 0x7fa3c1794470 in build_inter_predictors_for_planes third_party/aom/av1/common/reconinter.c:1338:7
    #6 0x7fa3c1794fbe in av1_build_inter_predictors_sb third_party/aom/av1/common/reconinter.c:1393:3
    #7 0x7fa3c18a1a69 in decode_token_and_recon_block third_party/aom/av1/decoder/decodeframe.c:1901:5
    #8 0x7fa3c18a1a69 in decode_block third_party/aom/av1/decoder/decodeframe.c:2074
    #9 0x7fa3c18a09c5 in decode_partition third_party/aom/av1/decoder/decodeframe.c:2213:9
    #10 0x7fa3c18a0946 in decode_partition third_party/aom/av1/decoder/decodeframe.c:2271:9
    #11 0x7fa3c18a0961 in decode_partition third_party/aom/av1/decoder/decodeframe.c:2276:9
    #12 0x7fa3c189bafc in decode_tiles third_party/aom/av1/decoder/decodeframe.c:3655:11
    #13 0x7fa3c189bafc in av1_decode_frame third_party/aom/av1/decoder/decodeframe.c:5173
    #14 0x7fa3c18b8c58 in av1_receive_compressed_data third_party/aom/av1/decoder/decoder.c:439:3
    #15 0x7fa3c170159a in frame_worker_hook third_party/aom/av1/av1_dx_iface.c:322:31
    #16 0x7fa3c16e96a6 in execute third_party/aom/aom_util/aom_thread.c:134:27
    #17 0x7fa3c1700ecb in decode_one third_party/aom/av1/av1_dx_iface.c:495:5
    #18 0x7fa3c16fa25f in decoder_decode third_party/aom/av1/av1_dx_iface.c:669:13
    #19 0x7fa3c14367fb in aom_codec_decode third_party/aom/aom/src/aom_decoder.c:116:11
    #20 0x7fa3bee8845d in mozilla::AOMDecoder::ProcessDecode(mozilla::MediaRawData*) dom/media/platforms/agnostic/AOMDecoder.cpp:119:27
    #21 0x7fa3beeb86e3 in applyImpl<mozilla::AOMDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::AOMDecoder::*)(mozilla::MediaRawData *), StoreRefPtrPassByPtr<mozilla::MediaRawData> , 0> obj-firefox/dist/include/nsThreadUtils.h:1138:12
    #22 0x7fa3beeb86e3 in apply<mozilla::AOMDecoder, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::AOMDecoder::*)(mozilla::MediaRawData *)> obj-firefox/dist/include/nsThreadUtils.h:1144
    #23 0x7fa3beeb86e3 in Invoke obj-firefox/dist/include/mozilla/MozPromise.h:1369
    #24 0x7fa3beeb86e3 in mozilla::detail::ProxyRunnable<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::AOMDecoder::*)(mozilla::MediaRawData*), mozilla::AOMDecoder, mozilla::MediaRawData*>::Run() obj-firefox/dist/include/mozilla/MozPromise.h:1394
    #25 0x7fa3b9a9be94 in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:246:12
    #26 0x7fa3b9acd558 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:225:14
    #27 0x7fa3b9acdc9c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:154:15
    #28 0x7fa3b9ac3b3a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1437:14
    #29 0x7fa3b9ac9cd8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:489:10
    #30 0x7fa3ba8ad410 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:339:20
    #31 0x7fa3ba808a60 in RunInternal ipc/chromium/src/base/message_loop.cc:320:10
    #32 0x7fa3ba808a60 in RunHandler ipc/chromium/src/base/message_loop.cc:313
    #33 0x7fa3ba808a60 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:293
    #34 0x7fa3b9abb7fd in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:506:11
    #35 0x7fa3d4342423 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:216:5
    #36 0x7fa3d793a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #37 0x7fa3d69c33dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x7fa3c6cd0e90 is located 128 bytes to the right of global variable 'warped_filter' defined in 'third_party/aom/av1/common/warped_motion.c:507:15' (0x7fa3c6cd0200) of size 3088
SUMMARY: AddressSanitizer: global-buffer-overflow third_party/aom/av1/common/x86/warp_plane_ssse3.c:413:31 in av1_warp_affine_ssse3
Shadow bytes around the buggy address:
  0x0ff4f8d92180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4f8d92190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4f8d921a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4f8d921b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4f8d921c0: 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0ff4f8d921d0: f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ff4f8d921e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ff4f8d921f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ff4f8d92200: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ff4f8d92210: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ff4f8d92220: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T59 (MediaPD~oder #2) created by T53 (MediaPl~back #1) here:
    #0 0x4a3dc6 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x7fa3d433f1c9 in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7fa3d433edde in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7fa3b9abdd5e in nsThread::Init(nsACString const&) xpcom/threads/nsThread.cpp:688:8
    #4 0x7fa3b9ac8e8f in nsThreadManager::NewNamedThread(nsACString const&, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:273:22
    #5 0x7fa3b9acbd0b in NS_NewNamedThread xpcom/threads/nsThreadUtils.cpp:113:45
    #6 0x7fa3b9acbd0b in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:107
    #7 0x7fa3b9acdf99 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:274:5
    #8 0x7fa3b9aa48e1 in mozilla::SharedThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) obj-firefox/dist/include/mozilla/SharedThreadPool.h:71:68
    #9 0x7fa3b9a9ac0e in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) xpcom/threads/TaskQueue.cpp:128:26
    #10 0x7fa3b9aa5702 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) obj-firefox/dist/include/mozilla/TaskQueue.h:71:21
    #11 0x7fa3beb130ae in mozilla::AutoTaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) obj-firefox/dist/include/AutoTaskQueue.h:43:17
    #12 0x7fa3beb2f3de in mozilla::MediaFormatReader::DemuxerProxy::Wrapper::Reset() dom/media/MediaFormatReader.cpp:929:17
    #13 0x7fa3beacbc7e in mozilla::MediaFormatReader::DecoderData::ResetDemuxer() dom/media/MediaFormatReader.h:335:22
    #14 0x7fa3beae7298 in mozilla::MediaFormatReader::ResetDecode(mozilla::EnumSet<mozilla::TrackInfo::TrackType>) dom/media/MediaFormatReader.cpp:2537:12
    #15 0x7fa3bea6cbfb in applyImpl<mozilla::MediaDecoderReader, nsresult (mozilla::MediaDecoderReader::*)(mozilla::EnumSet<mozilla::TrackInfo::TrackType>), StoreCopyPassByConstLRef<mozilla::EnumSet<mozilla::TrackInfo::TrackType> > , 0> obj-firefox/dist/include/nsThreadUtils.h:1138:12
    #16 0x7fa3bea6cbfb in apply<mozilla::MediaDecoderReader, nsresult (mozilla::MediaDecoderReader::*)(mozilla::EnumSet<mozilla::TrackInfo::TrackType>)> obj-firefox/dist/include/nsThreadUtils.h:1144
    #17 0x7fa3bea6cbfb in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::MediaDecoderReader> const, nsresult (mozilla::MediaDecoderReader::*)(mozilla::EnumSet<mozilla::TrackInfo::TrackType>), true, (mozilla::RunnableKind)0, mozilla::EnumSet<mozilla::TrackInfo::TrackType> >::Run() obj-firefox/dist/include/nsThreadUtils.h:1187
    #18 0x7fa3b9aaa078 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() obj-firefox/dist/include/mozilla/TaskDispatcher.h:209:37
    #19 0x7fa3b9a9be94 in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:246:12
    #20 0x7fa3b9acd558 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:225:14
    #21 0x7fa3b9acdc9c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:154:15
    #22 0x7fa3b9ac3b3a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1437:14
    #23 0x7fa3b9ac9cd8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:489:10
    #24 0x7fa3ba8ad410 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:339:20
    #25 0x7fa3ba808a60 in RunInternal ipc/chromium/src/base/message_loop.cc:320:10
    #26 0x7fa3ba808a60 in RunHandler ipc/chromium/src/base/message_loop.cc:313
    #27 0x7fa3ba808a60 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:293
    #28 0x7fa3b9abb7fd in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:506:11
    #29 0x7fa3d4342423 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:216:5
    #30 0x7fa3d793a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T53 (MediaPl~back #1) created by T0 here:
    #0 0x4a3dc6 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x7fa3d433f1c9 in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7fa3d433edde in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7fa3b9abdd5e in nsThread::Init(nsACString const&) xpcom/threads/nsThread.cpp:688:8
    #4 0x7fa3b9ac8e8f in nsThreadManager::NewNamedThread(nsACString const&, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:273:22
    #5 0x7fa3b9acbd0b in NS_NewNamedThread xpcom/threads/nsThreadUtils.cpp:113:45
    #6 0x7fa3b9acbd0b in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:107
    #7 0x7fa3b9acdf99 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:274:5
    #8 0x7fa3b9aa48e1 in mozilla::SharedThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) obj-firefox/dist/include/mozilla/SharedThreadPool.h:71:68
    #9 0x7fa3b9a9ac0e in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) xpcom/threads/TaskQueue.cpp:128:26
    #10 0x7fa3b9aa5702 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) obj-firefox/dist/include/mozilla/TaskQueue.h:71:21
    #11 0x7fa3b9aa9c5c in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) obj-firefox/dist/include/mozilla/TaskDispatcher.h:261:13
    #12 0x7fa3b9aa820c in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() obj-firefox/dist/include/mozilla/TaskDispatcher.h:91:7
    #13 0x7fa3b9aa7fc0 in reset obj-firefox/dist/include/mozilla/Maybe.h:446:17
    #14 0x7fa3b9aa7fc0 in mozilla::EventTargetWrapper::FireTailDispatcher() xpcom/threads/AbstractThread.cpp:95
    #15 0x7fa3b9aab1c2 in applyImpl<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> obj-firefox/dist/include/nsThreadUtils.h:1138:12
    #16 0x7fa3b9aab1c2 in apply<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> obj-firefox/dist/include/nsThreadUtils.h:1144
    #17 0x7fa3b9aab1c2 in mozilla::detail::RunnableMethodImpl<mozilla::EventTargetWrapper*, void (mozilla::EventTargetWrapper::*)(), true, (mozilla::RunnableKind)0>::Run() obj-firefox/dist/include/nsThreadUtils.h:1187
    #18 0x7fa3b993ee53 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() xpcom/base/CycleCollectedJSContext.cpp:309:12
    #19 0x7fa3bb30b7fd in XPCJSContext::AfterProcessTask(unsigned int) js/xpconnect/src/XPCJSContext.cpp:1007:30
    #20 0x7fa3b9ac4066 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1453:24
    #21 0x7fa3b9ac9cd8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:489:10
    #22 0x7fa3ba8ac071 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97:21
    #23 0x7fa3ba808a60 in RunInternal ipc/chromium/src/base/message_loop.cc:320:10
    #24 0x7fa3ba808a60 in RunHandler ipc/chromium/src/base/message_loop.cc:313
    #25 0x7fa3ba808a60 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:293
    #26 0x7fa3bfeaf84f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #27 0x7fa3c3f0df31 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:287:30
    #28 0x7fa3c40dce44 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4589:22
    #29 0x7fa3c40de9b0 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4772:8
    #30 0x7fa3c40dfd01 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4867:21
    #31 0x4eb613 in do_main browser/app/nsBrowserApp.cpp:237:22
    #32 0x4eb613 in main browser/app/nsBrowserApp.cpp:310
    #33 0x7fa3d68dc82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

==26834==ABORTING
[Exit code: -6]
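The report above carries the three facts a triager needs: the error kind and size of the access, the faulting stack, and where the address sits relative to a named global. As an added example (not code from this bug, from Mozilla or from the AOM project), the Python below parses those parts out of an ASan report, cross-checks the "N bytes to the right of" distance against the raw addresses, and finds the first frame outside third-party code, which is the hand-off point the later comment on this bug points at. The embedded report is a constructed excerpt of the one posted here, with frames #3 to #18 and the thread-creation stacks dropped; the `third_party/` path prefix is an assumption about the tree layout, taken from the paths in the trace.

```python
"""Triage helper for AddressSanitizer reports (added example, not Mozilla/AOM code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the ASan report from this bug (frames #3-#18 and the
# thread-creation stacks omitted). Frame numbers are kept as in the original.
SAMPLE_REPORT = """\
==26834==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa3c6cd0e90 at pc 0x7fa3c1892d37 bp 0x7fa38e139bd0 sp 0x7fa38e139bc8
READ of size 16 at 0x7fa3c6cd0e90 thread T59 (MediaPD~oder #2)
    #0 0x7fa3c1892d36 in av1_warp_affine_ssse3 third_party/aom/av1/common/x86/warp_plane_ssse3.c:413:31
    #1 0x7fa3c17b2fa5 in warp_plane third_party/aom/av1/common/warped_motion.c:1360:5
    #2 0x7fa3c17b252b in av1_warp_plane third_party/aom/av1/common/warped_motion.c:1457:5
    #19 0x7fa3c14367fb in aom_codec_decode third_party/aom/aom/src/aom_decoder.c:116:11
    #20 0x7fa3bee8845d in mozilla::AOMDecoder::ProcessDecode(mozilla::MediaRawData*) dom/media/platforms/agnostic/AOMDecoder.cpp:119:27
0x7fa3c6cd0e90 is located 128 bytes to the right of global variable 'warped_filter' defined in 'third_party/aom/av1/common/warped_motion.c:507:15' (0x7fa3c6cd0200) of size 3088
SUMMARY: AddressSanitizer: global-buffer-overflow third_party/aom/av1/common/x86/warp_plane_ssse3.c:413:31 in av1_warp_affine_ssse3
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
# "#N 0xADDR in <function, may contain spaces> <location>"; location is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+([^\n]*?)[ \t]+(\S+)[ \t]*$", re.M)
GLOBAL_RE = re.compile(
    r"0x[0-9a-f]+ is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' defined in '[^']+' \((0x[0-9a-f]+)\) of size (\d+)")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line:col" or "(module+offset)"


@dataclass
class AsanReport:
    kind: str
    fault_address: int
    access: Optional[str] = None         # READ or WRITE
    access_size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)
    global_name: Optional[str] = None
    global_base: Optional[int] = None
    global_size: Optional[int] = None
    distance: Optional[int] = None       # bytes ASan reports from the object
    side: Optional[str] = None           # "left" or "right" of the object


def parse_asan_report(text: str) -> AsanReport:
    """Extract error kind, faulting access, faulting stack and the global
    variable description from one ASan report."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer error report")
    report = AsanReport(kind=m.group(1), fault_address=int(m.group(2), 16))
    a = ACCESS_RE.search(text)
    if a:
        report.access, report.access_size = a.group(1), int(a.group(2))
    g = GLOBAL_RE.search(text)
    # Only frames before the "is located" line belong to the faulting stack;
    # anything after it describes thread creation, not the fault.
    head = text[: g.start()] if g else text
    report.frames = [Frame(int(i), fn, loc) for i, fn, loc in FRAME_RE.findall(head)]
    if g:
        report.distance, report.side = int(g.group(1)), g.group(2)
        report.global_name = g.group(3)
        report.global_base = int(g.group(4), 16)
        report.global_size = int(g.group(5))
    return report


def overflow_geometry(report: AsanReport):
    """Return (offset of the fault from the global's base, bytes past its end,
    whether that agrees with the distance ASan printed)."""
    if report.global_base is None or report.global_size is None:
        raise ValueError("report does not describe a global variable")
    offset = report.fault_address - report.global_base
    past_end = offset - report.global_size
    consistent = report.side == "right" and past_end == report.distance
    return offset, past_end, consistent


def first_frame_outside(report: AsanReport, prefix: str = "third_party/") -> Optional[Frame]:
    """First frame whose source path is not under `prefix` (assumed layout):
    the point where the embedding application hands data to the library."""
    for f in report.frames:
        if not f.location.startswith(prefix):
            return f
    return None


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    off, past, ok = overflow_geometry(r)
    print(f"{r.kind}: {r.access} of {r.access_size} bytes in {r.frames[0].function}")
    print(f"{past} bytes past the end of '{r.global_name}' (offset {off}, matches ASan: {ok})")
    print(f"library entered from {first_frame_outside(r).function}")
```

Running it on the excerpt reports a 16-byte read 128 bytes past the end of the 3088-byte `warped_filter` table, in agreement with ASan's own arithmetic, and names `mozilla::AOMDecoder::ProcessDecode` as the frame where Gecko hands the buffer to libaom.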
Related to bug 1378518 I wonder?
I can take a look at this after I finish my current stylo blocker.
I haven't gotten to this and am away this week. Gerald, do you have time to take a look?
Flags: needinfo?(giles) → needinfo?(gsquelart)
> #19 0x7fa3c14367fb in aom_codec_decode third_party/aom/aom/src/aom_decoder.c:116:11
> #20 0x7fa3bee8845d in mozilla::AOMDecoder::ProcessDecode(mozilla::MediaRawData*) dom/media/platforms/agnostic/AOMDecoder.cpp:119:27

We're just handing a data buffer over to aom_codec_decode(), so I think the issue is in the 3rd party code, which I guess is missing some safety checks along the way...

Tim, could you please have a look, and hand over to the appropriate people working on this?

(Just in case it's not obvious: This is a file produced through fuzzing, so it's most probably invalid; the decoder should fail graciously in this case.)
Flags: needinfo?(gsquelart) → needinfo?(tterribe)
I believe there is a patch up to fix this upstream here: https://bugs.chromium.org/p/aomedia/issues/detail?id=712
Flags: needinfo?(tterribe)
Looks like the upstream issue is resolved. Can we look into cherry-picking their fix or updating to a newer rev from upstream now? https://aomedia.googlesource.com/aom/+/5c73c003e7cc63aeed0647a434a8bb4462e05460
Has Regression Range: --- → yes
Flags: needinfo?(kinetik)
Flags: needinfo?(giles)
Version: Trunk → 55 Branch
Yes, that would be good. I've been working on an update. Hopefully next week.
Flags: needinfo?(giles)
Flags: needinfo?(kinetik)
Hi Anthony: I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them. Thanks! Wennie
Assignee: nobody → ajones
Flags: needinfo?(ajones)
AV1 is a nightly only feature so I've updated the flags accordingly. This issue has been fixed upstream and Ralph will be handling the update.
Assignee: ajones → nobody
Flags: needinfo?(ajones) → needinfo?(giles)
Flags: needinfo?(giles)
This is resolved by bug 1413734. Thanks for the report!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Assignee: nobody → giles
Target Milestone: --- → mozilla58
Group: media-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release