Closed
Bug 1535980
Opened 6 years ago
Closed 2 years ago
src/dom/media/webm/WebMDemuxer.cpp:392:28: runtime error: -8.27704e+259 is outside the range of representable values of type 'unsigned int'
Categories
(Core :: Audio/Video: Playback, defect, P2)
Core
Audio/Video: Playback
Tracking
()
RESOLVED
FIXED
107 Branch
People
(Reporter: tsmith, Assigned: az)
References
(Blocks 3 open bugs)
Details
(Keywords: csectype-undefined, testcase)
Attachments
(3 files)
Found in m-c commit 8ae5bb51b141
This was build with undefined behavior sanitizer checks enabled via mozconfig.
ac_add_options --enable-undefined-sanitizer="enum"
mozilla-central/dom/media/webm/WebMDemuxer.cpp:393:28: runtime error: -8.27704e+259 is outside the range of representable values of type 'unsigned int'
#0 0x7f595f0e0a85 in mozilla::WebMDemuxer::ReadMetadata() mozilla-central/dom/media/webm/WebMDemuxer.cpp:393:28
#1 0x7f595f0dea48 in mozilla::WebMDemuxer::Init() mozilla-central/dom/media/webm/WebMDemuxer.cpp:181:7
#2 0x7f595e90c553 in mozilla::MediaFormatReader::DemuxerProxy::Init()::$_15::operator()() const mozilla-central/dom/media/MediaFormatReader.cpp:898:47
#3 0x7f595e90c0d5 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_15, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() mozilla-central/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:1419:29
#4 0x7f5958a700a5 in mozilla::TaskQueue::Runner::Run() mozilla-central/xpcom/threads/TaskQueue.cpp:199:12
#5 0x7f5958aac20e in nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp:241:14
#6 0x7f5958aac79c in non-virtual thunk to nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp
#7 0x7f5958aa49c8 in nsThread::ProcessNextEvent(bool, bool*) mozilla-central/xpcom/threads/nsThread.cpp:1179:14
#8 0x7f5958aa9456 in NS_ProcessNextEvent(nsIThread*, bool) mozilla-central/xpcom/threads/nsThreadUtils.cpp:482:10
#9 0x7f5959c25a73 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) mozilla-central/ipc/glue/MessagePump.cpp:303:20
#10 0x7f5959ac0da4 in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:290:3
#11 0x7f5958a9ff8d in nsThread::ThreadFunc(void*) mozilla-central/xpcom/threads/nsThread.cpp:454:11
#12 0x7f597d08ed38 in _pt_root mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:201:5
Flags: in-testsuite?
|
||
Comment 1•6 years ago
|
||
Is there a test-case for this?
Prioritizing like bug 1532858.
Rank: 15
Flags: needinfo?(twsmith)
Priority: -- → P2
|
Reporter | |
Comment 2•6 years ago
|
||
I guess I forgot to attach it after unpacking it, sorry about that.
Flags: needinfo?(twsmith)
|
|
Reporter | |
Updated•6 years ago
|
status-firefox68:
--- → affected
status-firefox69:
--- → affected
|
|
Reporter | |
Comment 3•3 years ago
|
||
This is also caught by the float-cast-overflow UBSan check.
To enable this check add the following to your mozconfig:
ac_add_options --enable-undefined-sanitizer="float-cast-overflow"
Blocks: float-cast-overflow
status-firefox100:
--- → affected
status-firefox68:
affected → ---
status-firefox69:
affected → ---
status-firefox98:
--- → wontfix
status-firefox99:
--- → affected
status-firefox-esr91:
--- → affected
Summary: UBSan: value outside the range of representable values in [@ mozilla::WebMDemuxer::ReadMetadata] → src/dom/media/webm/WebMDemuxer.cpp:392:28: runtime error: -8.27704e+259 is outside the range of representable values of type 'unsigned int'
|
|
Reporter | |
Comment 4•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/DwiNny1wgIwYx-SqmOoePg/index.html
|
|
Reporter | |
Updated•3 years ago
|
status-firefox101:
--- → wontfix
status-firefox102:
--- → affected
status-firefox103:
--- → affected
status-firefox-esr102:
--- → affected
|
|
Reporter | |
Comment 5•3 years ago
|
||
This issue is currently triggered while fuzzing with the 'float-cast-overflow' UBSan check enabled. This issue will need to be addressed before the check can be enabled by default.
If it requires too much effort to fix immediately please ni? me and let me know. If necessary it will be added to a suppression list. Thank you :)
Flags: needinfo?(jmathies)
|
||
Updated•2 years ago
|
Blocks: media-triage
Flags: needinfo?(jmathies)
|
|
||
Updated•2 years ago
|
Flags: needinfo?(azebrowski)
|
|
||
Updated•2 years ago
|
No longer blocks: media-triage
|
Assignee | |
Comment 6•2 years ago
|
||
|
||
Updated•2 years ago
|
Assignee: nobody → azebrowski
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 7•2 years ago
|
||
Depends on D154176
|
|
||
Updated•2 years ago
|
Attachment #9295019 -
Attachment description: WIP: Bug 1535980 - Add crashtest for webm demuxer audio rate sanity check → Bug 1535980 - Add crashtest for webm demuxer audio rate sanity check
Pushed by azebrowski@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4c8dfff616b0
Ensure that the audio rate read by WebMDemuxer is correctly compared against the maximum allowable rate during metadata sanity checking to avoid out of range errors that could be produced by malformed media files. r=tsmith,media-playback-reviewers,alwu
https://hg.mozilla.org/integration/autoland/rev/2389cfd09084
Add crashtest for webm demuxer audio rate sanity check r=alwu
|
||
Comment 9•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/4c8dfff616b0
https://hg.mozilla.org/mozilla-central/rev/2389cfd09084
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox107:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(azebrowski)
|
||
Updated•2 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•