Your message dated Wed, 28 Jan 2015 13:17:56 +0900
with message-id <[email protected]>
and subject line Re: Bug#776423: iceweasel: OOM on OGG file
has caused the Debian Bug report #776423,
regarding iceweasel: OOM on OGG file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
776423: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776423
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iceweasel
Version: 35.0-1
Usertags: afl
Iceweasel runs out of memory and crashes on the attached OGG file:
$ ulimit -v 1000000
$ iceweasel oom.ogg
(process:4029): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size
== 0' failed
out of memory: 0x000000004B139378 bytes requested
Segmentation fault (core dumped)
This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages iceweasel depends on:
ii debianutils 4.4+b1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-13
ii libcairo2 1.14.0-2.1
ii libdbus-1-3 1.8.14-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-2
ii libgcc1 1:4.9.2-10
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.42.1-1
ii libgtk2.0-0 2.24.25-1
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.7-1
ii libnss3 2:3.17.2-1.1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.7.4-1
ii libstartup-notification0 0.12-4
ii libstdc++6 4.9.2-10
ii libvpx1 1.3.0-3
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-8
ii zlib1g 1:1.2.8.dfsg-2+b1
--
Jakub Wilk
oom.ogg
Description: audio/ogg
--- End Message ---
--- Begin Message ---
On Tue, Jan 27, 2015 at 10:58:44PM +0100, Jakub Wilk wrote:
> Package: iceweasel
> Version: 35.0-1
> Usertags: afl
>
> Iceweasel runs out of memory and crashes on the attached OGG file:
>
> $ ulimit -v 1000000
> $ iceweasel oom.ogg
>
> (process:4029): GLib-CRITICAL **: g_slice_set_config: assertion
> 'sys_page_size == 0' failed
> out of memory: 0x000000004B139378 bytes requested
> Segmentation fault (core dumped)
That's an error allocating a 1.2GB buffer for whatever reason your
fuzzed ogg triggers. I'd say crashing in that case is the right thing to
do, especially considering you're ulimitting under 1GiB.
Your file gives a sample rate of 1768059503 and 118 channels. While it
could be argued that iceweasel could gracefully reject those, the
current behavior is "fine".
If you feel strongly about getting this fixed, please file an upstream
bug.
Mike
--- End Message ---
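As an added example, not code from the bug report, Iceweasel or libvorbis: a C sketch of the graceful rejection Mike mentions, parsing the Vorbis identification header and refusing to size a buffer from a sample rate or channel count outside sane bounds. The limits, the one-second float-PCM size formula and both 30-byte headers are constructed for this example; the fuzzed header carries the rate and channel count quoted in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical sanity limits for this example (not Firefox's or libvorbis's). */
#define MAX_CHANNELS     8u
#define MAX_SAMPLE_RATE  192000u
#define MAX_BUFFER_BYTES (64u * 1024u * 1024u)   /* cap on a single PCM buffer */

struct vorbis_ident { uint8_t channels; uint32_t sample_rate; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vorbis identification header (30 bytes, little-endian): 0x01 "vorbis" version:u32
   channels:u8 sample_rate:u32 bitrate max/nominal/min:i32 blocksizes:u8 framing:u8. */
int parse_vorbis_ident(const uint8_t *buf, size_t len, struct vorbis_ident *out) {
    if (len < 30 || buf[0] != 0x01 || memcmp(buf + 1, "vorbis", 6) != 0 || !(buf[29] & 1))
        return -1;
    out->channels = buf[11];
    out->sample_rate = rd_le32(buf + 12);
    return 0;
}

/* Stand-in for a trusting decoder: one second of float PCM sized straight from
   the header fields, whatever they say. Returns 0 only if the header is malformed. */
uint64_t naive_buffer_size(const uint8_t *hdr, size_t len) {
    struct vorbis_ident id;
    if (parse_vorbis_ident(hdr, len, &id) != 0) return 0;
    return (uint64_t)id.sample_rate * id.channels * sizeof(float);
}

/* Same size, but out-of-range fields or a product over the cap mean "corrupt
   stream, reject" (returns 0); the 64-bit product cannot wrap on the way. */
size_t checked_buffer_size(const uint8_t *hdr, size_t len) {
    struct vorbis_ident id;
    if (parse_vorbis_ident(hdr, len, &id) != 0) return 0;
    if (id.channels == 0 || id.channels > MAX_CHANNELS) return 0;
    if (id.sample_rate == 0 || id.sample_rate > MAX_SAMPLE_RATE) return 0;
    uint64_t bytes = naive_buffer_size(hdr, len);
    return bytes > MAX_BUFFER_BYTES ? 0 : (size_t)bytes;
}

/* Constructed headers: 44100 Hz stereo, and one carrying the values from the reply
   (channels 0x76 = 118, rate 0x6962726F = 1768059503, i.e. the bytes 'v' and 'orbi'). */
const uint8_t SANE_HDR[30] = {1,'v','o','r','b','i','s', 0,0,0,0, 2, 0x44,0xAC,0,0,
                              0,0,0,0, 0,0,0,0, 0,0,0,0, 0xB8, 1};
const uint8_t FUZZ_HDR[30] = {1,'v','o','r','b','i','s', 0,0,0,0, 0x76, 'o','r','b','i',
                              0,0,0,0, 0,0,0,0, 0,0,0,0, 0xB8, 1};
```

With the reply's values the trusting computation asks for over 800 GB, while the checked version rejects the stream before any allocation is attempted.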