Chromium 83 on xenial − consistent renderer crash when playing back video

Bug #1881751 reported by Olivier Tilloy
Affects: chromium-browser (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Olivier Tilloy

Bug Description

I'm testing the latest stable release update for chromium-browser on xenial (83.0.4103.61-0ubuntu0.16.04.1 from ppa:canonical-chromium-builds/stage), and I'm observing that the renderer process consistently crashes when attempting to play back video.

This was reported by whoopsie as https://errors.ubuntu.com/oops/34ab8952-a4cc-11ea-9bfd-fa163e102db1.

The bionic build in the same PPA is not affected.

Revision history for this message
Olivier Tilloy (osomon) wrote :

This is the full stacktrace:

#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00005572c2032aee in length () at ../../buildtools/third_party/libc++/trunk/include/__string:217
#2 basic_string<nullptr_t> () at ../../buildtools/third_party/libc++/trunk/include/string:819
#3 Value () at ../../base/values.cc:217
#4 0x00005572bfb35e2c in Serialize () at ../../media/base/media_serializers_base.h:22
#5 MediaSerialize<char const*> () at ../../media/base/media_serializers_base.h:29
#6 Serialize () at ../../media/base/media_serializers.h:380
#7 MediaSerialize<base::Location> () at ../../media/base/media_serializers_base.h:29
#8 AddFrame () at ../../media/base/status.cc:69
#9 0x00005572bfb35db1 in Status () at ../../media/base/status.cc:19
#10 0x00005572bfbab4d1 in Initialize () at ../../media/filters/decrypting_video_decoder.cc:58
#11 0x00005572bfba514a in InitializeDecoder () at ../../media/filters/decoder_stream_traits.cc:186
#12 0x00005572bfb9ad70 in InitializeDecoder () at ../../media/filters/decoder_selector.cc:154
#13 0x00005572bfb9aa32 in SelectDecoder () at ../../media/filters/decoder_selector.cc:91
#14 0x00005572bfb9c956 in SelectDecoder () at ../../media/filters/decoder_stream.cc:321
#15 0x00005572bfb9c807 in Initialize () at ../../media/filters/decoder_stream.cc:172
#16 0x00005572bfbebb43 in Initialize () at ../../media/renderers/video_renderer_impl.cc:208
#17 0x00005572bfbe85e1 in InitializeVideoRenderer () at ../../media/renderers/renderer_impl.cc:448
#18 0x00005572bfb209f1 in Run () at ../../base/callback.h:98
#19 Invoke<base::OnceCallback<void (media::PipelineStatus)>, media::PipelineStatus> ()
    at ../../base/bind_internal.h:584
#20 MakeItSo<base::OnceCallback<void (media::PipelineStatus)>, media::PipelineStatus> ()
    at ../../base/bind_internal.h:623
#21 RunImpl<base::OnceCallback<void (media::PipelineStatus)>, std::__1::tuple<media::PipelineStatus>, 0> ()
    at ../../base/bind_internal.h:696
#22 RunOnce () at ../../base/bind_internal.h:665
#23 0x00005572bf0f3a1c in Run () at ../../base/callback.h:98
#24 RunTask () at ../../base/task/common/task_annotator.cc:142
#25 0x00005572bf0f98f8 in DoWorkImpl ()
    at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:324
#26 0x00005572c200c7af in DoWork () at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:248
#27 0x00005572c1fc8fb6 in Run () at ../../base/message_loop/message_pump_default.cc:39
#28 0x00005572c200c95f in Run () at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:429
#29 0x00005572c1fea7c9 in Run () at ../../base/run_loop.cc:124
#30 0x00005572c20178bb in ThreadMain () at ../../base/threading/thread.cc:380
#31 0x00005572c204f8a5 in ThreadFunc () at ../../base/threading/platform_thread_posix.cc:81
#32 0x00007ff7bbc826ba in start_thread (arg=0x7ff790b39700) at pthread_create.c:333
#33 0x00007ff7b57dd41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Revision history for this message
Olivier Tilloy (osomon) wrote :

At frame #6, in Serialize() (media/base/media_serializers.h:380):

    FIELD_SERIALIZE("file", value.file_name());

It appears that value.file_name() is nullptr (which is subsequently causing the Value(const char*) constructor to crash).
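
The crash path in frames #0 to #8, reduced to a runnable illustration. This is an added example, not Chromium's code: `Location`, `ValueFromCString`, `SerializeUnchecked`, `SerializeChecked` and `WouldCrash` are stand-ins named for this example, and the `"<null>"` placeholder is this example's choice, not the upstream fix. The point it shows is that a `const char*` handed to a `std::string` (or `base::Value(const char*)`) constructor is dereferenced via `strlen()` without any null check, so the caller that owns the pointer is the place to guard it.

```cpp
#include <cstdio>
#include <string>

// Stand-in for base::Location (assumption for this example): file_name()
// returns a const char* that, as in the trace above, can be nullptr.
struct Location {
    const char* file;
    int line;
    const char* file_name() const { return file; }
};

// Stand-in for base::Value's (const char*) constructor. Like libc++'s
// std::string(const char*), it calls strlen() on the pointer, so a null
// pointer is undefined behaviour and in practice a SIGSEGV in strlen().
// This is the path frames #0 to #3 of the trace go through.
std::string ValueFromCString(const char* s) {
    return std::string(s);  // crashes when s == nullptr
}

// Serializer as the trace shows it: passes file_name() straight through.
// Never call this with a Location whose file_name() is null.
std::string SerializeUnchecked(const Location& loc) {
    return "file=" + ValueFromCString(loc.file_name());
}

// Hardened serializer: test the pointer before it reaches the std::string
// constructor and emit an explicit placeholder instead of dereferencing it.
std::string SerializeChecked(const Location& loc) {
    const char* name = loc.file_name();
    std::string file = name ? ValueFromCString(name) : std::string("<null>");
    return "file=" + file;
}

// True when a Location would crash SerializeUnchecked(); usable as a
// pre-check, or as the condition of a DCHECK inside the serializer.
bool WouldCrash(const Location& loc) {
    return loc.file_name() == nullptr;
}

int main() {
    // Constructed sample inputs: one normal location, one with a null file name.
    Location ok{"../../media/filters/decrypting_video_decoder.cc", 58};
    Location bad{nullptr, 0};
    std::printf("%s\n", SerializeChecked(ok).c_str());
    std::printf("%s (WouldCrash=%d)\n", SerializeChecked(bad).c_str(), WouldCrash(bad));
    return 0;
}
```

Compile with any C++11 compiler; the unchecked path is left in deliberately so the two serializers can be compared side by side, but only the checked one is ever given the null location.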

Revision history for this message
Olivier Tilloy (osomon) wrote :
Changed in chromium-browser (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 84.0.4147.105-0ubuntu0.16.04.1

---------------
chromium-browser (84.0.4147.105-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 84.0.4147.105
    - CVE-2020-6537: Type Confusion in V8.
    - CVE-2020-6538: Inappropriate implementation in WebView.
    - CVE-2020-6532: Use after free in SCTP.
    - CVE-2020-6539: Use after free in CSS.
    - CVE-2020-6540: Heap buffer overflow in Skia.
    - CVE-2020-6541: Use after free in WebUSB.

 -- Olivier Tilloy <email address hidden> Tue, 28 Jul 2020 11:21:33 +0200

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released