WebKit Bugzilla
Bug 289974 - [GTK] Crash in WebCore::PlatformRawAudioDataGStreamer::duration()
https://bugs.webkit.org/show_bug.cgi?id=289974
Status: RESOLVED DUPLICATE of bug 289946

Reported by pubmailaddr, 2025-03-18 10:15:03 PDT

Created attachment 474610 [details]
testcase to trigger crash

Version: webkitgtk-2.48.0 (latest stable version)
OS: Linux/ubuntu

Steps to reproduce:
1. Build the default version of webkitgtk-2.48.0.
2. Open the testcase 154.html attached below with the webkitgtk MiniBrowser.
3. Within several seconds, WebProcess crashes with the following log info:

** (MiniBrowser:2374592): WARNING **: 17:06:10.042: WebProcess CRASHED

Stacktrace:
addr2line: DWARF error: invalid or unhandled FORM value: 0x23
addr2line: DWARF error: invalid or unhandled FORM value: 0x23
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==2==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7d74deefe0b5 bp 0x7ffc7665b3b0 sp 0x7ffc7665b370 T2)
==2==The signal is caused by a READ memory access.
==2==Hint: address points to the zero page.
==2==WARNING: invalid path to external symbolizer!
==2==WARNING: Failed to use and restart external symbolizer!
    #0 0x7d74deefe0b5 in WebCore::PlatformRawAudioDataGStreamer::duration() const UnifiedSource-3c72abbe-20.cpp:?
    #1 0x7d74dbd3d723 in WebCore::WebCodecsAudioData::duration() UnifiedSource-f8afad56-57.cpp:?
    #2 0x7d74dae46db3 in WebCore::jsWebCodecsAudioData_durationGetter(JSC::JSGlobalObject&, WebCore::JSWebCodecsAudioData&) UnifiedSource-3a52ce78-170.cpp:?
    #3 0x7d74dae13d7a in long WebCore::IDLAttribute<WebCore::JSWebCodecsAudioData>::get<&WebCore::jsWebCodecsAudioData_timestampGetter, (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long, JSC::PropertyName) UnifiedSource-3a52ce78-170.cpp:?
    #4 0x7d74dae13bc0 in long WebCore::IDLAttribute<WebCore::JSWebCodecsAudioData>::get<&WebCore::jsWebCodecsAudioData_durationGetter, (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long, JSC::PropertyName) UnifiedSource-3a52ce78-170.cpp:?
    #5 0x7d74ca3c280d in JSC::JSCustomGetterFunction::propertyName() const UnifiedSource-f2e18ffc-20.cpp:?
    #6 0x7d74ca7c2ade in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const ??:?
    #7 0x7d74c7da91a9 in JSC::JSCallbackObject<JSC::JSAPIWrapperGlobalObject>::asCallbackObject(long) JSAPIWrapperGlobalObject.cpp:?
    #8 0x7d74c7db4f26 in JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const JSCCallbackFunction.cpp:?
    #9 0x7d74c9dad671 in JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) UnifiedSource-6e4525b9-1.cpp:?
    #10 0x7d74c9dad396 in llint_slow_path_get_by_id UnifiedSource-6e4525b9-1.cpp:?
    #11 0x7d74c7cfe3e5 in llint_op_get_by_id LowLevelInterpreter.cpp:?
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/rdfuzz/tmp/WebKit/WebKitBuild/GTK/Debug/lib/libwebkitgtk-6.0.so.4+0x11efe0b5) (BuildId: 43de4f3453231a55)
==2==ABORTING
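The report above is a fuzzer-found SEGV whose faulting address (0x48) lies in the zero page, i.e. a null object pointer plus a field offset, reached from the WebCodecs AudioData.duration getter. The script below is an added crash-triage example, not part of this bug report or of WebKit: it pulls the sanitizer name, signal, fault address, access type and frames out of a sanitizer report and classifies the crash by how controllable the faulting address is. Its first sample input is the report's own lines reduced to the ones the parser needs; the second (AddressSanitizer, address 0x4141..., hypothetical_frame) is constructed to exercise the wild-pointer branch and does not come from the page. The 4 KiB zero-page size and the category names are the example's own assumptions, and the result is a first-pass heuristic rather than a proof of exploitability either way.

```python
"""Triage a sanitizer crash report: extract the fault address, access type and
top frames, then classify the crash by how controllable the faulting address is."""
import re

# Sample input: lines taken from the UBSan report in bug 289974, trimmed to what
# the parser needs.
SAMPLE_REPORT = """\
==2==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7d74deefe0b5 bp 0x7ffc7665b3b0 sp 0x7ffc7665b370 T2)
==2==The signal is caused by a READ memory access.
==2==Hint: address points to the zero page.
    #0 0x7d74deefe0b5 in WebCore::PlatformRawAudioDataGStreamer::duration() const UnifiedSource-3c72abbe-20.cpp:?
    #1 0x7d74dbd3d723 in WebCore::WebCodecsAudioData::duration() UnifiedSource-f8afad56-57.cpp:?
    #2 0x7d74dae46db3 in WebCore::jsWebCodecsAudioData_durationGetter(JSC::JSGlobalObject&, WebCore::JSWebCodecsAudioData&) UnifiedSource-3a52ce78-170.cpp:?
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/rdfuzz/tmp/WebKit/WebKitBuild/GTK/Debug/lib/libwebkitgtk-6.0.so.4+0x11efe0b5) (BuildId: 43de4f3453231a55)
"""

# Constructed, hypothetical report (not from the bug) showing a write through a
# attacker-looking address, which must not be filed away as a simple null deref.
WILD_WRITE_REPORT = """\
==7==ERROR: AddressSanitizer: SEGV on unknown address 0x4141414141414141 (pc 0x0000deadbeef bp 0x0 sp 0x0 T0)
==7==The signal is caused by a WRITE memory access.
    #0 0x0000deadbeef in hypothetical_frame() example.cpp:1
"""

ERROR_RE = re.compile(r"ERROR: (\w+Sanitizer): (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)$")

PAGE_SIZE = 0x1000  # assumption: 4 KiB page zero, matching the sanitizer's "zero page" hint


def parse_report(text):
    """Return sanitizer, signal, fault address (int), access type and frames."""
    info = {"sanitizer": None, "signal": None, "address": None, "access": None, "frames": []}
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m and info["sanitizer"] is None:  # first ERROR line only; SUMMARY has no "ERROR:"
            info["sanitizer"], info["signal"] = m.group(1), m.group(2)
            info["address"] = int(m.group(3), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            info["access"] = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            # Function names contain spaces ("duration() const", template arguments),
            # so only the trailing source-location token is split off.
            func, _, location = m.group(2).rpartition(" ")
            if not func:
                func, location = location, "?"
            info["frames"].append((int(m.group(1)), func, location))
    return info


def classify(info):
    """Heuristic severity bucket from the fault address and access type."""
    addr, access = info["address"], info["access"]
    if addr is None or info["signal"] != "SEGV":
        return "not-a-segv"  # e.g. an ASan-reported overflow: its own type already says what it is
    if addr < PAGE_SIZE:
        # Small absolute address = null object pointer plus a field offset (0x48 = 72 here).
        # A read through it is a deterministic crash of the process, not memory corruption;
        # a write through it still merits a look, so it gets its own bucket.
        return "null-deref-read" if access == "READ" else "null-deref-write"
    # Anything else is a wild pointer: treat as potentially exploitable until proven otherwise.
    return "wild-pointer-read" if access == "READ" else "wild-pointer-write"


def triage(text):
    """Parse plus classify; returns a dict with top_frame, category and field_offset."""
    info = parse_report(text)
    info["top_frame"] = info["frames"][0][1] if info["frames"] else None
    info["category"] = classify(info)
    addr = info["address"]
    info["field_offset"] = addr if addr is not None and addr < PAGE_SIZE else None
    return info


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, WILD_WRITE_REPORT):
        r = triage(report)
        print(f"{r['category']:<20} {r['access']} @ {r['address']:#x} in {r['top_frame']}")
```

For the report on this page the script lands on null-deref-read with field offset 72, which matches the fix described in Comment 3: main rejects invalid audio info in create() instead of letting duration() dereference the missing data. The wild-pointer buckets exist so that a crash from the same fuzzer with a large or written-to address is not closed on the strength of a null-deref pattern it does not actually show.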
Attachments
testcase to trigger crash (852 bytes, text/html), 2025-03-18 10:15 PDT, pubmailaddr, no flags
Comment 1 - Philippe Normand, 2025-03-19 13:25:34 PDT
Can you check if this happens with https://commits.webkit.org/292300@main ?

Comment 2 - Philippe Normand, 2025-03-19 13:26:29 PDT
And please file security bugs for this type of fuzzing test-case.

Comment 3 - Philippe Normand, 2025-03-19 13:33:05 PDT
With current main:

WARN webkitaudiodata PlatformRawAudioDataGStreamer.cpp:84:create: Invalid audio info, unable to create AudioData for it

Closing.

*** This bug has been marked as a duplicate of bug 289946 ***