Bug 1512450 Comment 1 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I looked at this last week but got distracted and lost my comment:

The "remote peer" can only be a local process bootstrapped by the Gecko parent since audioipc is restricted to anonymous local socket pairs (Unix domain sockets, specifically).  So I don't think this is a security issue, but we should add validation for this anyway.

The unsafe is unfortunately used to reinterpret the shared memory between u8 and the actual sample type of i16 or f32, e.g. a [u8; 100] becomes [f32; 25].  It'd be good to find a nicer way to handle this.

I looked at this last week but got distracted and lost my comment:

Just to clarify: the "remote peer" can only be a local process bootstrapped by the Gecko parent since audioipc is restricted to anonymous local socket pairs (Unix domain sockets, specifically).  Still, definitely needs fixing.

The unsafe is unfortunately used to reinterpret the shared memory between u8 and the actual sample type of i16 or f32, e.g. a [u8; 100] becomes [f32; 25].  I think I have an idea to improve the safety of this.
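
The reinterpretation and validation discussed in the comment above, as an added example that is not audioipc's code and not part of the original comment: it confines the `unsafe` to one function that checks size and alignment before viewing a `[u8; 100]` region as `[f32; 25]`. The names `samples_f32`, `ViewError` and `Aligned` are hypothetical, and the frame count is assumed to be the peer-supplied value that needs validating.

```rust
use std::mem::{align_of, size_of};

#[derive(Debug, PartialEq)]
pub enum ViewError {
    Overflow,
    TooShort { needed: usize, available: usize },
    Misaligned,
}

/// Constructed stand-in for a mapped region: 100 bytes, aligned for f32.
#[repr(align(4))]
pub struct Aligned(pub [u8; 100]);

/// Borrow `frames * channels` f32 samples from `shm` without copying.
/// `frames` is treated as untrusted (assumed to come from the peer).
pub fn samples_f32(shm: &[u8], frames: usize, channels: usize) -> Result<&[f32], ViewError> {
    // Checked arithmetic: a huge frame count must not wrap to a small size.
    let count = frames.checked_mul(channels).ok_or(ViewError::Overflow)?;
    let needed = count.checked_mul(size_of::<f32>()).ok_or(ViewError::Overflow)?;
    if needed > shm.len() {
        return Err(ViewError::TooShort { needed, available: shm.len() });
    }
    if (shm.as_ptr() as usize) % align_of::<f32>() != 0 {
        return Err(ViewError::Misaligned);
    }
    // SAFETY: the pointer is non-null and aligned for f32, `needed` bytes are
    // in bounds of `shm`, every bit pattern is a valid f32, and the returned
    // slice borrows `shm`, so it cannot outlive the region.
    Ok(unsafe { std::slice::from_raw_parts(shm.as_ptr() as *const f32, count) })
}

fn main() {
    let mut region = Aligned([0u8; 100]);
    region.0[..4].copy_from_slice(&1.5f32.to_ne_bytes());
    println!("{:?}", samples_f32(&region.0, 25, 1).map(|s| (s.len(), s[0])));
    println!("{:?}", samples_f32(&region.0, 13, 2)); // needs 104 bytes, has 100
    println!("{:?}", samples_f32(&region.0[1..], 12, 2)); // odd start address
    println!("{:?}", samples_f32(&region.0, usize::MAX, 2)); // size would wrap
}
```

This covers bounds and alignment only; memory that another process can still write while the slice is borrowed is a separate concern the sketch does not address.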
