Closed
Bug 1045650
Opened 10 years ago
Closed 10 years ago
Out of Bounds read in AudioNodeStream::ObtainInputBlock
Categories
(Core :: Web Audio, defect)
RESOLVED
DUPLICATE
of bug 1041466
People
(Reporter: hofusec, Assigned: hofusec)
Details
Attachments
(1 file)
396 bytes,
text/html
Asan Log: (with optimize build)

==17540==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140001cc618 at pc 0x7fc481964760 bp 0x7fc449db9530 sp 0x7fc449db9528
READ of size 8 at 0x6140001cc618 thread T43 (MediaStreamGrph)
    #0 0x7fc48196475f in IsNull /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017
    #1 0x7fc481965d88 in ProcessInput /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:453
    #2 0x7fc4819fddb6 in ProduceDataForStreamsBlockByBlock /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1269
    ...

0x6140001cc618 is located 24 bytes to the right of 448-byte region [0x6140001cc440,0x6140001cc600)
allocated by thread T0 here:
    #0 0x471d71 in __interceptor_malloc _asan_rtl_
    #1 0x7fc48a500bed in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/memory/mozalloc/mozalloc.cpp:52
    #2 0x7fc481a0d122 in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/content/media/../../dist/include/mozilla/mozalloc.h:201
    #3 0x7fc481aeb9d8 in ChannelSplitterNode /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/ChannelSplitterNode.cpp:63
    #4 0x7fc481ad5be8 in CreateChannelSplitter /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioContext.cpp:358
    ...
Comment 1•10 years ago
I can reproduce this reliably in the 3b682051f3ad mozilla-central-linux64-asan build, thank you, but not in the f61a27b00e05 build, so I think this is fixed by the patch in bug 1041466. The asan logs are a bit different, but the testcases are similar, both producing graphs with 2 cycles.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
Comment 2•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/f59fb21369d5
Flags: in-testsuite? → in-testsuite+
Updated•9 years ago
Group: core-security
Comment 3•9 years ago
https://hg.mozilla.org/mozilla-central/rev/f59fb21369d5
Assignee: nobody → hofusec