Out of Bounds read in AudioNodeStream::ObtainInputBlock

Status: RESOLVED DUPLICATE of bug 1041466
Type: defect
Reported: 5 years ago
Modified: 4 years ago
Reporter: hofusec
Assignee: hofusec

Version: 34 Branch
Hardware: x86_64
OS: Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment (testcase.html)
Description (reporter, 5 years ago)

Posted file testcase.html

ASan log (with optimized build):
==17540==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140001cc618 at pc 0x7fc481964760 bp 0x7fc449db9530 sp 0x7fc449db9528
READ of size 8 at 0x6140001cc618 thread T43 (MediaStreamGrph)
    #0 0x7fc48196475f in IsNull /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017
    #1 0x7fc481965d88 in ProcessInput /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:453
    #2 0x7fc4819fddb6 in ProduceDataForStreamsBlockByBlock /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1269
...

0x6140001cc618 is located 24 bytes to the right of 448-byte region [0x6140001cc440,0x6140001cc600)
allocated by thread T0 here:
    #0 0x471d71 in __interceptor_malloc _asan_rtl_
    #1 0x7fc48a500bed in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/memory/mozalloc/mozalloc.cpp:52
    #2 0x7fc481a0d122 in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/content/media/../../dist/include/mozilla/mozalloc.h:201
    #3 0x7fc481aeb9d8 in ChannelSplitterNode /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/ChannelSplitterNode.cpp:63
    #4 0x7fc481ad5be8 in CreateChannelSplitter /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioContext.cpp:358
...

I can reproduce this reliably in the 3b682051f3ad mozilla-central-linux64-asan build, thank you, but not in the f61a27b00e05 build, so I think this is fixed by the patch in bug 1041466. The ASan logs are a bit different, but the testcases are similar, both producing graphs with 2 cycles.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
Duplicate of bug: 1041466
Group: core-security