Closed
Bug 1123882
Opened 11 years ago
Closed 11 years ago
MediaDecoderStateMachine::SendStreamAudio passes an incorrect buffer size to AudioSegment::AppendFrames when |offset| is non-zero
Categories
(Core :: Audio/Video, defect)
Core
Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: bwc, Assigned: bwc)
Details
(Keywords: sec-high, Whiteboard: [adv-main36+][adv-esr31.5+])
Attachments
(2 files, 1 obsolete file)
|
1.92 KB,
patch
|
derf
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
1.90 KB,
patch
|
bwc
:
review+
bkerensa
:
approval-mozilla-esr31+
|
Details | Diff | Splinter Review |
Observed multiple ASAN crashes (buffer overflow, read) with the failure here:
https://treeherder.mozilla.org/logviewer.html#?job_id=4289100&repo=try
It looks like our problem is here:
https://dxr.mozilla.org/mozilla-central/source/dom/media/MediaDecoderStateMachine.cpp#348
aOutput->AppendFrames(buffer.forget(), channels, aAudio->mFrames);
Should probably be
aOutput->AppendFrames(buffer.forget(), channels, aAudio->mFrames - offset);
correct?
|
Assignee | |
Comment 1•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → docfaraday
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•11 years ago
|
||
Consolidate some code.
|
|
Assignee | |
Updated•11 years ago
|
Attachment #8552510 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•11 years ago
|
Attachment #8552512 -
Flags: review?(tterribe)
|
||
Comment 3•11 years ago
|
||
Comment on attachment 8552512 [details] [diff] [review]
Fix case where offset != 0
Review of attachment 8552512 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/media/MediaDecoderStateMachine.cpp
@@ +332,5 @@
>
> if (offset >= aAudio->mFrames)
> return;
>
> + size_t framesToWrite = aAudio->mFrames - offset;
I'd prefer to have this declaration right next to the code that uses it, but that's just personal preference.
Attachment #8552512 -
Flags: review?(tterribe) → review+
|
|
Assignee | |
Comment 4•11 years ago
|
||
(In reply to Timothy B. Terriberry (:derf) from comment #3)
> Comment on attachment 8552512 [details] [diff] [review]
> Fix case where offset != 0
>
> Review of attachment 8552512 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: dom/media/MediaDecoderStateMachine.cpp
> @@ +332,5 @@
> >
> > if (offset >= aAudio->mFrames)
> > return;
> >
> > + size_t framesToWrite = aAudio->mFrames - offset;
>
> I'd prefer to have this declaration right next to the code that uses it, but
> that's just personal preference.
Yeah, I was torn between doing that and keeping it near the checking code that ensured the calculation was valid.
|
|
Assignee | |
Comment 5•11 years ago
|
||
try (includes patches from multistream which made this bug happen much more often, plus patches for other bugs the multistream code triggers):
https://treeherder.mozilla.org/#/jobs?repo=try&revision=cfca214e0135
|
|
Assignee | |
Comment 6•11 years ago
|
||
Also have verified that signaling_unittests works on linux ASAN.
|
|
Assignee | |
Comment 7•11 years ago
|
||
I'll go ahead and do a dedicated try push for this, since it seems we still have more bugs that multistream is tripping over.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=3a65a9afeb06
|
|
Assignee | |
Comment 8•11 years ago
|
||
Comment on attachment 8552512 [details] [diff] [review]
Fix case where offset != 0
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Looks extremely hard, even to cause a segfault.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
A smart reader could figure out what was being fixed pretty easily, since it is such a small fix. Another matter entirely to figure out how to hit the bug.
Which older supported branches are affected by this flaw?
All.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Not yet, but they should be quite easy.
How likely is this patch to cause regressions; how much testing does it need?
Seems really unlikely.
Approval Request Comment
[Feature/regressing bug #]:
Bug 827537
[User impact if declined]:
Extremely rare crashes while playing back audio, and audio corruption more commonly. Has only happened on e10s mochitests, don't see any sign of this in crash-stats.
[Describe test coverage new/current, TreeHerder]:
No new tests.
[Risks and why]:
Risk seems pretty low, change is simple.
[String/UUID change made/needed]:
None.
Attachment #8552512 -
Flags: sec-approval?
Attachment #8552512 -
Flags: approval-mozilla-beta?
Attachment #8552512 -
Flags: approval-mozilla-aurora?
|
||
Comment 9•11 years ago
|
||
We need to figure out a security rating for this before we can checkin. Do you have any ideas on that?
|
|
Assignee | |
Comment 10•11 years ago
|
||
It is possible that we could leak information that lies beyond the end of the buffer to content (granted, that data has been passed through a resampler first, which might make it hard to use, or even determine what it is).
Flags: needinfo?(tterribe)
|
|
||
Comment 11•11 years ago
|
||
Given comment 10, I'd suggest sec-moderate or sec-high (sec-high is probably safest).
Flags: needinfo?(tterribe)
|
|
||
Comment 12•11 years ago
|
||
sec-approval+ for trunk and I'll approve it for branches. Can we get an ESR31 patch as well, please?
status-firefox36:
--- → affected
status-firefox37:
--- → affected
status-firefox38:
--- → affected
status-firefox-esr31:
--- → affected
tracking-firefox36:
--- → +
tracking-firefox37:
--- → +
tracking-firefox38:
--- → +
tracking-firefox-esr31:
--- → 36+
|
|
||
Updated•11 years ago
|
Attachment #8552512 -
Flags: sec-approval?
Attachment #8552512 -
Flags: sec-approval+
Attachment #8552512 -
Flags: approval-mozilla-beta?
Attachment #8552512 -
Flags: approval-mozilla-beta+
Attachment #8552512 -
Flags: approval-mozilla-aurora?
Attachment #8552512 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 13•11 years ago
|
||
Patches apply cleanly to aurora and beta, not sure about esr31 yet, will have to wait until I can pull it down.
|
|
Assignee | |
Comment 14•11 years ago
|
||
|
|
Assignee | |
Comment 15•11 years ago
|
||
Is it preferred to allow sheriffs to handle landing on aurora/beta?
|
|
Assignee | |
Comment 16•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
Attachment #8553898 -
Flags: review+
Attachment #8553898 -
Flags: approval-mozilla-esr31?
|
|
||
Comment 17•11 years ago
|
||
(In reply to Byron Campen [:bwc] from comment #15)
> Is it preferred to allow sheriffs to handle landing on aurora/beta?
I have no idea. They certainly will land approved things there.
Keywords: checkin-needed
|
||
Comment 18•11 years ago
|
||
*shrug* If you don't beat me to it, I certainly will :)
Keywords: checkin-needed
|
||
Comment 19•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
|
||
Updated•11 years ago
|
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → affected
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → affected
status-b2g-v2.1S:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → fixed
status-firefox35:
--- → wontfix
|
|
||
Comment 20•11 years ago
|
||
|
||
Updated•11 years ago
|
Attachment #8553898 -
Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
|
|
||
Comment 21•11 years ago
|
||
|
|
||
Comment 22•11 years ago
|
||
|
|
||
Comment 23•11 years ago
|
||
|
|
||
Updated•10 years ago
|
Whiteboard: [adv-main36+][adv-esr31.5+]
|
|
||
Comment 24•10 years ago
|
||
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•