Closed
Bug 1225352
Opened 9 years ago
Closed 9 years ago
global-buffer-overflow past nsTArrayHeader::sEmptyHdr [@ mozilla::dom::SpeechSynthesis::Pause]
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla45
People
(Reporter: jruderman, Assigned: eeejay)
References
Details
(6 keywords, Whiteboard: [post-critsmash-triage])
Attachments
(4 files)
Debug: Assertion failure: aIndex < Length() (invalid array index), at nsTArray.h:984 (Called by mozilla::dom::SpeechSynthesis::Pause) ASan: global-buffer-overflow past nsTArrayHeader::sEmptyHdr [@ mozilla::dom::SpeechSynthesis::Pause] Release: Does not crash for me
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
|
||
Comment 3•9 years ago
|
||
So Pause() does:
199 if (mCurrentTask &&
200 mSpeechQueue.ElementAt(0)->GetState() != SpeechSynthesisUtterance::STATE_ENDED) {
Sounds like mSpeechQueue is empty?
|
Assignee | |
Comment 4•9 years ago
|
||
I was trying to look at the attachment, and the browser kept freezing. doh!
Flags: needinfo?(eitan)
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → eitan
|
||
Comment 5•9 years ago
|
||
It sounds like it isn't an unbounded read, but better safe than sorry, so I'm going to mark it sec-high.
Keywords: sec-high
|
|
Assignee | |
Comment 6•9 years ago
|
||
Attachment #8688703 -
Flags: review?(bugs)
|
||
Comment 7•9 years ago
|
||
Comment on attachment 8688703 [details] [diff] [review] Check that mSpeechQueue is not empty before referencing first element. oops. Looks like we do check IsEmpty in other cases in that file. But, should we do something to the mCurrentTask? Like, should SpeechSynthesis::Cancel() set mCurrentTask to nullptr after mCurrentTask->Cancel() call or something? Though, I guess OnEnd's MOZ_ASSERT(mCurrentTask == aTask); might fire then. However, we're missing to clear mCurrentTask somewhere, right? Hmm, do we end up using InitIndirectAudio() so nsSpeechTask::Cancel() never ends up triggering OnEnd() (under DispatchEndInner() ) ? Or am I missing something here?
Attachment #8688703 -
Flags: review?(bugs) → review-
|
|
Assignee | |
Comment 8•9 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #7) > Comment on attachment 8688703 [details] [diff] [review] > Check that mSpeechQueue is not empty before referencing first element. > > oops. Looks like we do check IsEmpty in other cases in that file. > > But, should we do something to the mCurrentTask? > Like, should SpeechSynthesis::Cancel() set mCurrentTask to nullptr after > mCurrentTask->Cancel() call or something? Cancel() is only a request of the engine to end the utterance. The utterance/task should still be considered active until we get a call for OnEnd. > Though, I guess OnEnd's MOZ_ASSERT(mCurrentTask == aTask); might fire then. > However, we're missing to clear mCurrentTask somewhere, right? > Right, it is cleared on OnEnd. > Hmm, do we end up using InitIndirectAudio() so nsSpeechTask::Cancel() never > ends up triggering OnEnd() (under DispatchEndInner() ) ? > Indirect audio services must call task->DispatchEnd themselves after receiving a cancel request. > Or am I missing something here? Did I answer your question? Not sure I did..
|
|
||
Comment 9•9 years ago
|
||
So DispatchEnd may happen async and we may have cleared the array already at that point?
|
|
Assignee | |
Comment 10•9 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #9) > So DispatchEnd may happen async and we may have cleared the array already at > that point? We clear the array on Cancel() (if it didn't start speaking yet), but we only clear mCurrentTask in OnEnd(). So in this case, Pause() is called in between those two calls where mCurrentTask still exists but the array is cleared.
|
|
Assignee | |
Comment 11•9 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #9) > So DispatchEnd may happen async and we may have cleared the array already at > that point? The array is cleared immediately, DispatchEnd is async and clears mCurrentTask.
|
|
||
Comment 12•9 years ago
|
||
Comment on attachment 8688703 [details] [diff] [review] Check that mSpeechQueue is not empty before referencing first element. Ok, I guess I can live with this then.
Attachment #8688703 -
Flags: review- → review+
|
|
Assignee | |
Comment 13•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/77fc4877bd06
|
||
Comment 14•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/77fc4877bd06
Status: NEW → RESOLVED
Closed: 9 years ago
status-b2g-master:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
|
||
Updated•9 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Comment 15•9 years ago
|
||
The patch for this sec-high security bug landed without sec-approval https://wiki.mozilla.org/Security/Bug_Approval_Process This is marked as a regression, and Boris put it as blocking 1187105. Is that the regressing bug? If so that means this bug affects shipping Firefox 42. * Is that the correct regressor? * Where else do we need to back-port this? Filling out the sec-approval form would have asked these and other questions we need to manage security releases and assess risk should someone reverse-engineer an exploit from the patch. Please request retroactive approval so we can finish that process.
Flags: needinfo?(eitan)
|
|
Assignee | |
Comment 16•9 years ago
|
||
This is only preffed on by default in Nightly. So I don't know how much of a risk this is or isn't. This patch is very easily back-ported since it is a one-liner, so it might not hurt..
Flags: needinfo?(eitan)
|
|
||
Updated•9 years ago
|
status-firefox42:
--- → disabled
status-firefox43:
--- → disabled
status-firefox44:
--- → disabled
status-firefox-esr38:
--- → unaffected
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•