Open Bug 1315643 Opened 3 years ago Updated 2 years ago

[Coverity] Uninitialized read in media/webrtc/trunk/webrtc/modules/audio_processing/aecm/aecm_core.c

Categories: Core :: WebRTC: Audio/Video, defect, P4

Tracking Status: firefox52 --- affected

People: Reporter: cyu, Unassigned

References: Blocks 1 open bug

Details: Keywords: coverity, Whiteboard: CID 1346255

WebRtcAecm_CreateCore() creates an instance of struct AecmCore in the following steps:

1. AecmCore* aecm = malloc(sizeof(AecmCore)), leaving its data members uninitialized.
2. Allocate some of its data members with WebRtc_CreateBuffer(), which also malloc()s.
3. If creating a buffer for one of those data members fails, free the AecmCore instance with WebRtcAecm_FreeCore(aecm).

WebRtcAecm_FreeCore frees the AecmCore instance with:
4. WebRtc_FreeBuffer(), which calls free() if the argument is not null, to free the data members for WebRtc_CreateBuffer().

Because AecmCore's data members are uninitialized, once WebRtc_CreateBuffer() fails, the data members that were never assigned may contain random pointer values, and those get free()'d in WebRtc_FreeBuffer().

PS.
* This bug is still seen upstream.
* The impact on us is small because of our infallible allocator. We'll crash when failing WebRtc_CreateBuffer() and won't have the chance to free an uninitialized pointer.
(In reply to Cervantes Yu [:cyu] [:cervantes] from comment #0)
> * The impact on us is small because of our infallible allocator. We'll when
                                                                       ^^^ We'll crash when...
> failing WebRtc_CreateBuffer() and won't have the chance to free an
> uninitialized pointer.
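The pattern from comment 0, reduced to a runnable model (added example, not code from the WebRTC tree or from Mozilla). `core_t`, `ring_t`, `create_core_buggy`, `create_core_fixed`, `create_ring` and `free_ring` are hypothetical stand-ins for AecmCore, RingBuffer, WebRtcAecm_CreateCore, WebRtc_CreateBuffer and WebRtc_FreeBuffer. Allocation failure is injected by a counting allocator; the real code would hand the garbage pointer to free(), which is undefined behaviour, so here the free routine keeps a registry of pointers it actually issued and counts any other non-NULL pointer as a bogus free instead of freeing it. The `memset(0xCD)` stands in for whatever stale heap contents malloc() returned. With an infallible allocator (Firefox's case) the injected NULL would instead abort the process before the cleanup path runs.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define NBUF 3

typedef struct { size_t len; int *data; } ring_t;      /* stand-in for RingBuffer  */
typedef struct { int sample_rate; ring_t *buf[NBUF]; } core_t; /* stand-in for AecmCore */

/* Fault injection: the fail_at-th allocation (1-based) returns NULL; 0 = never fail. */
static int alloc_calls, fail_at;
static void *xmalloc(size_t n) {
    if (++alloc_calls == fail_at) return NULL;
    return malloc(n);
}

/* Registry of ring buffers handed out by create_ring(), so free_ring() can tell a
   legitimate pointer from garbage that was never assigned. */
static ring_t *live[64];
static int n_live, bogus_frees;

static ring_t *create_ring(size_t len) {
    ring_t *r = xmalloc(sizeof *r);
    if (!r) return NULL;
    r->data = xmalloc(len * sizeof *r->data);
    if (!r->data) { free(r); return NULL; }
    r->len = len;
    live[n_live++] = r;
    return r;
}

/* Like WebRtc_FreeBuffer: do nothing for NULL, otherwise release. A non-NULL
   pointer we never issued is exactly the bug; count it rather than free() it. */
static void free_ring(ring_t *r) {
    if (!r) return;
    for (int i = 0; i < n_live; i++) {
        if (live[i] == r) {
            live[i] = live[--n_live];
            free(r->data);
            free(r);
            return;
        }
    }
    bogus_frees++;
}

/* Like WebRtcAecm_FreeCore: walks every buffer slot unconditionally. */
static void free_core(core_t *c) {
    if (!c) return;
    for (int i = 0; i < NBUF; i++) free_ring(c->buf[i]);
    free(c);
}

/* Buggy: malloc() leaves buf[] indeterminate. If the k-th buffer fails, slots
   k+1.. still hold garbage when free_core() runs. */
static core_t *create_core_buggy(void) {
    core_t *c = malloc(sizeof *c);
    if (!c) return NULL;
    memset(c, 0xCD, sizeof *c);            /* simulated stale heap contents */
    for (int i = 0; i < NBUF; i++) {
        c->buf[i] = create_ring(16);
        if (!c->buf[i]) { free_core(c); return NULL; }
    }
    return c;
}

/* Fixed: calloc() zeroes every slot, so free_ring() skips the unassigned ones. */
static core_t *create_core_fixed(void) {
    core_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    for (int i = 0; i < NBUF; i++) {
        c->buf[i] = create_ring(16);
        if (!c->buf[i]) { free_core(c); return NULL; }
    }
    return c;
}

/* Create with the k-th allocation failing, tear down, return the bogus-free count. */
static int run(core_t *(*creator)(void), int k) {
    alloc_calls = 0; fail_at = k; n_live = 0; bogus_frees = 0;
    core_t *c = creator();
    free_core(c);                          /* no-op if creation already failed */
    return bogus_frees;
}

/* Ring buffers still registered after run(): non-zero would mean a leak. */
static int leaked_rings(void) { return n_live; }

int main(void) {
    /* Allocation 3 is the ring_t of buf[1], so buf[2] is never assigned. */
    printf("buggy, fail at alloc 3: bogus frees=%d leaked=%d\n",
           run(create_core_buggy, 3), leaked_rings());
    printf("fixed, fail at alloc 3: bogus frees=%d leaked=%d\n",
           run(create_core_fixed, 3), leaked_rings());
    return 0;
}
```

Failing allocation 3 (the ring_t for buf[1]) reproduces the report: buf[0] is valid and is freed, buf[1] is NULL and skipped, buf[2] still holds the 0xCD pattern and reaches free_ring(). The calloc() variant passes only NULL or registered pointers to free_ring(), and the registry shows nothing is leaked on either path.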
Rank: 35
Priority: -- → P3
Mass change P3->P4 to align with new Mozilla triage process.
Priority: P3 → P4