Open Bug 1315643 Opened 3 years ago Updated 2 years ago
[Coverity] Uninitialized read in media/webrtc/trunk/webrtc/modules/audio_processing/aecm/aecm_core.c
WebRtcAecm_CreateCore() creates an instance of struct AecmCore in the following steps:

1. AecmCore* aecm = malloc(sizeof(AecmCore)), leaving its data members uninitialized.
2. Allocate some of its data members with WebRtc_CreateBuffer(), which also malloc()s.
3. If it fails in creating the buffer for its data member, free the AecmCore instance with WebRtcAecm_FreeCore(aecm). WebRtcAecm_FreeCore frees the AecmCore instance with:
4. WebRtc_FreeBuffer(), which calls free() if the argument is not null, to free the data members for WebRtc_CreateBuffer().

Because AecmCore's data members are uninitialized, once it fails in WebRtc_CreateBuffer(), the data members that remain uninitialized may contain a random pointer value and get free()'d in WebRtc_FreeBuffer().

PS.
* This bug is still seen in the upstream.
* The impact on us is small because of our infallible allocator. We'll when failing WebRtc_CreateBuffer() and won't have the chance to free an uninitialized pointer.
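An added C model of the allocation-failure path described in comment #0 (not WebRTC's own code; the struct, member and function names are assumptions), contrasting the uninitialized struct with one zeroed before the first fallible step, under injected buffer-allocation failures:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern in comment #0: a core struct owning heap
 * buffers that a create routine allocates one at a time. Core, far_buf /
 * near_buf / out_buf, create_core and free_core are assumed names. */
typedef struct { char *far_buf; char *near_buf; char *out_buf; } Core;

static int fail_at, alloc_count;              /* fault injection: fail Nth */
static char *issued[8]; static int n_issued;  /* buffers really handed out */
static int bad_frees;                         /* frees of never-issued ptrs */

static char *create_buffer(size_t n) {        /* stands in for WebRtc_CreateBuffer */
    if (fail_at && ++alloc_count == fail_at) return NULL;
    char *p = malloc(n);
    if (p && n_issued < 8) issued[n_issued++] = p;
    return p;
}

/* Stands in for WebRtc_FreeBuffer: free() if non-NULL. A pointer that was
 * never issued is counted instead of freed so the program stays defined. */
static void free_buffer(char *p) {
    int i, known = 0;
    if (!p) return;
    for (i = 0; i < n_issued; i++) if (issued[i] == p) known = 1;
    if (known) free(p); else bad_frees++;
}

static void free_core(Core *c) {
    free_buffer(c->far_buf); free_buffer(c->near_buf); free_buffer(c->out_buf);
}

/* zero = 0 reproduces the bug: members keep whatever bytes the storage held.
 * zero = 1 is the fix: clear every member before the first fallible step
 * (calloc() would do the same), so cleanup only sees NULL or a real buffer. */
static Core *create_core(int zero, int fail_nth) {
    static union { Core core; unsigned char raw[sizeof(Core)]; } stale;
    memset(stale.raw, 0xAB, sizeof stale.raw);  /* models reused heap bytes */
    Core *c = &stale.core;
    fail_at = fail_nth; alloc_count = 0; n_issued = 0; bad_frees = 0;
    if (zero) memset(c, 0, sizeof *c);
    if (!(c->far_buf = create_buffer(64)))  { free_core(c); return NULL; }
    if (!(c->near_buf = create_buffer(64))) { free_core(c); return NULL; }
    if (!(c->out_buf = create_buffer(64)))  { free_core(c); return NULL; }
    return c;
}

/* Creates a core with the Nth buffer allocation failing (0 = none) and
 * returns how many garbage pointers reached free_buffer(). */
int garbage_frees(int zero, int fail_nth) {
    Core *c = create_core(zero, fail_nth);
    if (c) free_core(c);
    return bad_frees;
}
```

The count depends on which allocation fails: members already assigned (a real buffer or NULL) are safe, only the ones the create routine never reached carry stale bytes.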
(In reply to Cervantes Yu [:cyu] [:cervantes] from comment #0)
> * The impact on us is small because of our infallible allocator. We'll when
                                                                   ^^^ We'll crash when...
> failing WebRtc_CreateBuffer() and won't have the chance to free an
> uninitialized pointer.
Mass change P3->P4 to align with new Mozilla triage process.
Priority: P3 → P4