Closed Bug 1348931 Opened 3 years ago Closed 3 years ago

Possible integer overflow in allocation size in SilentChunk::SilentChunk?

Categories

(Core :: Audio/Video: Playback, enhancement)

enhancement
Not set

Tracking

()

RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr52 --- unaffected
firefox55 --- fixed

People

(Reporter: mats, Assigned: jwwang)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-audit, Whiteboard: [adv-main55-][post-critsmash-triage])

Attachments

(1 file)

Are the values multiplied here controlled by content?
http://searchfox.org/mozilla-central/rev/557f236c19730116d3bf53c0deef36362cafafcd/dom/media/mediasink/DecodedAudioDataSink.cpp#269-270
If so, it might lead to integer overflow and potential security issues.
Group: core-security → media-core-security
I just found this as well (because of the static analysis in bug 1279569), but I don't see the code being used anywhere.

The integer overflow here would lead to partial uninitialized data in mData.
I will remove the dead code.
Assignee: nobody → jwwang
Component: Audio/Video → Audio/Video: Playback
Attachment #8849812 - Flags: review?(gsquelart)
Attachment #8849812 - Flags: review?(gsquelart) → review+
Thanks!
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/e27e769a70e3
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: media-core-security → core-security-release
Whiteboard: [adv-main55-]
Flags: qe-verify-
Whiteboard: [adv-main55-] → [adv-main55-][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.