Closed
Bug 1365225
Opened 7 years ago
Closed 7 years ago
Investigate potential integer overflow in dom/media/AudioStream.cpp
Categories
(Core :: Audio/Video: Playback, defect, P1)
Core
Audio/Video: Playback
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: decoder, Assigned: chunmin)
Details
(Keywords: sec-audit, sec-want, Whiteboard: [adv-main55-][post-critsmash-triage])
Attachments
(1 file, 2 obsolete files)
1.75 KB,
patch
|
chunmin
:
review+
|
Details | Diff | Splinter Review |
While looking at static analysis results, I also inspected this: http://searchfox.org/mozilla-central/rev/ae24a3c83d22e0e35aecfd9049c2b463ca7e045b/dom/media/AudioStream.cpp#583-585 I am not sure if it is possible for this to overflow, but if it does, then there is a lot of code behind the putSamples call that I can't verify alone. I inspected some of the memcpy calls afterwards and they all use a product of channel * frames * sizeof(...) which should be fine. Problems would arise as soon as we perform any kind of memory operations on the resulting buffers without the original overflowing multiplication. E.g. if channel * frames * sizeof(...) overflows but channel * frames does not, and we then access or write memory based on that, that would be problematic. This is all theoretic because I don't know if the multiplication can overflow at all, so that would be the first thing to check. NI on :jwwang to get started on this :)
Assignee | ||
Comment 2•7 years ago
|
||
The concern is that: if mOutChannels * c->Frames() is overflowed, then its product will be a smaller number than it should be and we will allocate a smaller space for the buffer. Therefore, part of input data will be put into the invalid address because the the length of data will be larger than the space of buffer. The types of both `mOutChannels` and `c->Frames()` are uint32_t. The max value of `uint32_t`, is (2^32 - 1), so the max value of their product is (2^32 - 1)^2 = 2^64 - 2 * 2^32 + 1 = (2^64 - 1) - 2^33 + 2 = (max value of uint64_t) - 2^33 + 2 <= (max value of uint64_t). That is, Max(uint32)^2 <= Max(uint64), where Max(T) is the max value of type T. The type of the product is `AutoTArray<AudioDataValue, *>::size_type`[0] = `size_t`[1]. The size of `size_t` is platform-dependent(it's normally uint64_t nowadays). If the `size_t` is 4 bytes, than the product may be overflowed. If it's 8 bytes, than the current code should be fine. The safest way is to check whether it's overflowed. About the memory allocating mechanism, I found nothing weird so far. Before calling `putSamples`, the `memset` should work if buf.SetLength[0, 2] return true. Inside `putSamples`[3], the `FIFOSampleBuffer::putSamples`[4] will be called. Before memcpy[5], `FIFOSampleBuffer::ensureCapacity` will be fired to check whether there is enough space. If not, it will throw an error[6]. [0] http://searchfox.org/mozilla-central/rev/9a7fbdee1d54f99cd548af95b81231d80e5f9ad1/xpcom/ds/nsTArray.h#1836 [1] http://searchfox.org/mozilla-central/rev/f55349994fdac101d121b11dac769f3f17fbec4b/xpcom/ds/nsTArray.h#394 [2] http://searchfox.org/mozilla-central/rev/9a7fbdee1d54f99cd548af95b81231d80e5f9ad1/dom/media/AudioStream.cpp#583 [3] http://searchfox.org/mozilla-central/rev/9a7fbdee1d54f99cd548af95b81231d80e5f9ad1/media/libsoundtouch/src/SoundTouch.cpp#294 [4] http://searchfox.org/mozilla-central/rev/f55349994fdac101d121b11dac769f3f17fbec4b/media/libsoundtouch/src/FIFOSampleBuffer.cpp#105 [5] http://searchfox.org/mozilla-central/rev/f55349994fdac101d121b11dac769f3f17fbec4b/media/libsoundtouch/src/FIFOSampleBuffer.cpp#107 [6] http://searchfox.org/mozilla-central/rev/f55349994fdac101d121b11dac769f3f17fbec4b/media/libsoundtouch/src/FIFOSampleBuffer.cpp#177
Assignee: nobody → cchang
Flags: needinfo?(cchang)
Assignee | ||
Comment 3•7 years ago
|
||
Attachment #8869331 -
Flags: review?(jwwang)
Comment 4•7 years ago
|
||
Comment on attachment 8869331 [details] [diff] [review] Prevent overflow Review of attachment 8869331 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/media/AudioStream.cpp @@ +579,5 @@ > mTimeStretcher->putSamples(c->Data(), c->Frames()); > } else { > // Write silence if invalid format. > AutoTArray<AudioDataValue, 1000> buf; > + CheckedInt<AutoTArray<AudioDataValue, 1000>::size_type> chs(mOutChannels); You can use CheckedUint32.
Updated•7 years ago
|
Group: core-security → media-core-security
Assignee | ||
Comment 5•7 years ago
|
||
Add a log for debugging if there is an overflow happend.
Attachment #8869331 -
Attachment is obsolete: true
Attachment #8869331 -
Flags: review?(jwwang)
Attachment #8870285 -
Flags: review?(jwwang)
Comment 6•7 years ago
|
||
Comment on attachment 8870285 [details] [diff] [review] Prevent overflow Review of attachment 8870285 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/media/AudioStream.cpp @@ +590,1 @@ > memset(buf.Elements(), 0, buf.Length() * sizeof(AudioDataValue)); Also check overflow for |buf.Length() * sizeof(AudioDataValue)|.
Attachment #8870285 -
Flags: review?(jwwang) → review+
Updated•7 years ago
|
Priority: -- → P1
Assignee | ||
Comment 7•7 years ago
|
||
Add overflow check for memset.
Attachment #8870285 -
Attachment is obsolete: true
Attachment #8870309 -
Flags: review+
Updated•7 years ago
|
Component: Audio/Video → Audio/Video: Playback
Assignee | ||
Comment 8•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f287075098ec1846b4a4453bdb2edbd64b513e0c
Keywords: checkin-needed
Comment 9•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/7e7596ff55f5c09779f34d5811d2dcdfb5707990
Keywords: checkin-needed
Comment 10•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/7e7596ff55f5 Should we consider this for uplift to 54 or let it ride the 55 train?
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox55:
--- → fixed
status-firefox-esr52:
--- → wontfix
Flags: needinfo?(cchang)
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•7 years ago
|
Group: media-core-security → core-security-release
Assignee | ||
Comment 11•7 years ago
|
||
We can uplift if we found any related crash issues. For now, it's only theoretic, so there is no need to do that.
Flags: needinfo?(cchang)
Updated•7 years ago
|
Updated•7 years ago
|
Whiteboard: [adv-main55-]
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main55-] → [adv-main55-][post-critsmash-triage]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•