Closed Bug 1583967 Opened 11 months ago Closed 10 months ago

addition of unsigned offset overflowed in media/webrtc/trunk/webrtc/common_audio/signal_processing/downsample_fast.c:45

Categories

(Core :: WebRTC: Audio/Video, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: tsmith, Assigned: dminor)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="pointer-overflow"
ac_add_options --disable-jemalloc
INFO - TEST-START | dom/media/tests/mochitest/test_peerConnection_webAudio.html
...
src/media/webrtc/trunk/webrtc/common_audio/signal_processing/downsample_fast.c:45:33: runtime error: addition of unsigned offset to 0x619000688da0 overflowed to 0x619000688d9e
    #0 0x7fefbe825478 in WebRtcSpl_DownsampleFastC src/media/webrtc/trunk/webrtc/common_audio/signal_processing/downsample_fast.c:45:33
    #1 0x7fefbe960f57 in webrtc::Expand::Correlation(short const*, unsigned long, short*) const src/media/webrtc/trunk/webrtc/modules/audio_coding/neteq/expand.cc:823:3
    #2 0x7fefbe95def4 in webrtc::Expand::AnalyzeSignal(short*) src/media/webrtc/trunk/webrtc/modules/audio_coding/neteq/expand.cc:407:3
    #3 0x7fefbe95be87 in webrtc::Expand::Process(webrtc::AudioMultiVector*) src/media/webrtc/trunk/webrtc/modules/audio_coding/neteq/expand.cc:85:5
    #4 0x7fefbe97ce2b in webrtc::NetEqImpl::DoExpand(bool) src/media/webrtc/trunk/webrtc/modules/audio_coding/neteq/neteq_impl.cc:1584:33
    #5 0x7fefbe9709d0 in webrtc::NetEqImpl::GetAudioInternal(webrtc::AudioFrame*, bool*) src/media/webrtc/trunk/webrtc/modules/audio_coding/neteq/neteq_impl.cc:899:22
    #6 0x7fefbe96f5cb in webrtc::NetEqImpl::GetAudio(webrtc::AudioFrame*, bool*) src/media/webrtc/trunk/webrtc/modules/audio_coding/neteq/neteq_impl.cc:200:7
    #7 0x7fefbe89809b in webrtc::acm2::AcmReceiver::GetAudio(int, webrtc::AudioFrame*, bool*) src/media/webrtc/trunk/webrtc/modules/audio_coding/acm2/acm_receiver.cc:126:15
    #8 0x7fefbe8a42da in webrtc::(anonymous namespace)::AudioCodingModuleImpl::PlayoutData10Ms(int, webrtc::AudioFrame*, bool*) src/media/webrtc/trunk/webrtc/modules/audio_coding/acm2/audio_coding_module.cc:1108:17
    #9 0x7fefbed66c0f in webrtc::voe::Channel::GetAudioFrameWithInfo(int, webrtc::AudioFrame*) src/media/webrtc/trunk/webrtc/voice_engine/channel.cc:760:22
    #10 0x7fefb6ec4199 in mozilla::WebrtcAudioConduit::GetAudioFrame(short*, int, int, int&) src/media/webrtc/signaling/src/media-conduit/AudioConduit.cpp:616:22
    #11 0x7fefb6f462f5 in mozilla::MediaPipelineReceiveAudio::PipelineListener::NotifyPullImpl(long) src/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:1350:17
    #12 0x7fefbac35f0b in mozilla::SourceMediaStream::PullNewData(long) src/dom/media/MediaStreamGraph.cpp:2535:22
    #13 0x7fefbac3462d in mozilla::MediaStreamGraphImpl::UpdateGraph(long) src/dom/media/MediaStreamGraph.cpp:1188:34
    #14 0x7fefbac3851b in mozilla::MediaStreamGraphImpl::OneIterationImpl(long) src/dom/media/MediaStreamGraph.cpp:1403:3
    #15 0x7fefba9d80d0 in mozilla::AudioCallbackDriver::DataCallback(float const*, float*, long) src/dom/media/GraphDriver.cpp:882:36
    #16 0x7fefc1449d8f in _$LT$audioipc_client..stream..CallbackServer$u20$as$u20$audioipc..rpc..server..Server$GT$::process::_$u7b$$u7b$closure$u7d$$u7d$::ha43956b0eea91cf4 src/media/audioipc/client/src/stream.rs:113:24
    #17 0x7fefc1449d8f in futures::future::lazy::Lazy$LT$F$C$R$GT$::get::h07d3c7d5fa23492d src/third_party/rust/futures/src/future/lazy.rs:64
    #18 0x7fefc1449d8f in _$LT$futures..future..lazy..Lazy$LT$F$C$R$GT$$u20$as$u20$futures..future..Future$GT$::poll::h04c8f2a4b37c4cc4 src/third_party/rust/futures/src/future/lazy.rs:82
    #19 0x7fefc1449d8f in futures::future::catch_unwind::_$LT$impl$u20$futures..future..Future$u20$for$u20$std..panic..AssertUnwindSafe$LT$F$GT$$GT$::poll::hbc95ddcc43778203 src/third_party/rust/futures/src/future/catch_unwind.rs:49
    #20 0x7fefc1449d8f in _$LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::_$u7b$$u7b$closure$u7d$$u7d$::h88fae40ae17fead0 src/third_party/rust/futures/src/future/catch_unwind.rs:32
    #21 0x7fefc1449d8f in std::panicking::try::do_call::hb53a138c07811070 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/panicking.rs:296
    #22 0x7fefc1449d8f in __rust_maybe_catch_panic /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libpanic_abort/lib.rs:29
    #23 0x7fefc1449d8f in std::panicking::try::haf1bcccc99281b03 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/panicking.rs:275
    #24 0x7fefc1449d8f in std::panic::catch_unwind::h4869e15ba6994726 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/panic.rs:394
    #25 0x7fefc1449d8f in _$LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::ha72049ee68bd070c src/third_party/rust/futures/src/future/catch_unwind.rs:32
    #26 0x7fefc1449d8f in _$LT$futures_cpupool..MySender$LT$F$C$core..result..Result$LT$$LT$F$u20$as$u20$futures..future..Future$GT$..Item$C$$LT$F$u20$as$u20$futures..future..Future$GT$..Error$GT$$GT$$u20$as$u20$futures..future..Future$GT$::poll::h792cf0333f3aa894 src/third_party/rust/futures-cpupool/src/lib.rs:325
    #27 0x7fefc1464be2 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::h54ddf78dbcbbe5d7 src/third_party/rust/futures/src/future/mod.rs:113:12
    #28 0x7fefc1464be2 in futures::task_impl::Spawn$LT$T$GT$::poll_future_notify::_$u7b$$u7b$closure$u7d$$u7d$::h9087352d841f248c src/third_party/rust/futures/src/task_impl/mod.rs:289
    #29 0x7fefc1464be2 in futures::task_impl::Spawn$LT$T$GT$::enter::_$u7b$$u7b$closure$u7d$$u7d$::hfb133f03c1046753 src/third_party/rust/futures/src/task_impl/mod.rs:363
    #30 0x7fefc1464be2 in futures::task_impl::std::set::hb997ae7cc15a9b15 src/third_party/rust/futures/src/task_impl/std/mod.rs:78
    #31 0x7fefc1464be2 in futures::task_impl::Spawn$LT$T$GT$::enter::h058bb783be7fc7a3 src/third_party/rust/futures/src/task_impl/mod.rs:363
    #32 0x7fefc1464be2 in futures::task_impl::Spawn$LT$T$GT$::poll_future_notify::h74c95dca24aed8a8 src/third_party/rust/futures/src/task_impl/mod.rs:289
    #33 0x7fefc1464be2 in futures::task_impl::std::Run::run::h1a0c4680ae006636 src/third_party/rust/futures/src/task_impl/std/mod.rs:450
    #34 0x7fefc1464be2 in futures_cpupool::Inner::work::h4762dceb8410976a src/third_party/rust/futures-cpupool/src/lib.rs:257
    #35 0x7fefc1464be2 in futures_cpupool::Builder::create::_$u7b$$u7b$closure$u7d$$u7d$::hce6c1b963e8c3ab1 src/third_party/rust/futures-cpupool/src/lib.rs:427
    #36 0x7fefc1464be2 in std::sys_common::backtrace::__rust_begin_short_backtrace::hec0a26d17fbf8797 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/sys_common/backtrace.rs:77
    #37 0x7fefc1463979 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::ha5c426bceccbf1ef /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/thread/mod.rs:470:16
    #38 0x7fefc1463979 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h46726cdf78664f0c /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/panic.rs:315
    #39 0x7fefc1463979 in std::panicking::try::do_call::h96880815832064e4 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/panicking.rs:296
    #40 0x7fefc1463979 in __rust_maybe_catch_panic /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libpanic_abort/lib.rs:29
    #41 0x7fefc1463979 in std::panicking::try::h8eed1c6e8f11155c /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/panicking.rs:275
    #42 0x7fefc1463979 in std::panic::catch_unwind::hf5c1edfc475e6579 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/panic.rs:394
    #43 0x7fefc1463979 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::hba604fe8945ffb73 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/thread/mod.rs:469
    #44 0x7fefc1463979 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h133f8224b7997b5a /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libcore/ops/function.rs:231
    #45 0x7fefc1b2015d in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h42806b83647d4c79 /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/liballoc/boxed.rs:746:8
    #46 0x7fefc1b22407 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h83c921c8e826dd1d /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/liballoc/boxed.rs:746:8
    #47 0x7fefc1b22407 in std::sys_common::thread::start_thread::h2613204ce513782e /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/sys_common/thread.rs:13
    #48 0x7fefc1b22407 in std::sys::unix::thread::Thread::new::thread_start::h4570080769500bcd /rustc/eae3437dfe991621e8afdc82734f4a172d7ddf9b/src/libstd/sys/unix/thread.rs:79
    #49 0x7fefd57876b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #50 0x7fefd481041c in clone /build/glibc-LK5gWL/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Priority: P2 → --
See Also: → 1584643
See Also: → 1584660
Priority: -- → P3
Assignee: nobody → dminor
Duplicate of this bug: 1584643
Duplicate of this bug: 1584660

These have already been fixed upstream. The upstream comment was: "Negative
overflow is permitted here, because this is auto-regressive filters, and the
state for each batch run is stored in the "negative" positions of the output
vector."

Status: NEW → ASSIGNED
Pushed by dminor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1b3998d69371
Fix pointer overflow errors in webrtc signal processing; r=ng
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
No longer depends on: 1646904
You need to log in before you can comment on or make changes to this bug.