Closed Bug 459439 Opened 11 years ago Closed 11 years ago

Changing <audio> src can cause crashes

Categories

(Core :: Audio/Video, defect, P2, critical)

defect

Tracking

()

VERIFIED FIXED
mozilla1.9.1b2

People

(Reporter: jruderman, Assigned: cajbir)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:critical?][fixed by bug 449159])

Attachments

(2 files)

Changing the src attribute of an <audio> element can pause JavaScript execution in a strange way.  This can lead to all kinds of bad assertions and crashes.

I suspect that it's wrong to spin an event loop under nsHTMLMediaElement::SetAttr.

* Closing the window with the testcase can trigger nonsensical JavaScript errors such as "i is not defined", and can cause the music to restart.

* Reloading the testcase a few times can crash Firefox.

* More complicated testcases can cause scarier crashes.
Flags: blocking1.9.1?
Eep, yes, you have to be really really careful about where you spin the event loop. You basically never want to do it.
Firefox was showing "FAIL" while I took this sample.
I think this needs to be fixed well before 1.9.1.

* It will interfere with sites that use <audio> in interesting ways, which is bad on its own but also means the security hole is likely to be discovered.

* It interferes with me being able to test <audio> for other bugs.
Whiteboard: [sg:critical?]
Assignee: nobody → chris.double
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Related to bug 449481?
Also bug 456648. The event loop spinning issues are being worked on in bug 449159 since they same issue was happening during destruction via the cycle collector (spinning the event loop).
Ok, tried the testcase using the latest iteration of the fix for bug 449159 and it shows PASS?, audio plays fine, no assertions, and refreshing the page multiple times works fine.
This seems to have been fixed by bug 449159.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Verified with builds on OS X and Windows (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090204 Shiretoko/3.1b3pre ID:20090204020327)

Can we get the crashtest into the test suite?
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:critical?] → [sg:critical?][fixed by bug 449159]
Target Milestone: --- → mozilla1.9.1b2
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Can this bug be opened up now?
Yes, making this bug public.

I'll add a crashtest soon.
Group: core-security
Crashtest: http://hg.mozilla.org/mozilla-central/rev/7dcc98765d59
Flags: in-testsuite? → in-testsuite+
Depends on: 509272
You need to log in before you can comment on or make changes to this bug.