Closed Bug 746577 Opened 12 years ago Closed 12 years ago

ASAN: Opus crash [@nsNativeAudioStream::Write]

Categories

(Core :: Audio/Video, defect)

Version: Other Branch
Platform: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical


VERIFIED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: posidron, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [asan][sg:critical])

Attachments

(2 files)

Attached file callstack
Happens only in builds with ASAN enabled but is reproducible every time.


Origin:

case FORMAT_FLOAT32: {
// aBuf holds 'samples' float32 samples; the loop reads buf[0 .. samples-1]
const float* buf = static_cast<const float*>(aBuf);
for (PRUint32 i = 0; i < samples; ++i) {
  float scaled_value = floorf(0.5 + 32768 * buf[i] * scaled_volume); // <-- ASAN reports the read here
  if (buf[i] < 0.0) {
    s_data[i] = (scaled_value < -32768.0) ?
      -32768 :
      short(scaled_value);
  } else {
    s_data[i] = (scaled_value > 32767.0) ?
      32767 :
      short(scaled_value);
  }
}
Attached file sample
Awesome, that didn't take you long!

Help me out here though, what does "0 bytes to the right of 2592-byte region" mean? It ran off the end of the buf?
(In reply to Ralph Giles (:rillian) from comment #2)
> Help me out here though, what does "0 bytes to the right of 2592-byte
> region" mean? It ran off the end of the buf?

Yes, I assume it's an off-by-one error. Looking at the shadow data, it seems to be accessing one byte outside the valid memory:

0x100026df5754: fb
0x100026df5750: 00 00 00 00 fb fb fb fb

fb means the memory here is not valid.

The error message seems to confirm this, it says the memory region in question is [0x000136fab080,0x000136fabaa0) but 0x000136fabaa0 (which is not included, but the boundary) is accessed.
For the record, this is testing the patches in Bug 674225.
I'd guess it's an off-by-many, actually. Looks like I missed a change when I last updated the patch.

Does applying https://github.com/rillian/firefox/commit/ba1bf373e3b71c5c71cee576aeb917a66cdce13d resolve the problem?
Yes, that did it.
Ok, good. I'd say sorry for wasting your time, but this probably also explains why my try builds didn't work when local testing did!
Based on comments 5-7, calling this "fixed" before it ever hit mozilla-central.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [asan] → [asan][sg:critical]
Version: Trunk → Other Branch
Status: RESOLVED → VERIFIED