ASAN: Opus crash [@nsNativeAudioStream::Write]

VERIFIED FIXED

Core
Audio/Video
--
critical
5 years ago

People

(Reporter: posidron, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Other Branch
x86_64
Mac OS X

Firefox Tracking Flags

(firefox-esr10 unaffected)

Details

(Whiteboard: [asan][sg:critical])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 616143 [details]
callstack

Happens only in builds with ASAN enabled but is reproducible every time.


Origin:

case FORMAT_FLOAT32: {
const float* buf = static_cast<const float*>(aBuf);
for (PRUint32 i = 0; i <  samples; ++i) {
  float scaled_value = floorf(0.5 + 32768 * buf[i] * scaled_volume); // <--
  if (buf[i] < 0.0) {
    s_data[i] = (scaled_value < -32768.0) ?
      -32768 :
      short(scaled_value);
  } else {
    s_data[i] = (scaled_value > 32767.0) ?
      32767 :
      short(scaled_value);
  }
}
(Reporter)

Comment 1

5 years ago
Created attachment 616144 [details]
sample
Comment 2

Awesome, that didn't take you long!

Help me out here though, what does "0 bytes to the right of 2592-byte region" mean? It ran off the end of the buf?
Comment 3

(In reply to Ralph Giles (:rillian) from comment #2)
> Help me out here though, what does "0 bytes to the right of 2592-byte
> region" mean? It ran off the end of the buf?

Yes, I assume it's an off-by-one error. Looking at the shadow data, it seems to be accessing one byte outside the valid memory:

0x100026df5754: fb
0x100026df5750: 00 00 00 00 fb fb fb fb

fb means the memory here is not valid.

The error message seems to confirm this: it says the memory region in question is [0x000136fab080,0x000136fabaa0) but 0x000136fabaa0 (which is the boundary and not included) is accessed.
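Added example, not code from the bug or from Firefox: the shadow-byte arithmetic behind the numbers in comment 3, and the FORMAT_FLOAT32 loop with the claimed sample count checked against the buffer size before the loop runs. It assumes the x86_64 Mac OS X ASAN shadow offset 0x100000000000 (which reproduces the shadow address quoted above for the region end) and a constructed 4-sample input.

```c
#include <stdint.h>
#include <stddef.h>

/* ASAN keeps one shadow byte per 8-byte granule of application memory:
 * shadow = (addr >> 3) + offset. The offset below is the x86_64 Mac OS X
 * value (assumption); it reproduces the shadow address quoted in comment 3
 * for the region end 0x136fabaa0. */
#define SHADOW_OFFSET 0x100000000000ULL

uint64_t shadow_addr(uint64_t addr) { return (addr >> 3) + SHADOW_OFFSET; }

/* Shadow 0x00: all 8 bytes addressable; 1..7: only the first k bytes are;
 * 0xfb (heap right redzone) and other high values: not addressable. */
int shadow_addressable(uint8_t shadow, uint64_t addr) {
    if (shadow == 0) return 1;
    if (shadow < 8) return (addr & 7) < shadow;
    return 0;
}

/* Distance of an access past the end of [start, end); ASAN reports 0 as
 * "0 bytes to the right of" the region, i.e. the first byte after it. */
uint64_t bytes_right_of(uint64_t end, uint64_t access) { return access - end; }

/* Stand-in for floorf so the example links without libm (exact here). */
static float floor_f(float x) { float t = (float)(long)x; return t > x ? t - 1.0f : t; }

/* The FORMAT_FLOAT32 loop from the bug, with the claimed sample count
 * checked against the real size of the input before any read happens.
 * Returns samples written, or -1 when the caller over-states the count. */
long write_float32(const float *buf, size_t buf_bytes, uint32_t samples,
                   float scaled_volume, short *s_data) {
    if ((uint64_t)samples * sizeof(float) > buf_bytes) return -1;
    for (uint32_t i = 0; i < samples; ++i) {
        float scaled_value = floor_f(0.5f + 32768 * buf[i] * scaled_volume);
        if (buf[i] < 0.0f)
            s_data[i] = (scaled_value < -32768.0f) ? -32768 : (short)scaled_value;
        else
            s_data[i] = (scaled_value > 32767.0f) ? 32767 : (short)scaled_value;
    }
    return (long)samples;
}

/* Constructed input: full scale, negative full scale, half scale, over-range. */
static const float kIn[4] = {1.0f, -1.0f, 0.5f, -2.0f};
static short kOut[4];

long convert_sample(uint32_t samples) {          /* run on the 4-float buffer */
    return write_float32(kIn, sizeof kIn, samples, 1.0f, kOut);
}
short sample_out(int i) { return kOut[i]; }
```

Claiming 5 samples for the 4-float buffer is the shape of the off-by-many described in comment 5, and the length check refuses it instead of reading into the redzone.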
Comment 4

For the record, this is testing the patches in Bug 674225.
Comment 5

I'd guess it's an off-by-many, actually. Looks like I missed a change when I last updated the patch.

Does applying https://github.com/rillian/firefox/commit/ba1bf373e3b71c5c71cee576aeb917a66cdce13d resolve the problem?
(Reporter)

Comment 6

5 years ago
Yes, that did it.
Comment 7

Ok, good. I'd say sorry for wasting your time, but this probably also explains why my try builds didn't work when local testing did!
Comment 8

Based on comments 5-7, calling this "fixed" before it ever hit mozilla-central.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox-esr10: --- → unaffected
Resolution: --- → FIXED
Whiteboard: [asan] → [asan][sg:critical]
Version: Trunk → Other Branch
Blocks: 750714
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED