Closed
Bug 746577
Opened 12 years ago
Closed 12 years ago
ASAN: Opus crash [@nsNativeAudioStream::Write]
Categories
(Core :: Audio/Video, defect)
Tracking
VERIFIED
FIXED
| Tracking | Status
---|---|---
firefox-esr10 | --- | unaffected
People
(Reporter: posidron, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [asan][sg:critical])
Attachments
(2 files)
Happens only in builds with ASAN enabled but is reproducible every time. Origin:

```cpp
case FORMAT_FLOAT32: {
  const float* buf = static_cast<const float*>(aBuf);
  for (PRUint32 i = 0; i < samples; ++i) {
    float scaled_value = floorf(0.5 + 32768 * buf[i] * scaled_volume); // <--
    if (buf[i] < 0.0) {
      s_data[i] = (scaled_value < -32768.0) ? -32768 : short(scaled_value);
    } else {
      s_data[i] = (scaled_value > 32767.0) ? 32767 : short(scaled_value);
    }
  }
}
```
Comment 1 (Reporter)•12 years ago
Comment 2•12 years ago
Awesome, that didn't take you long! Help me out here though, what does "0 bytes to the right of 2592-byte region" mean? It ran off the end of the buf?
Comment 3•12 years ago
(In reply to Ralph Giles (:rillian) from comment #2)
> Help me out here though, what does "0 bytes to the right of 2592-byte
> region" mean? It ran off the end of the buf?

Yes, I assume it's an off-by-one error. Looking at the shadow data, it seems to be accessing one byte outside the valid memory:

    0x100026df5754: fb
    0x100026df5750: 00 00 00 00 fb fb fb fb

fb means the memory here is not valid. The error message seems to confirm this, it says the memory region in question is [0x000136fab080,0x000136fabaa0) but 0x000136fabaa0 (which is not included, but the boundary) is accessed.
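Re-deriving the numbers in that comment, as an added C example (not from this bug, from Firefox, or from ASAN itself): the region bounds, faulting address and shadow line are copied from the report above; the shadow mapping `shadow = (addr >> 3) + 0x100000000000` is an assumption (the 64-bit ASAN layout that reproduces the quoted shadow address 0x100026df5754).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the ASAN report quoted in comment 3. */
#define REGION_BEGIN 0x000136fab080ULL
#define REGION_END   0x000136fabaa0ULL   /* exclusive end of the 2592-byte region */
#define BAD_ACCESS   0x000136fabaa0ULL   /* address the write handler read from */
/* Shadow line "0x100026df5750: 00 00 00 00 fb fb fb fb" from the same comment. */
#define SHADOW_LINE_ADDR 0x100026df5750ULL
static const uint8_t shadow_line[8] = {0x00,0x00,0x00,0x00,0xfb,0xfb,0xfb,0xfb};

/* Assumed 64-bit ASAN mapping: one shadow byte per 8 application bytes,
 * shadow = (addr >> 3) + offset. This offset reproduces the quoted address. */
#define SHADOW_SCALE  3
#define SHADOW_OFFSET 0x100000000000ULL

uint64_t region_size(void) { return REGION_END - REGION_BEGIN; } /* 2592 */

/* Bytes past the end of the region ("N bytes to the right of"); -1 when the
 * address is not past the end (inside the region or before it). */
int64_t bytes_right_of_region(uint64_t addr) {
    if (addr < REGION_END) return -1;
    return (int64_t)(addr - REGION_END);
}

uint64_t shadow_addr(uint64_t addr) { return (addr >> SHADOW_SCALE) + SHADOW_OFFSET; }

/* Look the shadow byte up in the dumped line; 0xff if it is not in the dump. */
uint8_t shadow_byte_for(uint64_t addr) {
    uint64_t s = shadow_addr(addr);
    if (s < SHADOW_LINE_ADDR || s >= SHADOW_LINE_ADDR + 8) return 0xff;
    return shadow_line[s - SHADOW_LINE_ADDR];
}

/* Shadow 0x00: all 8 bytes addressable; 1..7: only the first k bytes;
 * anything larger (0xfb here, a heap redzone): poisoned. An access of
 * `size` bytes at `addr` is valid only if it ends inside the allowed prefix. */
int access_addressable(uint64_t addr, size_t size, uint8_t shadow) {
    if (shadow == 0) return 1;
    if (shadow > 7) return 0;
    return (unsigned)(addr & 7) + size <= shadow;
}

int main(void) {
    uint8_t sb = shadow_byte_for(BAD_ACCESS);
    printf("region %llu bytes; access %lld bytes right of it; shadow 0x%02x; addressable=%d\n",
           (unsigned long long)region_size(), (long long)bytes_right_of_region(BAD_ACCESS),
           sb, access_addressable(BAD_ACCESS, sizeof(float), sb));
    return 0;
}
```

The last in-bounds float (at REGION_END - 4) maps to shadow byte index 3 of the dumped line (0x00), while the faulting read maps to index 4 (0xfb), which is exactly what the report's marker line shows.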
Comment 4•12 years ago
For the record, this is testing the patches in Bug 674225.
Comment 5•12 years ago
I'd guess it's an off-by-many, actually. Looks like I missed a change when I last updated the patch. Does applying https://github.com/rillian/firefox/commit/ba1bf373e3b71c5c71cee576aeb917a66cdce13d resolve the problem?
Comment 6 (Reporter)•12 years ago
Yes, that did it.
Comment 7•12 years ago
Ok, good. I'd say sorry for wasting your time, but this probably also explains why my try builds didn't work when local testing did!
Comment 8•12 years ago
Based on comments 5-7, calling this "fixed" before it ever hit mozilla-central.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox-esr10:
--- → unaffected
Resolution: --- → FIXED
Whiteboard: [asan] → [asan][sg:critical]
Version: Trunk → Other Branch
Updated•12 years ago
Blocks: fuzzing-opus
Updated (Reporter)•12 years ago
Status: RESOLVED → VERIFIED