WebAudio use-after-free [@mozilla::dom::AudioBufferSourceNode::Stop]

RESOLVED FIXED in Firefox 23

Status


defect
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: posidron, Assigned: Ehsan)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
mozilla23
x86_64
macOS
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox20 unaffected, firefox21 unaffected, firefox22 unaffected, firefox23+ fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main23-])

Attachments

(3 attachments)

Posted file testcase
alloc: ./obj-ff64-asan-opt/dom/bindings/AudioContextBinding.cpp:319

    static bool
    createBufferSource(JSContext* cx, JSHandleObject obj, mozilla::dom::AudioContext* self, unsigned argc, JS::Value* vp)
    {
      nsRefPtr<mozilla::dom::AudioBufferSourceNode > result;
*     result = self->CreateBufferSource();


free: content/media/webaudio/AudioNode.cpp:37

    NS_IMETHODIMP_(nsrefcnt)
    AudioNode::Release()
    {
      if (mRefCnt.get() == 1) {
        // We are about to be deleted, disconnect the object from the graph before
        // the derived type is destroyed.
        DisconnectFromGraph();
      }
*     nsrefcnt r = nsDOMEventTargetHelper::Release();



re-use: content/media/webaudio/AudioBufferSourceNode.cpp:518

    void
    AudioBufferSourceNode::Stop(double aWhen, ErrorResult& aRv)
    {
*     if (!mStartCalled) {


Tested with m-i changeset: 129815:0f87eee6f792
Posted file callstack
I landed 3-4 patches today which should help with this, and there's also my patch in bug 865532 which has not landed yet (but that probably won't help with this.)  Do you mind testing this on the tip of inbound, please?
Blocks: webaudio
I did :-)
Sigh!  OK, can you please tell me what exact revision you're using so that I can be sure I'm looking at the right lines of source files?
Assignee: nobody → ehsan
What's happening here is that the UnlinkImpl method for AudioBufferSourceNode first calls the UnlinkImpl method for the base class, which clobbers mContext, and therefore the UnregisterAudioBufferSourceNode function never gets called, leaving the AudioContext with dangling pointers to AudioBufferSourceNodes.

This is a footgun in general, filed bug 865847 for the broader issue.
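The unlink-order mistake described in the comment above, reduced to a stand-alone model so the dangling-pointer outcome can be checked directly. This is added illustrative code, not Firefox's; the class names, the `if (mContext)` guard around the unregister call and the std::set registry are assumptions standing in for the real AudioContext/AudioBufferSourceNode code.

```cpp
#include <set>

struct AudioContext;

// Base class. Its UnlinkImpl() clobbers mContext, as the comment describes.
struct AudioNode {
  AudioContext* mContext;
  explicit AudioNode(AudioContext* aCtx) : mContext(aCtx) {}
  virtual ~AudioNode() {}
  virtual void UnlinkImpl() { mContext = nullptr; }
};

// The context keeps non-owning raw pointers to its source nodes (assumed
// registry): nothing but the unregister call removes a dying node from it.
struct AudioContext {
  std::set<AudioNode*> mSourceNodes;
  void RegisterSourceNode(AudioNode* aNode) { mSourceNodes.insert(aNode); }
  void UnregisterSourceNode(AudioNode* aNode) { mSourceNodes.erase(aNode); }
};

// Buggy order: the base UnlinkImpl runs first, mContext is already null, so
// the guarded unregister call is skipped and the context keeps the pointer.
struct BuggySourceNode : AudioNode {
  explicit BuggySourceNode(AudioContext* aCtx) : AudioNode(aCtx) { aCtx->RegisterSourceNode(this); }
  void UnlinkImpl() override {
    AudioNode::UnlinkImpl();
    if (mContext) mContext->UnregisterSourceNode(this);  // never reached
  }
};

// Fixed order: unregister while mContext is still valid, then unlink the base.
struct FixedSourceNode : AudioNode {
  explicit FixedSourceNode(AudioContext* aCtx) : AudioNode(aCtx) { aCtx->RegisterSourceNode(this); }
  void UnlinkImpl() override {
    if (mContext) mContext->UnregisterSourceNode(this);
    AudioNode::UnlinkImpl();
  }
};

// Create, unlink and destroy one node, then report whether the context still
// holds a pointer to it. True means a dangling pointer to freed memory.
template <typename Node>
bool ContextRetainsFreedNode() {
  AudioContext ctx;
  Node* node = new Node(&ctx);
  node->UnlinkImpl();
  delete node;
  return !ctx.mSourceNodes.empty();
}
```

Under ASan the real bug shows up as the alloc/free/re-use triple in the attached testcase; in this model it shows up as a registry entry that outlives the node it names.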
Posted patch Patch (v1)
Attachment #742010 - Flags: review?(continuation)
Attachment #742010 - Flags: review?(continuation) → review+
Blocks: 866141
https://hg.mozilla.org/mozilla-central/rev/3f48aa1ff025
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Blocks: 875414
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Group: core-security