Closed Bug 865550 Opened 9 years ago Closed 9 years ago

WebAudio use-after-free [@mozilla::dom::AudioBufferSourceNode::Stop]

Categories

(Core :: Web Audio, defect)

Platform: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla23
Tracking Status
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 --- unaffected
firefox23 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [adv-main23-])

Attachments

(4 files)

Attached file testcase
alloc: ./obj-ff64-asan-opt/dom/bindings/AudioContextBinding.cpp:319

    static bool
    createBufferSource(JSContext* cx, JSHandleObject obj, mozilla::dom::AudioContext* self, unsigned argc, JS::Value* vp)
    {
      nsRefPtr<mozilla::dom::AudioBufferSourceNode > result;
*     result = self->CreateBufferSource();


free: content/media/webaudio/AudioNode.cpp:37

    NS_IMETHODIMP_(nsrefcnt)
    AudioNode::Release()
    {
      if (mRefCnt.get() == 1) {
        // We are about to be deleted, disconnect the object from the graph before
        // the derived type is destroyed.
        DisconnectFromGraph();
      }
*     nsrefcnt r = nsDOMEventTargetHelper::Release();



re-use: content/media/webaudio/AudioBufferSourceNode.cpp:518

    void
    AudioBufferSourceNode::Stop(double aWhen, ErrorResult& aRv)
    {
*     if (!mStartCalled) {


Tested with m-i changeset: 129815:0f87eee6f792
Attached file callstack
I landed 3-4 patches today which should help with this, and there's also my patch in bug 865532 which has not landed yet (but that probably won't help with this.)  Do you mind testing this on the tip of inbound, please?
Blocks: webaudio
I did :-)
Sigh!  OK, can you please tell me what exact revision you're using so that I can be sure I'm looking at the right lines of source files?
Assignee: nobody → ehsan
What's happening here is that the UnlinkImpl method for AudioBufferSourceNode first calls the UnlinkImpl method for the base class, which clobbers mContext, and therefore the UnregisterAudioBufferSourceNode function never gets called, leaving the AudioContext with dangling pointers to AudioBufferSourceNodes.

This is a footgun in general, filed bug 865847 for the broader issue.
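The unlink-ordering mistake described in the comment above, reduced to a stand-alone model (added illustration, not the Mozilla code or the landed patch; Context, Node, BuggySource and FixedSource are hypothetical stand-ins for AudioContext, AudioNode and AudioBufferSourceNode):

```cpp
#include <cassert>
#include <set>

// Hypothetical stand-in for AudioContext: a registry of raw node pointers,
// mirroring how the context tracked its AudioBufferSourceNodes.
struct Context {
    std::set<const void*> sources;
    void Register(const void* n)   { sources.insert(n); }
    void Unregister(const void* n) { sources.erase(n); }
};

// Stand-in for the AudioNode base class: its UnlinkImpl clobbers mContext.
struct Node {
    Context* mContext;
    explicit Node(Context* c) : mContext(c) {}
    virtual ~Node() {}
    virtual void UnlinkImpl() { mContext = nullptr; }
};

// Buggy ordering from the report: the base UnlinkImpl runs first, so by the
// time the derived class tries to unregister, mContext is already null and
// the context keeps a pointer to an object that is about to be freed.
struct BuggySource : Node {
    explicit BuggySource(Context* c) : Node(c) { c->Register(this); }
    void UnlinkImpl() override {
        Node::UnlinkImpl();
        if (mContext) mContext->Unregister(this);
    }
};

// Fixed ordering: unregister while mContext is still valid, then let the
// base class clear it.
struct FixedSource : Node {
    explicit FixedSource(Context* c) : Node(c) { c->Register(this); }
    void UnlinkImpl() override {
        if (mContext) mContext->Unregister(this);
        Node::UnlinkImpl();
    }
};

// Unlink and destroy a node, then report whether the context still holds its
// (now dangling) address. True means any later use through the context would
// be a use-after-free, which is what ASan flagged in the testcase.
template <class S>
bool contextKeepsDanglingPointer() {
    Context ctx;
    S* node = new S(&ctx);
    const void* addr = node;
    node->UnlinkImpl();
    delete node;
    return ctx.sources.count(addr) == 1;
}

bool buggyLeavesDangling() { return contextKeepsDanglingPointer<BuggySource>(); }
bool fixedLeavesDangling() { return contextKeepsDanglingPointer<FixedSource>(); }
```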
Attached patch: Patch (v1) (Splinter Review)
Attachment #742010 - Flags: review?(continuation)
Attachment #742010 - Flags: review?(continuation) → review+
Blocks: 866141
https://hg.mozilla.org/mozilla-central/rev/3f48aa1ff025
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Group: core-security
Flags: in-testsuite? → in-testsuite+
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d0527839b83f
Add a crashtest based on the test case for the bug