Closed Bug 866737 Opened 7 years ago Closed 7 years ago

crash in mozilla::dom::PannerNode::FindConnectedSources

Component: Core :: Web Audio
Type: defect
Version: 23 Branch
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla23

Tracking Status
firefox22 --- unaffected
firefox23 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

Reporter: scoobidiver
Assignee: ehsan
Details: 4 keywords, Whiteboard: [adv-main23-]
Attachments: 1 file

It first showed up in 23.0a1/20130416. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=261d6997d1d1&tochange=1d9c510b3742

Signature 	mozilla::dom::PannerNode::FindConnectedSources(mozilla::dom::AudioNode*, nsTArray<mozilla::dom::AudioBufferSourceNode*>&, std::set<mozilla::dom::AudioNode*, std::less<mozilla::dom::AudioNode*>, std::allocator<mozilla::dom::AudioNode*> >&)
UUID	d6842db5-383d-4fc6-8132-231df2130429
Date Processed	2013-04-29 13:03:37
Uptime	23
Last Crash	35 seconds before submission
Install Age	7.2 hours since version was first installed.
Install Time	2013-04-29 05:51:30
Product	Firefox
Version	23.0a1
Build ID	20130428031010
Release Channel	nightly
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x0000, AdapterDeviceID: 0x0000, AdapterSubsysID: 00000000, AdapterDriverVersion: 
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
Processor Notes 	sp-processor05.phx1.mozilla.com_19953:2012
EMCheckCompatibility	True
Adapter Vendor ID	0x0000
Adapter Device ID	0x0000
Total Virtual Memory	2147352576
Available Virtual Memory	1906249728
System Memory Use Percentage	47
Available Page File	912732160
Available Physical Memory	277131264
Accessibility	Active

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::dom::PannerNode::FindConnectedSources 	content/media/webaudio/PannerNode.cpp:493
1 	xul.dll 	mozilla::dom::PannerNode::FindConnectedSources 	content/media/webaudio/PannerNode.cpp:466
2 	xul.dll 	mozilla::dom::FindConnectedSourcesOn 	content/media/webaudio/AudioContext.cpp:270
3 	xul.dll 	nsTHashtable<nsPtrHashKey<mozilla::dom::PannerNode> >::s_EnumStub 	obj-firefox/dist/include/nsTHashtable.h:486
4 	xul.dll 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.cpp:714
5 	xul.dll 	nsTHashtable<nsPtrHashKey<mozilla::dom::PannerNode> >::EnumerateEntries 	obj-firefox/dist/include/nsTHashtable.h:237
6 	xul.dll 	mozilla::dom::AudioContext::UpdatePannerSource 	content/media/webaudio/AudioContext.cpp:278
7 	xul.dll 	mozilla::dom::AudioNode::Disconnect 	content/media/webaudio/AudioNode.cpp:213
8 	xul.dll 	mozilla::dom::AudioNodeBinding::disconnect 	obj-firefox/dom/bindings/AudioNodeBinding.cpp:102
9 	mozjs.dll 	mozjs.dll@0xe3fa0 	
10 		@0x11ea01

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3APannerNode%3A%3AFindConnectedSources%28mozilla%3A%3Adom%3A%3AAudioNode*%2C+nsTArray%3Cmozilla%3A%3Adom%3A%3AAudioBufferSourceNode*%3E%26%2C+std%3A%3Aset%3Cmozilla%3A%3Adom%3A%3AAudioNode*%2C+std%3A%3Aless%3Cmozilla%3A%3Adom%3A%3AAudioNode*%3E%2C+std%3A%3Aallocator%3Cmozilla%3A%3Adom%3A%3AAudioNode*%3E+%3E%26%29
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3APannerNode%3A%3AFindConnectedSources%28%29
https://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A23.0a1&query_search=signature&query_type=contains&query=%3A%3AClear%28%29&do_query=1
Blocks: webaudio
PannerNode needs to unregister itself when getting deleted by the CC.
Hmm, this is use after free, basically.
Assignee: nobody → ehsan
Group: core-security
Keywords: sec-critical
Use-after-unlink isn't so bad.  The CC doesn't actually delete things. :)
Well, sounds like this isn't actually a use-after-unlink, but something having a weak reference.
Yes, the issue here is that CC nulls out mContext, which means that the code in ~PannerNode to unregister the node before it goes away will not run, which means that when you do something that causes the mPannerNodes hashtable to be accessed again, you'll end up accessing the freed PannerNode object.
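The lifetime pattern in the comment above, as an added illustration that is not Gecko code and not the attached patch: a context keeps a registry of raw pointers to panner nodes, a node removes itself from that registry only in its destructor, and the cycle collector's Unlink step clears the node's context pointer before the destructor runs, so the registry entry outlives the object. The class names (DemoAudioContext, DemoPannerNode, FixedPannerNode) and the hardened variant are constructed for this example; the fix shown (unregistering during Unlink, before the context pointer is dropped) is one reasonable repair, not a transcription of revision 20cb411cf7df.

```cpp
// Added illustration (not Gecko code) of the lifetime bug described above:
// a context keeps a registry of raw pointers to panner nodes, a node removes
// itself from that registry only in its destructor, and the cycle collector's
// Unlink step nulls the node's context pointer before the destructor runs.
// DemoAudioContext / DemoPannerNode / FixedPannerNode are constructed names;
// the hardened variant is one reasonable fix, not a transcription of the patch.
#include <cstdio>
#include <memory>
#include <set>

struct DemoPannerNode;

// Stands in for the mPannerNodes hashtable: non-owning raw pointers, so the
// registry itself does nothing to keep a node alive.
struct DemoAudioContext {
  std::set<DemoPannerNode*> mPannerNodes;
  void RegisterPanner(DemoPannerNode* node) { mPannerNodes.insert(node); }
  void UnregisterPanner(DemoPannerNode* node) { mPannerNodes.erase(node); }
  size_t RegisteredCount() const { return mPannerNodes.size(); }
};

struct DemoPannerNode {
  DemoAudioContext* mContext;

  explicit DemoPannerNode(DemoAudioContext* ctx) : mContext(ctx) {
    mContext->RegisterPanner(this);
  }
  virtual ~DemoPannerNode() {
    // Buggy pattern: unregistration lives only here and is skipped whenever
    // the context pointer has already been cleared.
    if (mContext) {
      mContext->UnregisterPanner(this);
    }
  }
  // Models the cycle collector's Unlink, which drops the edge to the context.
  virtual void Unlink() { mContext = nullptr; }
};

// Hardened variant: tear down the registration as part of Unlink, before the
// context pointer is dropped, so the registry can never outlive the node.
struct FixedPannerNode : DemoPannerNode {
  using DemoPannerNode::DemoPannerNode;
  void Unlink() override {
    if (mContext) {
      mContext->UnregisterPanner(this);
    }
    mContext = nullptr;
  }
};

// Replays the sequence behind the stack trace: the node is unlinked by the
// collector, then freed, and the context's registry is consulted afterwards.
// Returns how many registry entries survive, i.e. how many now point at
// freed memory. The entries are only counted, never dereferenced.
template <typename NodeT>
size_t DanglingEntriesAfterCollection() {
  DemoAudioContext ctx;
  {
    std::unique_ptr<DemoPannerNode> node(new NodeT(&ctx));
    node->Unlink();   // cycle collector clears mContext
  }                   // node is destroyed here, with mContext already null
  return ctx.RegisteredCount();
}

size_t BuggyDanglingEntries() { return DanglingEntriesAfterCollection<DemoPannerNode>(); }
size_t FixedDanglingEntries() { return DanglingEntriesAfterCollection<FixedPannerNode>(); }

int main() {
  std::printf("destructor-only unregistration leaves %zu dangling entries\n",
              BuggyDanglingEntries());
  std::printf("unregistering in Unlink leaves %zu dangling entries\n",
              FixedDanglingEntries());
  return 0;
}
```

The example deliberately stops at counting stale entries; in the real code path the registry walk from UpdatePannerSource calls into each node, which is the read of freed memory the crash reports. The practical check for this class of bug is to run the same unlink-then-free-then-walk sequence under AddressSanitizer, which reports the heap-use-after-free at the walk rather than at a later null-address crash, and to treat any raw-pointer registry whose cleanup lives only in a destructor as suspect whenever cycle collection or any other unlink step can clear the pointers the destructor depends on.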
Attached patch: Patch (v1)
Attachment #743171 - Flags: review?(paul)
Keywords: csec-uaf
Attachment #743171 - Flags: review?(paul) → review+
https://hg.mozilla.org/mozilla-central/rev/20cb411cf7df
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Group: core-security