Closed Bug 866737 Opened 12 years ago Closed 12 years ago

crash in mozilla::dom::PannerNode::FindConnectedSources

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Version:
23 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: scoobidiver, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [adv-main23-])

Crash Data

Attachments

(1 file)

Patch (v1)
4.06 KB, patch
padenot
: review+
Details | Diff | Splinter Review
It first showed up in 23.0a1/20130416. The regression range might be: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=261d6997d1d1&tochange=1d9c510b3742 Signature mozilla::dom::PannerNode::FindConnectedSources(mozilla::dom::AudioNode*, nsTArray<mozilla::dom::AudioBufferSourceNode*>&, std::set<mozilla::dom::AudioNode*, std::less<mozilla::dom::AudioNode*>, std::allocator<mozilla::dom::AudioNode*> >&) More Reports Search UUID d6842db5-383d-4fc6-8132-231df2130429 Date Processed 2013-04-29 13:03:37 Uptime 23 Last Crash 35 seconds before submission Install Age 7.2 hours since version was first installed. Install Time 2013-04-29 05:51:30 Product Firefox Version 23.0a1 Build ID 20130428031010 Release Channel nightly OS Windows NT OS Version 5.1.2600 Service Pack 3 Build Architecture x86 Build Architecture Info GenuineIntel family 15 model 2 stepping 9 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x0 App Notes AdapterVendorID: 0x0000, AdapterDeviceID: 0x0000, AdapterSubsysID: 00000000, AdapterDriverVersion: D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- Processor Notes sp-processor05.phx1.mozilla.com_19953:2012 EMCheckCompatibility True Adapter Vendor ID 0x0000 Adapter Device ID 0x0000 Total Virtual Memory 2147352576 Available Virtual Memory 1906249728 System Memory Use Percentage 47 Available Page File 912732160 Available Physical Memory 277131264 Accessibility Active Frame Module Signature Source 0 xul.dll mozilla::dom::PannerNode::FindConnectedSources content/media/webaudio/PannerNode.cpp:493 1 xul.dll mozilla::dom::PannerNode::FindConnectedSources content/media/webaudio/PannerNode.cpp:466 2 xul.dll mozilla::dom::FindConnectedSourcesOn content/media/webaudio/AudioContext.cpp:270 3 xul.dll nsTHashtable<nsPtrHashKey<mozilla::dom::PannerNode> >::s_EnumStub obj-firefox/dist/include/nsTHashtable.h:486 4 xul.dll PL_DHashTableEnumerate obj-firefox/xpcom/build/pldhash.cpp:714 5 xul.dll nsTHashtable<nsPtrHashKey<mozilla::dom::PannerNode> >::EnumerateEntries obj-firefox/dist/include/nsTHashtable.h:237 6 xul.dll mozilla::dom::AudioContext::UpdatePannerSource content/media/webaudio/AudioContext.cpp:278 7 xul.dll mozilla::dom::AudioNode::Disconnect content/media/webaudio/AudioNode.cpp:213 8 xul.dll mozilla::dom::AudioNodeBinding::disconnect obj-firefox/dom/bindings/AudioNodeBinding.cpp:102 9 mozjs.dll mozjs.dll@0xe3fa0 10 @0x11ea01 More reports at: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3APannerNode%3A%3AFindConnectedSources%28mozilla%3A%3Adom%3A%3AAudioNode*%2C+nsTArray%3Cmozilla%3A%3Adom%3A%3AAudioBufferSourceNode*%3E%26%2C+std%3A%3Aset%3Cmozilla%3A%3Adom%3A%3AAudioNode*%2C+std%3A%3Aless%3Cmozilla%3A%3Adom%3A%3AAudioNode*%3E%2C+std%3A%3Aallocator%3Cmozilla%3A%3Adom%3A%3AAudioNode*%3E+%3E%26%29 https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3APannerNode%3A%3AFindConnectedSources%28%29 https://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A23.0a1&query_search=signature&query_type=contains&query=%3A%3AClear%28%29&do_query=1
Blocks: webaudio
PannerNode needs to unregister itself when getting deleted by the CC.
Hmm, this is use after free, basically.
Assignee: nobody → ehsan
Group: core-security
Keywords: sec-critical
Use-after-unlink isn't so bad. The CC doesn't actually delete things. :)
Well, sounds like this isn't actually a use-after-unlink, but something having a weak reference.
Yes, the issue here is that CC nulls out mContext, which means that code in ~PannerNode to unregister the node before it going away will not run, which means that when you do something that causes the mPannerNodes hashtable to be accessed again, you'll end up accessing the freed PannerNode object.
Attached patch Patch (v1)Splinter Review
Attachment #743171 - Flags: review?(paul)
Keywords: csec-uaf
Attachment #743171 - Flags: review?(paul) → review+
https://hg.mozilla.org/mozilla-central/rev/20cb411cf7df
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox23: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: