Closed Bug 867086 Opened 11 years ago Closed 11 years ago

WebAudio stack-buffer-overflow [@mozilla::AudioChannelsDownMix]

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Unassigned)

References

Details

(5 keywords, Whiteboard: [adv-main23-] fixed in bug 865234)

Attachments

(2 files)

testcase
8.03 KB, text/html
Details
callstack
5.29 KB, text/plain
Details
Attached file testcase 
content/media/AudioChannelFormat.cpp:212

  for (uint32_t c = 0; c < inputChannelCount; ++c) {
*   outputChannels[m.mInputDestination[c]] +=
      m.mInputCoefficient[c]*(static_cast<const float*>(inputChannels[c]))[s];
  }


Tested with m-i changeset: 130174:ea5490a3bca7
Attached file callstack 

    
  
Blocks: webaudio

    
    

    
  
I'm rewriting a whole bunch of stuff in this code in bug 865234.  It probably makes sense for us to wait for that bug to land and then retest.  I'm hoping to push those patches tomorrow if I get the reviews.
Depends on: 865234

    
    

    
  
Christoph, can you please retest this?  Thanks!

    
    

    
  
Fixed.

Tested with m-i changeset: 130540:39aad6551764

    
    

    
  
Yay!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE

    
    

    
  
We shouldn't dup found security bugs against implementation bugs, if the specific vulnerability was unknown at the time. There were no previous reports of the same issue. Let's mark this as fixed.
Resolution: DUPLICATE → FIXED

          status-b2g18:
          --- → unaffected

          status-firefox22:
          --- → unaffected

          status-firefox23:
          --- → fixed

          status-firefox-esr17:
          --- → unaffected
Keywords: regression
Whiteboard: fixed in bug 865234

    
    

    
  
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: fixed in bug 865234 → [adv-main23-] fixed in bug 865234
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: