WebAudio stack-buffer-overflow [@mozilla::AudioChannelsDownMix]

RESOLVED FIXED

Status

defect
--
critical
6 years ago
5 years ago

People

(Reporter: posidron, Unassigned)

Tracking

(Blocks 1 bug, 5 keywords)

Trunk
x86_64
macOS

Firefox Tracking Flags

(firefox22 unaffected, firefox23 fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main23-] fixed in bug 865234)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Posted file testcase
content/media/AudioChannelFormat.cpp:212

  for (uint32_t c = 0; c < inputChannelCount; ++c) {
*   outputChannels[m.mInputDestination[c]] +=
      m.mInputCoefficient[c]*(static_cast<const float*>(inputChannels[c]))[s];
  }


Tested with m-i changeset: 130174:ea5490a3bca7
(Reporter)

Comment 1

6 years ago
Posted file callstack
(Reporter)

Updated

6 years ago
Blocks: webaudio
I'm rewriting a whole bunch of stuff in this code in bug 865234.  It probably makes sense for us to wait for that bug to land and then retest.  I'm hoping to push those patches tomorrow if I get the reviews.
Depends on: 865234
Christoph, can you please retest this?  Thanks!
(Reporter)

Comment 4

6 years ago
Fixed.

Tested with m-i changeset: 130540:39aad6551764
Yay!
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 865234
(Reporter)

Comment 6

6 years ago
We shouldn't dup found security bugs against implementation bugs, if the specific vulnerability was unknown at the time. There were no previous reports of the same issue. Let's mark this as fixed.
Resolution: DUPLICATE → FIXED
Keywords: regression
Whiteboard: fixed in bug 865234
(Reporter)

Updated

6 years ago
Blocks: 875414
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: fixed in bug 865234 → [adv-main23-] fixed in bug 865234
Group: core-security