WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling]

RESOLVED FIXED in Firefox 23

Status

()

defect
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: posidron, Assigned: padenot)

Tracking

(Blocks 1 bug, 5 keywords)

Trunk
mozilla24
x86_64
macOS
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox21 disabled, firefox22 disabled, firefox23+ fixed, firefox24 fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main23-])

Attachments

(4 attachments)

Reporter

Description

6 years ago
Posted file testcase
./content/media/webaudio/AudioBufferSourceNode.cpp:203

      speex_resampler_process_float(resampler, i,
                                    inputData, &inSamples,
                                    outputData, &outSamples);


./media/libspeex_resampler/src/resample.c:867

int speex_resampler_process_float
[...]
        if (in) {
           for(j=0;j<ichunk;++j)
*             x[j+filt_offs]=in[j*istride];
        } else {
          for(j=0;j<ichunk;++j)
            x[j+filt_offs]=0;
        }


Tested with m-i changeset: 130174:ea5490a3bca7
Reporter

Comment 1

6 years ago
Posted file callstack
Assignee

Comment 2

6 years ago
I can't repro, tested on Mac and Linux 64, on a just pulled m-c that contains 130174:ea5490a3bca7. Anything in particular to do?
Reporter

Comment 3

6 years ago
You need an ASan build.
Reporter

Updated

6 years ago
Blocks: webaudio
Paul, can you please look into this?  Thanks!
Assignee: nobody → paul
You can get ASAN builds (for Linux, anyway) at
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/

Thought we had Mac, too, but don't see them.
Assignee

Comment 6

6 years ago
I built my own Mac ASAN build, and I found the cause (bad mDuration value in the AudioBufferSourceNodeEngine), but I'm not sure yet of how it can happen.
Assignee

Comment 7

6 years ago
The root cause was basically that we forgot to send along the new duration when setting a new buffer after calling |start()| on the AudioBufferSourceNode.
Attachment #748837 - Flags: review?(ehsan)
Assignee

Comment 8

6 years ago
Posted patch fixSplinter Review
Attachment #748838 - Flags: review?(ehsan)
Attachment #748838 - Flags: review?(ehsan) → review+
Comment on attachment 748837 [details] [diff] [review]
adds a crashtest

Review of attachment 748837 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/media/webaudio/test/test_bug867104.html
@@ +24,5 @@
> +  setTimeout(function() {
> +    ok(true, "We did not crash.");
> +    SpecialPowers.clearUserPref("media.webaudio.enabled");
> +    SimpleTest.finish();
> +  }, 1000);

Presumably you just want to wait until audio processing starts to happen, right?  In that case it's a lot better to stick a ScriptProcessorNode in front of the source node and wait for its first audioprocess event, and then end the test.
Attachment #748837 - Flags: review?(ehsan) → review+
Comment on attachment 748838 [details] [diff] [review]
fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Web Audio
User impact if declined: Web Audio will only remain enabled on Aurora, so this won't impact beta/release users unless they manually turn it on
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): not risky
String or IDL/UUID changes made by this patch: none
Attachment #748838 - Flags: approval-mozilla-aurora?
Depends on: 872140
https://hg.mozilla.org/mozilla-central/rev/744de2aced8c
https://hg.mozilla.org/mozilla-central/rev/d98e7c680020
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Attachment #748838 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Reporter

Updated

6 years ago
See Also: → 874934
Reporter

Updated

6 years ago
Blocks: 875414
Reporter

Updated

6 years ago
Blocks: 875617
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Blocks: 864164
Group: core-security
You need to log in before you can comment on or make changes to this bug.