Closed
Bug 867104
Opened 11 years ago
Closed 11 years ago
WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling]
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
Tracking | Status | |
---|---|---|
firefox21 | --- | disabled |
firefox22 | --- | disabled |
firefox23 | + | fixed |
firefox24 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: padenot)
References
Details
(5 keywords, Whiteboard: [adv-main23-])
Attachments
(4 files)
10.02 KB,
text/html
|
Details | |
7.10 KB,
text/plain
|
Details | |
1.91 KB,
patch
|
ehsan.akhgari
:
review+
|
Details | Diff | Splinter Review |
3.19 KB,
patch
|
ehsan.akhgari
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
./content/media/webaudio/AudioBufferSourceNode.cpp:203 speex_resampler_process_float(resampler, i, inputData, &inSamples, outputData, &outSamples); ./media/libspeex_resampler/src/resample.c:867 int speex_resampler_process_float [...] if (in) { for(j=0;j<ichunk;++j) * x[j+filt_offs]=in[j*istride]; } else { for(j=0;j<ichunk;++j) x[j+filt_offs]=0; } Tested with m-i changeset: 130174:ea5490a3bca7
Reporter | ||
Comment 1•11 years ago
|
||
Assignee | ||
Comment 2•11 years ago
|
||
I can't repro, tested on Mac and Linux 64, on a just pulled m-c that contains 130174:ea5490a3bca7. Anything in particular to do?
Reporter | ||
Comment 3•11 years ago
|
||
You need an ASan build.
Updated•11 years ago
|
status-b2g18:
--- → affected
status-firefox21:
--- → disabled
status-firefox22:
--- → disabled
status-firefox23:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox23:
--- → ?
Keywords: regression
Comment 5•11 years ago
|
||
You can get ASAN builds (for Linux, anyway) at https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/ Thought we had Mac, too, but don't see them.
Assignee | ||
Comment 6•11 years ago
|
||
I built my own Mac ASAN build, and I found the cause (bad mDuration value in the AudioBufferSourceNodeEngine), but I'm not sure yet of how it can happen.
Updated•11 years ago
|
Updated•11 years ago
|
Updated•11 years ago
|
Assignee | ||
Comment 7•11 years ago
|
||
The root cause was basically that we forgot to send along the new duration when setting a new buffer after calling |start()| on the AudioBufferSourceNode.
Attachment #748837 -
Flags: review?(ehsan)
Assignee | ||
Comment 8•11 years ago
|
||
Attachment #748838 -
Flags: review?(ehsan)
Updated•11 years ago
|
Attachment #748838 -
Flags: review?(ehsan) → review+
Comment 9•11 years ago
|
||
Comment on attachment 748837 [details] [diff] [review] adds a crashtest Review of attachment 748837 [details] [diff] [review]: ----------------------------------------------------------------- ::: content/media/webaudio/test/test_bug867104.html @@ +24,5 @@ > + setTimeout(function() { > + ok(true, "We did not crash."); > + SpecialPowers.clearUserPref("media.webaudio.enabled"); > + SimpleTest.finish(); > + }, 1000); Presumably you just want to wait until audio processing starts to happen, right? In that case it's a lot better to stick a ScriptProcessorNode in front of the source node and wait for its first audioprocess event, and then end the test.
Attachment #748837 -
Flags: review?(ehsan) → review+
Assignee | ||
Comment 10•11 years ago
|
||
pushed with comments addressed: https://hg.mozilla.org/integration/mozilla-inbound/rev/744de2aced8c https://hg.mozilla.org/integration/mozilla-inbound/rev/d98e7c680020
Comment 11•11 years ago
|
||
Comment on attachment 748838 [details] [diff] [review] fix [Approval Request Comment] Bug caused by (feature/regressing bug #): Web Audio User impact if declined: Web Audio will only remain enabled on Aurora, so this won't impact beta/release users unless they manually turn it on Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): not risky String or IDL/UUID changes made by this patch: none
Attachment #748838 -
Flags: approval-mozilla-aurora?
Comment 12•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/744de2aced8c https://hg.mozilla.org/mozilla-central/rev/d98e7c680020
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox24:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Updated•11 years ago
|
Attachment #748838 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 13•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/913b31ff6094 https://hg.mozilla.org/releases/mozilla-aurora/rev/3b1a78efc021
Comment 14•11 years ago
|
||
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Updated•11 years ago
|
Whiteboard: [adv-main23-]
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•