Closed Bug 867104 Opened 12 years ago Closed 12 years ago

WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling]

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox21 --- disabled
firefox22 --- disabled
firefox23 + fixed
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: padenot)

References

Details

(5 keywords, Whiteboard: [adv-main23-])

Attachments

(4 files)

testcase
10.02 KB, text/html
Details
callstack
7.10 KB, text/plain
Details
adds a crashtest
1.91 KB, patch
ehsan.akhgari
: review+
Details | Diff | Splinter Review
fix
3.19 KB, patch
ehsan.akhgari
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file testcase
./content/media/webaudio/AudioBufferSourceNode.cpp:203 speex_resampler_process_float(resampler, i, inputData, &inSamples, outputData, &outSamples); ./media/libspeex_resampler/src/resample.c:867 int speex_resampler_process_float [...] if (in) { for(j=0;j<ichunk;++j) * x[j+filt_offs]=in[j*istride]; } else { for(j=0;j<ichunk;++j) x[j+filt_offs]=0; } Tested with m-i changeset: 130174:ea5490a3bca7
Attached file callstack
I can't repro, tested on Mac and Linux 64, on a just pulled m-c that contains 130174:ea5490a3bca7. Anything in particular to do?
You need an ASan build.
Blocks: webaudio
Paul, can you please look into this? Thanks!
Assignee: nobody → paul
You can get ASAN builds (for Linux, anyway) at https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/ Thought we had Mac, too, but don't see them.
I built my own Mac ASAN build, and I found the cause (bad mDuration value in the AudioBufferSourceNodeEngine), but I'm not sure yet of how it can happen.
Attached patch adds a crashtestSplinter Review
The root cause was basically that we forgot to send along the new duration when setting a new buffer after calling |start()| on the AudioBufferSourceNode.
Attachment #748837 - Flags: review?(ehsan)
Attached patch fixSplinter Review
Attachment #748838 - Flags: review?(ehsan)
Attachment #748838 - Flags: review?(ehsan) → review+
Comment on attachment 748837 [details] [diff] [review] adds a crashtest Review of attachment 748837 [details] [diff] [review]: ----------------------------------------------------------------- ::: content/media/webaudio/test/test_bug867104.html @@ +24,5 @@ > + setTimeout(function() { > + ok(true, "We did not crash."); > + SpecialPowers.clearUserPref("media.webaudio.enabled"); > + SimpleTest.finish(); > + }, 1000); Presumably you just want to wait until audio processing starts to happen, right? In that case it's a lot better to stick a ScriptProcessorNode in front of the source node and wait for its first audioprocess event, and then end the test.
Attachment #748837 - Flags: review?(ehsan) → review+
Comment on attachment 748838 [details] [diff] [review] fix [Approval Request Comment] Bug caused by (feature/regressing bug #): Web Audio User impact if declined: Web Audio will only remain enabled on Aurora, so this won't impact beta/release users unless they manually turn it on Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): not risky String or IDL/UUID changes made by this patch: none
Attachment #748838 - Flags: approval-mozilla-aurora?
Depends on: 872140
https://hg.mozilla.org/mozilla-central/rev/744de2aced8c https://hg.mozilla.org/mozilla-central/rev/d98e7c680020
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox24: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Attachment #748838 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
See Also: → 874934
Blocks: 875617
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Blocks: 864164
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: