Closed Bug 867104 Opened 11 years ago Closed 11 years ago

WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling]

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox21 --- disabled
firefox22 --- disabled
firefox23 + fixed
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: padenot)

References

Details

(5 keywords, Whiteboard: [adv-main23-])

Attachments

(4 files)

testcase
10.02 KB, text/html
Details
callstack
7.10 KB, text/plain
Details
adds a crashtest
1.91 KB, patch
ehsan.akhgari
: review+
Details | Diff | Splinter Review
fix
3.19 KB, patch
ehsan.akhgari
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file testcase 
./content/media/webaudio/AudioBufferSourceNode.cpp:203

      speex_resampler_process_float(resampler, i,
                                    inputData, &inSamples,
                                    outputData, &outSamples);


./media/libspeex_resampler/src/resample.c:867

int speex_resampler_process_float
[...]
        if (in) {
           for(j=0;j<ichunk;++j)
*             x[j+filt_offs]=in[j*istride];
        } else {
          for(j=0;j<ichunk;++j)
            x[j+filt_offs]=0;
        }


Tested with m-i changeset: 130174:ea5490a3bca7
Attached file callstack 

    
    

    
  
I can't repro, tested on Mac and Linux 64, on a just pulled m-c that contains 130174:ea5490a3bca7. Anything in particular to do?

    
    

    
  
You need an ASan build.

    
  
Blocks: webaudio

    
    

    
  
Paul, can you please look into this?  Thanks!
Assignee: nobody → paul

    
    

    
  
You can get ASAN builds (for Linux, anyway) at
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/

Thought we had Mac, too, but don't see them.

    
    

    
  
I built my own Mac ASAN build, and I found the cause (bad mDuration value in the AudioBufferSourceNodeEngine), but I'm not sure yet of how it can happen.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        adds a crashtestSplinter Review
      

    


  
The root cause was basically that we forgot to send along the new duration when setting a new buffer after calling |start()| on the AudioBufferSourceNode.

        Attachment #748837 -
        Flags: review?(ehsan)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  

        Attachment #748838 -
        Flags: review?(ehsan)

    
  

        Attachment #748838 -
        Flags: review?(ehsan) → review+

    
    

    
  
Comment on attachment 748837 [details] [diff] [review]
adds a crashtest

Review of attachment 748837 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/media/webaudio/test/test_bug867104.html
@@ +24,5 @@
> +  setTimeout(function() {
> +    ok(true, "We did not crash.");
> +    SpecialPowers.clearUserPref("media.webaudio.enabled");
> +    SimpleTest.finish();
> +  }, 1000);

Presumably you just want to wait until audio processing starts to happen, right?  In that case it's a lot better to stick a ScriptProcessorNode in front of the source node and wait for its first audioprocess event, and then end the test.

        Attachment #748837 -
        Flags: review?(ehsan) → review+

    
    

    
  
Comment on attachment 748838 [details] [diff] [review]
fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Web Audio
User impact if declined: Web Audio will only remain enabled on Aurora, so this won't impact beta/release users unless they manually turn it on
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): not risky
String or IDL/UUID changes made by this patch: none

        Attachment #748838 -
        Flags: approval-mozilla-aurora?
Depends on: 872140

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/744de2aced8c
https://hg.mozilla.org/mozilla-central/rev/d98e7c680020
Status: NEW → RESOLVED
Closed: 11 years ago

          status-firefox24:
          --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24

        Attachment #748838 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
  
See Also:  → 874934

    
  
Blocks: 875617

    
    

    
  
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Blocks: 864164
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: