Closed
Bug 867104
Opened 10 years ago
Closed 10 years ago
WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling]
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | disabled |
| firefox22 | --- | disabled |
| firefox23 | + | fixed |
| firefox24 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: padenot)
References
Details
(5 keywords, Whiteboard: [adv-main23-])
Attachments
(4 files)
|
10.02 KB,
text/html
|
Details | |
|
7.10 KB,
text/plain
|
Details | |
|
1.91 KB,
patch
|
ehsan.akhgari
:
review+
|
Details | Diff | Splinter Review |
|
3.19 KB,
patch
|
ehsan.akhgari
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
./content/media/webaudio/AudioBufferSourceNode.cpp:203
speex_resampler_process_float(resampler, i,
inputData, &inSamples,
outputData, &outSamples);
./media/libspeex_resampler/src/resample.c:867
int speex_resampler_process_float
[...]
if (in) {
for(j=0;j<ichunk;++j)
* x[j+filt_offs]=in[j*istride];
} else {
for(j=0;j<ichunk;++j)
x[j+filt_offs]=0;
}
Tested with m-i changeset: 130174:ea5490a3bca7
|
Reporter | |
Comment 1•10 years ago
|
||
|
Assignee | |
Comment 2•10 years ago
|
||
I can't repro, tested on Mac and Linux 64, on a just pulled m-c that contains 130174:ea5490a3bca7. Anything in particular to do?
|
|
Reporter | |
Comment 3•10 years ago
|
||
You need an ASan build.
|
||
Updated•10 years ago
|
status-b2g18:
--- → affected
status-firefox21:
--- → disabled
status-firefox22:
--- → disabled
status-firefox23:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox23:
--- → ?
Keywords: regression
|
||
Comment 5•10 years ago
|
||
You can get ASAN builds (for Linux, anyway) at https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/ Thought we had Mac, too, but don't see them.
|
|
Assignee | |
Comment 6•10 years ago
|
||
I built my own Mac ASAN build, and I found the cause (bad mDuration value in the AudioBufferSourceNodeEngine), but I'm not sure yet of how it can happen.
|
||
Updated•10 years ago
|
|
||
Updated•10 years ago
|
|
|
||
Updated•10 years ago
|
|
|
Assignee | |
Comment 7•10 years ago
|
||
The root cause was basically that we forgot to send along the new duration when setting a new buffer after calling |start()| on the AudioBufferSourceNode.
Attachment #748837 -
Flags: review?(ehsan)
|
|
Assignee | |
Comment 8•10 years ago
|
||
Attachment #748838 -
Flags: review?(ehsan)
|
|
||
Updated•10 years ago
|
Attachment #748838 -
Flags: review?(ehsan) → review+
|
|
||
Comment 9•10 years ago
|
||
Comment on attachment 748837 [details] [diff] [review] adds a crashtest Review of attachment 748837 [details] [diff] [review]: ----------------------------------------------------------------- ::: content/media/webaudio/test/test_bug867104.html @@ +24,5 @@ > + setTimeout(function() { > + ok(true, "We did not crash."); > + SpecialPowers.clearUserPref("media.webaudio.enabled"); > + SimpleTest.finish(); > + }, 1000); Presumably you just want to wait until audio processing starts to happen, right? In that case it's a lot better to stick a ScriptProcessorNode in front of the source node and wait for its first audioprocess event, and then end the test.
Attachment #748837 -
Flags: review?(ehsan) → review+
|
|
Assignee | |
Comment 10•10 years ago
|
||
pushed with comments addressed: https://hg.mozilla.org/integration/mozilla-inbound/rev/744de2aced8c https://hg.mozilla.org/integration/mozilla-inbound/rev/d98e7c680020
|
|
||
Comment 11•10 years ago
|
||
Comment on attachment 748838 [details] [diff] [review] fix [Approval Request Comment] Bug caused by (feature/regressing bug #): Web Audio User impact if declined: Web Audio will only remain enabled on Aurora, so this won't impact beta/release users unless they manually turn it on Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): not risky String or IDL/UUID changes made by this patch: none
Attachment #748838 -
Flags: approval-mozilla-aurora?
|
||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/744de2aced8c https://hg.mozilla.org/mozilla-central/rev/d98e7c680020
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox24:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
|
||
Updated•10 years ago
|
Attachment #748838 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 13•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/913b31ff6094 https://hg.mozilla.org/releases/mozilla-aurora/rev/3b1a78efc021
|
|
||
Comment 14•10 years ago
|
||
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
|
||
Updated•10 years ago
|
Whiteboard: [adv-main23-]
|
|
||
Updated•8 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•