Stack buffer overflow in mozilla::AudioChannelsDownMix(nsTArray<void const*> const&, float**, unsigned int, unsigned int)

Status: RESOLVED DUPLICATE of bug 875529
Product: Core
Component: Web Audio
Reported: 5 years ago
Modified: a year ago

People

(Reporter: padenot, Assigned: padenot)

Tracking

Version: Trunk
Keywords: crash, csectype-bounds, sec-critical, testcase

Firefox Tracking Flags

(firefox22 ?, firefox23- affected, firefox24- affected)

Details

(Whiteboard: [asan][asan-test-failure][blocking-webaudio-])

Attachments

(2 attachments)

Description (Assignee)

5 years ago
Created attachment 748843: Log

STR:
- Do an ASAN build
- ./mach mochitest-plain content/media/webaudio/test_mixingRules.html

Expected:
- no crash

Actual result:
- ASAN says there is a stack buffer overflow and the test aborts. This happened during the teardown sequence, I guess; see the log.

Comment 1

5 years ago
Paul, can you please attach a human readable version of this log? (See http://code.google.com/p/address-sanitizer/wiki/CallStack)
Flags: needinfo?(paul)

Updated

5 years ago
Blocks: 779297
No longer blocks: 665909
Comment 2 (Assignee)

5 years ago
Created attachment 748860: End of the log, with symbols

Here you go.
Flags: needinfo?(paul)
Comment 3 (Assignee)

5 years ago
Taking per discussion with ehsan on IRC.
Assignee: nobody → paul
Status: NEW → ASSIGNED

Comment 4

5 years ago
I suspect looking at the arguments we pass to AudioChannelsDownMix should help you figure this out.  IIRC I fixed one of these types of buffer overflows by adding this code which helped us properly take null input chunks into account: <http://hg.mozilla.org/mozilla-central/diff/d8b87a58ebf5/content/media/AudioNodeStream.cpp>
If the log matches the current line 185 in m-c then the out of bounds read is of an array we're going to write into (depending on which array, either in that statement or the next one).
Keywords: crash, csec-bounds, sec-critical, testcase
Whiteboard: [asan][asan-test-failure]
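Comment 4 points at the interaction between down-mixing and null input chunks, and the title names an out-of-bounds access in a down-mix routine. As an added illustration that is not Mozilla's AudioChannelsDownMix and not code from this bug or from bug 875529, the following constructed C++ helper down-mixes to mono using the Web Audio mixing-rule weights for 1, 2, 4 and 6 input channels, treats a nullptr channel as a silent chunk, refuses channel counts it has no rule for instead of indexing past its weight table, and checks the caller's output capacity before writing. The function names, the sample buffers and the assumed 5.1 channel order (L, R, C, LFE, SL, SR) are assumptions of this example, not facts from the bug.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical helper for this page, not Mozilla's AudioChannelsDownMix.
// `inputs[c]` points at `frames` samples of channel c; a nullptr entry models
// a null (silent) chunk, the case Comment 4 says had to be handled explicitly.
// Returns false and writes nothing when the output buffer is too small or the
// channel count has no mixing rule.
bool DownMixToMono(const std::vector<const float*>& inputs,
                   float* out, size_t outCapacity, size_t frames)
{
  if (outCapacity < frames || (frames > 0 && out == nullptr)) {
    return false;  // never write past the caller's buffer
  }

  // Web Audio mono down-mix rules, indexed by input channel order.
  // 5.1 is assumed to be ordered L, R, C, LFE, SL, SR; LFE is dropped.
  const size_t channels = inputs.size();
  float weights[6] = {0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f};
  switch (channels) {
    case 1:
      weights[0] = 1.0f;
      break;
    case 2:  // mono = 0.5 * (L + R)
      weights[0] = weights[1] = 0.5f;
      break;
    case 4:  // mono = 0.25 * (L + R + SL + SR)
      for (size_t c = 0; c < 4; ++c) weights[c] = 0.25f;
      break;
    case 6: {  // mono = sqrt(1/2) * (L + R) + C + 0.5 * (SL + SR)
      const float k = std::sqrt(0.5f);
      weights[0] = weights[1] = k;
      weights[2] = 1.0f;
      weights[4] = weights[5] = 0.5f;
      break;
    }
    default:
      return false;  // unknown layout: refuse rather than index blindly
  }

  for (size_t i = 0; i < frames; ++i) {
    float acc = 0.0f;
    for (size_t c = 0; c < channels; ++c) {
      if (inputs[c] != nullptr) {  // a null chunk contributes silence
        acc += weights[c] * inputs[c][i];
      }
    }
    out[i] = acc;
  }
  return true;
}

// Convenience wrapper: mono result as a vector, empty on failure.
std::vector<float> DownMixToMonoVec(const std::vector<const float*>& inputs,
                                    size_t frames)
{
  std::vector<float> out(frames);
  if (!DownMixToMono(inputs, out.data(), out.size(), frames)) {
    return {};
  }
  return out;
}

int main()
{
  // Constructed sample: two stereo frames whose right channel is a null chunk.
  const float left[2] = {1.0f, 1.0f};
  std::vector<float> mono = DownMixToMonoVec({left, nullptr}, 2);
  for (float s : mono) std::printf("%.2f\n", s);
  return 0;
}
```

The two checks that matter for the bug class on this page are the capacity test before the write loop and the `default: return false;` branch: a caller that hands over a channel list whose size does not match any rule, or a null chunk where a buffer was expected, gets a failed call rather than a read or write outside the buffers.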
Comment 6 (Daniel Veditz [:dveditz])

What builds have this code, and in which builds is it enabled? I'm sure we don't have to worry about ESR-17, but what about Fx 22?
status-firefox22: --- → ?
status-firefox23: --- → affected
status-firefox24: --- → affected
tracking-firefox23: --- → +
tracking-firefox24: --- → +

Comment 7

5 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> What builds have this code, and in which builds is it enabled? I'm sure we
> don't have to worry about ESR-17, but what about Fx 22?

22's version of this function is very different.  Once we figure out what's happening it would be easier to judge whether the bug affects 22 or not.  (Note that the test case in question doesn't exist on 22 and it's probably very hard to get it working there.)
Comment 8

To me for an ASan run on FF22.
Flags: needinfo?(mwobensmith)
Comment 9

Ehsan wanted a ping on this bug so needinfoing him.
Flags: needinfo?(ehsan)

Comment 10

5 years ago
So I wanted to retest this to see if it's still an issue, and before I got to that I "found" bug 875529 and I fixed that, and now I see this was reported before. Duping towards the bug which has a patch.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(mwobensmith)
Flags: needinfo?(ehsan)
Resolution: --- → DUPLICATE
Duplicate of bug: 875529

Comment 11

5 years ago
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
tracking-firefox23: + → -
tracking-firefox24: + → -

Updated

4 years ago
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][blocking-webaudio-]

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release