Heap-buffer-overflow in nsTArray_Impl<mozilla::AudioChunk, nsTArrayInfallibleAllocator>::ElementAt

VERIFIED FIXED in Firefox 24

Status

defect
VERIFIED FIXED

People

(Reporter: attekett, Assigned: Ehsan)

Tracking

Version: unspecified
Target Milestone: mozilla24
Hardware: x86_64
OS: All
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox21 unaffected, firefox22- disabled, firefox23- disabled, firefox24+ verified, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [asan][adv-main24-])

Attachments

(2 attachments, 1 obsolete attachment)

Posted file Repro-file
Tested on:

OS: Ubuntu 12.04

Firefox: 

ASAN dbg-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1369232390/

ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/

ASAN-report:(opt-build)

==3461== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f63fc68da08 at pc 0x7f64274fc436 bp 0x7f63fc4a13f0 sp 0x7f63fc4a13e8
READ of size 8 at 0x7f63fc68da08 thread T22
    #0 0x7f64274fc435 in nsRefPtr<mozilla::ThreadSharedObject>::get() const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsAutoPtr.h:1009
    #1 0x7f64274fcfe5 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:407
    #2 0x7f642756ac83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937
    #3 0x7f642757ce05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163
    #4 0x7f6429c0e212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #5 0x7f6429cd619c in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/xpcom/threads/nsThread.cpp:265
...

ASAN-report:(debug-build)

Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:725
ASAN:SIGSEGV
=================================================================
==3301== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02f14583bd sp 0x7f02c63f2ef0 bp 0x7f02c63f2f10 T24)
AddressSanitizer can not provide additional info.
    #0 0x7f02f14583bc in nsTArray_Impl<mozilla::AudioChunk, nsTArrayInfallibleAllocator>::ElementAt(unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/nsTArray.h:725
    #1 0x7f02f1454ea1 in mozilla::AudioNodeStream::ObtainInputBlock(mozilla::AudioChunk&, unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:279
    #2 0x7f02f14560b6 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:407
    #3 0x7f02f14bcc52 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:937
    #4 0x7f02f14bd5b2 in mozilla::MediaStreamGraphImpl::RunThread() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1017
    #5 0x7f02f14cbdd8 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1163
...
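The two reports above are the same out-of-range index taking two different paths. The debug build trips nsTArray's `i < Length()` assertion inside ElementAt (called from AudioNodeStream::ObtainInputBlock); the opt build has no such check, ObtainInputBlock and ElementAt are inlined into ProduceOutput, and the first thing touched in the bogus element is the nsRefPtr<ThreadSharedObject> it holds, which is the 8-byte heap READ ASan flags. The following is an added example, not Mozilla code and not the patch that landed for this bug: a minimal nsTArray-style container whose ElementAt carries the same debug-only assertion, beside a checked accessor (in the spirit of nsTArray's SafeElementAt) that refuses the index instead. The `Chunk` struct and the names `TryGet` and `ProbeInputs` are stand-ins invented for this example.

```cpp
// Added example, not Mozilla code: a minimal nsTArray-style container that
// shows why the debug build asserts and the opt build reads past the buffer.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for mozilla::AudioChunk (invented for this example). The first
// field is a pointer, matching the 8-byte READ through nsRefPtr<...>::get()
// in frame #0 of the opt-build report.
struct Chunk {
  const void* mBuffer;   // stands in for the nsRefPtr<ThreadSharedObject>
  uint32_t mDuration;
};

template <typename T>
class Array {
 public:
  explicit Array(size_t n) : mData(n) {}
  size_t Length() const { return mData.size(); }

  // Mirrors nsTArray_Impl::ElementAt: the bounds check is an assert, so it
  // exists only in debug builds (the "i < Length() (invalid array index)"
  // failure above). Compiled with NDEBUG an out-of-range index reads beyond
  // the allocation; build with -fsanitize=address to get the same
  // heap-buffer-overflow report the opt-build ASan run produced.
  T& ElementAt(size_t i) {
    assert(i < Length() && "invalid array index");
    return mData.data()[i];
  }

  // Checked accessor (invented here, in the spirit of SafeElementAt):
  // refuses an out-of-range index instead of trusting the caller.
  bool TryGet(size_t i, T& out) const {
    if (i >= Length()) {
      return false;
    }
    out = mData[i];
    return true;
  }

 private:
  std::vector<T> mData;
};

// Models the consumer's mistake: a caller that believes it has `expected`
// inputs while the array holds fewer. Returns how many indices were actually
// readable; an unchecked ElementAt loop over the same range is what overflows.
size_t ProbeInputs(const Array<Chunk>& inputs, size_t expected) {
  size_t ok = 0;
  for (size_t i = 0; i < expected; ++i) {
    Chunk c;
    if (inputs.TryGet(i, c)) {
      ++ok;
    }
  }
  return ok;
}

int main() {
  Array<Chunk> inputs(2);
  // A caller asking for 3 inputs from a 2-element array: the checked path
  // reports 2 readable inputs and never touches memory past the end.
  size_t readable = ProbeInputs(inputs, 3);
  // Uncomment to reproduce the unchecked behaviour: assertion failure in a
  // debug build, heap-buffer-overflow under ASan in an NDEBUG build.
  // (void)inputs.ElementAt(2).mBuffer;
  return readable == 2 ? 0 : 1;
}
```

Compile twice, once with `-g -fsanitize=address` and once with `-DNDEBUG -fsanitize=address`, and uncomment the ElementAt line: the first run dies on the assertion exactly as the dbg-asan build did, the second produces an ASan heap-buffer-overflow on an 8-byte read, the same shape as the opt-build report.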
Blocks: webaudio
OS: Linux → All
Attachment #752819 - Attachment mime type: text/plain → text/html
Posted patch Patch (v1) (obsolete) — Splinter Review
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #752950 - Flags: review?(roc)
Comment on attachment 752950 [details] [diff] [review]
Patch (v1)

Review of attachment 752950 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/media/test/crashtests/874952.html
@@ +1,1 @@
> +874952.html
\ No newline at end of file
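Review bot: content/media/test/crashtests/874952.html contains only the literal text `874952.html` and no trailing newline, so as a crashtest it loads a page with no markup and cannot reach the AudioNodeStream code that crashed; the file should carry the reporter's repro markup (attachment 752819, re-typed to text/html in this bug) and end with a newline.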

Er, what???
Posted patch Patch (v2)Splinter Review
Sorry, copy/paste fail.
Attachment #752950 - Attachment is obsolete: true
Attachment #752950 - Flags: review?(roc)
Attachment #753312 - Flags: review?(roc)
Triaging with Ehsan. Affects 23+
Flags: needinfo?(mwobensmith)
I think the needinfo for me concerned whether it repros on 21/22, which David has marked unaffected. If there is still something for me to do, just let me know.
Flags: needinfo?(mwobensmith)
https://hg.mozilla.org/mozilla-central/rev/71ade5bf04f1
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Flags: sec-bounty?
We need to know how/if this affects 22 and 23. I assume 21 is unaffected. The flags say that 23 *is* affected.

In general, security bugs should get approval when they affect anything other than trunk before they go in. 

https://wiki.mozilla.org/Security/Bug_Approval_Process
Flags: sec-bounty? → sec-bounty+
Whiteboard: [asan]
(In reply to Al Billings [:abillings] from comment #9)
> In general, security bugs should get approval when they affect anything
> other than trunk before they go in. 
> 
> https://wiki.mozilla.org/Security/Bug_Approval_Process

I thought that only applies to bugs which affect Release?
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #10)
> 
> > https://wiki.mozilla.org/Security/Bug_Approval_Process
> 
> I thought that only applies to bugs which affect Release?

No, only if the bug *only* affects trunk (quoting the above doc):

'This means that the developer can mark the status flags for ESR, Beta, and Aurora as "unaffected." It also means that we haven't shipped anywhere public in an official release yet.'

The exception is if the bug is sec-low, sec-moderate, sec-other, or sec-want rating. All sec-high or sec-critical bugs otherwise need approval if they aren't trunk only.
Comment 4 suggests this doesn't affect FF22 but comment 9 implies it might. Help?
I *believe* it is disabled in 22 and currently enabled in 23 but scheduled to be disabled in 23 as well.
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
(In reply to Al Billings [:abillings] from comment #13)
> I *believe* is is disabled in 22 and currently enabled in 23 but scheduled
> to be disabled in 23 as well.

That is correct.
Whiteboard: [asan] → [asan][adv-main24-]
Confirmed crash in FF24 ASan build from 2013-05-22.
Verified no crash in FF24 ASan build from 2013-09-16.
Status: RESOLVED → VERIFIED
Group: core-security