Closed Bug 876249 Opened 11 years ago Closed 11 years ago

Heap-buffer-overflow READ in WebCore::Biquad::process

Categories

(Core :: Web Audio, defect)

x86_64
All
defect
Not set
critical


RESOLVED DUPLICATE of bug 876252

People

(Reporter: attekett, Assigned: ehsan.akhgari)


(4 keywords, Whiteboard: [blocking-webaudio-])

Attachments

(1 file)

Attached file Repro-file
Tested on:

OS: Ubuntu 12.04

Firefox: ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369563046/

ASAN report (from a few-days-old debug build):

==3881== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8fdbce5edc at pc 0x7f8fffcf9adb bp 0x7f8fd3364dc0 sp 0x7f8fd3364db8
READ of size 4 at 0x7f8fdbce5edc thread T27
    #0 0x7f8fffcf9ada in WebCore::Biquad::process(float const*, float*, unsigned long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/webaudio/blink/Biquad.cpp:69
    #1 0x7f8fffce22c1 in mozilla::dom::BiquadFilterNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/webaudio/BiquadFilterNode.cpp:158
    #2 0x7f8fffc481cd in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:411
    #3 0x7f8fffcaec52 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:937
    #4 0x7f8fffcaf5b2 in mozilla::MediaStreamGraphImpl::RunThread() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1017
    #5 0x7f8fffcbddd8 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1163
...
OS: Linux → All
Blocks: webaudio
Severity: normal → critical
Attachment #754231 - Attachment mime type: text/plain → text/html
This is a dupe of bug 876252.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/6d921704e199
Assignee: nobody → ehsan
Flags: sec-bounty-
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [blocking-webaudio-]
Group: core-security → core-security-release
Group: core-security-release