Closed Bug 876252 Opened 11 years ago Closed 11 years ago

Heap-buffer-overflow READ in speex_resampler_process_float

Categories

(Core :: Web Audio, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24
Tracking Status
firefox21 --- unaffected
firefox22 --- disabled
firefox23 --- disabled
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: attekett, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [asan][adv-main24-])

Attachments

(2 files)

Attached file Repro-file
Tested on:

OS: Ubuntu 12.04

Firefox: ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369563046/

ASAN-report:

==17611== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f48c10ede7c at pc 0x7f48e92350b2 bp 0x7f48bdfd3cb0 sp 0x7f48bdfd3ca8
READ of size 4 at 0x7f48c10ede7c thread T27
    #0 0x7f48e92350b1 in speex_resampler_process_float /builds/slave/m-cen-l64-asan-ntly-0000000000/build/media/libspeex_resampler/src/resample.c:867
    #1 0x7f48e61bcae5 in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling(mozilla::AudioNodeStream*, mozilla::AudioChunk*, unsigned int, unsigned long, unsigned long, unsigned int, unsigned int&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:217
    #2 0x7f48e61bb240 in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromBuffer(mozilla::AudioNodeStream*, mozilla::AudioChunk*, unsigned int, unsigned int*, long*, unsigned int, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:294
    #3 0x7f48e61b98ab in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:397
    #4 0x7f48e6123d5a in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:425
...

The crash stack is identical to the stack from bug 874934
Same underlying issue as bug 875617?
Severity: normal → critical
Depends on: 875617
Blocks: webaudio
Attachment #754235 - Attachment mime type: text/plain → text/html
Attached patch Patch (v1)Splinter Review
Sigh....
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #754585 - Flags: review?(roc)
(In reply to Mats Palmgren [:mats] from comment #1)
> Same underlying issue as bug 875617?

I doubt that.
No longer depends on: 875617
https://hg.mozilla.org/mozilla-central/rev/aa7086197909
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Flags: sec-bounty?
Does this affect branches or is this trunk only? 

I am told that this might be explicitly disabled on 22 and 23 and unaffected for 21. Is that right?
Flags: sec-bounty? → sec-bounty+
Whiteboard: [asan]
(In reply to Al Billings [:abillings] from comment #9)
> Does this affect branches or is this trunk only? 

23 and 24.

> I am told that this might be explicitly disabled on 22 and 23 and unaffected
> for 21. Is that right?

It is already disabled on 22, and will be disabled on 23 once it goes to beta.  And yes, 21 is unaffected.
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Flags: in-testsuite+
(copying the security rating from the duplicate bugs)
Whiteboard: [asan] → [asan][adv-main24-]
Group: core-security