WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer]

RESOLVED DUPLICATE of bug 876252

Status

Type: defect
Priority: --
Severity: critical
RESOLVED DUPLICATE of bug 876252
Reported: 6 years ago
Modified: 3 years ago

People

(Reporter: posidron, Unassigned)

Tracking

(Blocks 1 bug, 4 keywords)

Version: Trunk
Hardware: x86_64 macOS
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [blocking-webaudio-])

Attachments

(3 attachments, 2 obsolete attachments)

Reporter

Description

6 years ago
Posted file testcase (obsolete) —
./content/media/webaudio/AudioBufferSourceNode.cpp:174

  void CopyFromInputBuffer(AudioChunk* aOutput,
                           uint32_t aChannels,
                           uintptr_t aSourceOffset,
                           uintptr_t aBufferOffset,
                           uint32_t aNumberOfFrames) {
    for (uint32_t i = 0; i < aChannels; ++i) {
      float* baseChannelData = static_cast<float*>(const_cast<void*>(aOutput->mChannelData[i]));
      // No check that aSourceOffset + aNumberOfFrames stays within the source
      // buffer, nor that aBufferOffset + aNumberOfFrames stays within aOutput.
      memcpy(baseChannelData + aBufferOffset,
             mBuffer->GetData(i) + aSourceOffset,   // <-- line the reporter marked with '*'
             aNumberOfFrames * sizeof(float));
    }
  }


Tested with m-i changeset: 132982:ce25da24ba1c
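The memcpy above copies aNumberOfFrames floats starting at mBuffer->GetData(i) + aSourceOffset into baseChannelData + aBufferOffset without checking that either range lies inside its allocation, which is the heap-buffer-overflow the report is about. The following is an added illustration, not Firefox's code and not the fix that landed for bug 876252: a stand-alone C++ version of the same copy, using made-up SourceBuffer and Chunk stand-ins for the real buffer and AudioChunk types, that clamps the request to the frames actually available in both the source and the destination. The DemoOverlongRequest function builds a constructed scenario of the same shape as the report (a short source buffer and a copy request far larger than it).

```cpp
// Added example, not Firefox source: a bounds-checked form of the copy in the
// bug report. SourceBuffer and Chunk are made-up stand-ins for the real
// source buffer and AudioChunk types; all channels are assumed equally long.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Stand-in for the decoded source buffer: one vector of samples per channel.
struct SourceBuffer {
    std::vector<std::vector<float>> channels;
    size_t Length() const { return channels.empty() ? 0 : channels[0].size(); }
    const float* GetData(uint32_t i) const { return channels[i].data(); }
};

// Stand-in for the output chunk handed to the engine.
struct Chunk {
    std::vector<std::vector<float>> mChannelData;
    size_t Length() const { return mChannelData.empty() ? 0 : mChannelData[0].size(); }
};

// Copies up to aNumberOfFrames frames per channel, clamped so that neither the
// read [aSourceOffset, +frames) nor the write [aBufferOffset, +frames) leaves
// its buffer. Returns the number of frames actually copied; 0 means nothing was
// copied (bad channel count, or an offset already at or past the end).
size_t CopyFromInputBufferChecked(Chunk* aOutput, const SourceBuffer& aSource,
                                  uint32_t aChannels, size_t aSourceOffset,
                                  size_t aBufferOffset, size_t aNumberOfFrames) {
    if (aOutput == nullptr) return 0;
    if (aChannels > aOutput->mChannelData.size() ||
        aChannels > aSource.channels.size()) {
        return 0;  // would index past the per-channel arrays
    }
    const size_t srcLen = aSource.Length();
    const size_t dstLen = aOutput->Length();
    // Compare offsets against lengths before subtracting, so the "remaining"
    // arithmetic below cannot wrap around on a huge offset.
    if (aSourceOffset > srcLen || aBufferOffset > dstLen) return 0;
    const size_t remaining = std::min(srcLen - aSourceOffset, dstLen - aBufferOffset);
    const size_t frames = std::min(aNumberOfFrames, remaining);
    for (uint32_t i = 0; i < aChannels; ++i) {
        float* dst = aOutput->mChannelData[i].data();
        std::memcpy(dst + aBufferOffset, aSource.GetData(i) + aSourceOffset,
                    frames * sizeof(float));
    }
    return frames;
}

// Constructed scenario with the shape of the report: a 4-frame source buffer
// and a request for a full 128-frame block starting at source offset 2.
// Unchecked, that memcpy would read 126 floats past the source allocation.
size_t DemoOverlongRequest() {
    SourceBuffer src;
    src.channels = {{1.0f, 2.0f, 3.0f, 4.0f}};           // 4 frames, 1 channel
    Chunk out;
    out.mChannelData = {std::vector<float>(128, 0.0f)};  // 128-frame output block
    return CopyFromInputBufferChecked(&out, src, 1, 2, 0, 128);
}

int main() {
    std::printf("frames copied: %zu\n", DemoOverlongRequest());  // prints 2
    return 0;
}
```

Clamping (rather than refusing the whole request) is the choice here so that the last partial block of a source still plays; a caller that wants a hard failure can compare the return value with aNumberOfFrames.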
Reporter

Comment 1

6 years ago
Posted file callstack
Reporter

Updated

6 years ago
Keywords: testcase
Reporter

Comment 2

6 years ago
Posted file testcase-use-after-free (obsolete) —
Testcase with a delayed call to stop()
This variation of the testcase lets FF crash with a use-after-free.
Reporter

Comment 3

6 years ago
Posted file testcase
Attachment #754342 - Attachment is obsolete: true
Reporter

Comment 4

6 years ago
Attachment #754351 - Attachment is obsolete: true
Dupe of bug 876252.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 876252
Reporter

Updated

6 years ago
See Also: → 878478
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [blocking-webaudio-]

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release