Closed
Bug 876338
Opened 11 years ago
Closed 11 years ago
WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer]
Categories (Core :: Web Audio, defect)
RESOLVED DUPLICATE of bug 876252
People (Reporter: posidron, Unassigned)
Details (4 keywords, Whiteboard: [blocking-webaudio-])
Attachments (3 files, 2 obsolete files)
./content/media/webaudio/AudioBufferSourceNode.cpp:174

  void CopyFromInputBuffer(AudioChunk* aOutput,
                           uint32_t aChannels,
                           uintptr_t aSourceOffset,
                           uintptr_t aBufferOffset,
                           uint32_t aNumberOfFrames) {
    for (uint32_t i = 0; i < aChannels; ++i) {
      float* baseChannelData = static_cast<float*>(const_cast<void*>(aOutput->mChannelData[i]));
      memcpy(baseChannelData + aBufferOffset,
*            mBuffer->GetData(i) + aSourceOffset,
             aNumberOfFrames * sizeof(float));
    }
  }

Tested with m-i changeset: 132982:ce25da24ba1c
Comment 1•11 years ago (Reporter)
Comment 2•11 years ago (Reporter)
Testcase with a delayed call to stop()
This variation of the testcase lets FF crash with a use-after-free.
Comment 3•11 years ago (Reporter)
Attachment #754342 -
Attachment is obsolete: true
Comment 4•11 years ago (Reporter)
Attachment #754351 -
Attachment is obsolete: true
Comment 5•11 years ago
Dupe of bug 876252.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Comment 6•11 years ago
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Updated•11 years ago
Whiteboard: [blocking-webaudio-]
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release