Closed Bug 876338 Opened 11 years ago Closed 11 years ago

WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer]

Categories

(Core :: Web Audio, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 876252

People

(Reporter: posidron, Unassigned)

References

Details

(4 keywords, Whiteboard: [blocking-webaudio-])

Attachments

(3 files, 2 obsolete files)

Attached file testcase (obsolete) —
./content/media/webaudio/AudioBufferSourceNode.cpp:174

```cpp
  void CopyFromInputBuffer(AudioChunk* aOutput,
                           uint32_t aChannels,
                           uintptr_t aSourceOffset,
                           uintptr_t aBufferOffset,
                           uint32_t aNumberOfFrames) {
    for (uint32_t i = 0; i < aChannels; ++i) {
      float* baseChannelData = static_cast<float*>(const_cast<void*>(aOutput->mChannelData[i]));
      // Offsets and frame count are used as given; nothing in this function
      // checks them against the length of mBuffer or of the output chunk.
      memcpy(baseChannelData + aBufferOffset,
             mBuffer->GetData(i) + aSourceOffset,   // crash site (marked "*" in the report): ASan heap-buffer-overflow on this read
             aNumberOfFrames * sizeof(float));
    }
  }
```


Tested with m-i changeset: 132982:ce25da24ba1c
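The copy above trusts aSourceOffset and aNumberOfFrames as handed in, so a request that runs past the end of the source channel reads out of bounds, which is what the ASan report shows. The following is an added example, not Mozilla's code and not the fix tracked in bug 876252: a stand-alone C model of the same copy loop next to a bounds-checked form. The source_channel_t and output_channel_t types with an explicit frame count are assumptions of this example; the real mBuffer type and how its length is obtained are not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the real types: one source channel (mBuffer)
 * and one output channel (aOutput->mChannelData[i]), each carrying its
 * length in frames. The length fields are an assumption of this example. */
typedef struct {
    const float *data;
    size_t frames;
} source_channel_t;

typedef struct {
    float *data;
    size_t frames;
} output_channel_t;

/* Same shape as the reported copy: offsets and frame count are trusted.
 * With source_offset + frames > src->frames the memcpy reads past the
 * source allocation, the heap-buffer-overflow ASan reported. Kept here for
 * comparison only; it must never be called with out-of-range arguments. */
static void copy_unchecked(output_channel_t *dst, const source_channel_t *src,
                           size_t source_offset, size_t buffer_offset, size_t frames)
{
    memcpy(dst->data + buffer_offset, src->data + source_offset, frames * sizeof(float));
}

/* Hardened form: refuse the copy unless both the read and the write fit.
 * "offset > len" is tested before "frames > len - offset" so that the
 * subtraction cannot wrap, which also rejects SIZE_MAX-sized requests. */
static bool copy_checked(output_channel_t *dst, const source_channel_t *src,
                         size_t source_offset, size_t buffer_offset, size_t frames)
{
    if (source_offset > src->frames || frames > src->frames - source_offset)
        return false;                     /* would read past the source channel */
    if (buffer_offset > dst->frames || frames > dst->frames - buffer_offset)
        return false;                     /* would write past the output channel */
    copy_unchecked(dst, src, source_offset, buffer_offset, frames);
    return true;
}

/* Constructed sample input: a 4-frame source channel. */
static const float kSample[4] = { 0.1f, 0.2f, 0.3f, 0.4f };

/* Offset 2 + 6 frames would read 2 frames (8 bytes) past the 4-frame source. */
int rejects_source_overread(void)
{
    float out[8] = { 0 };
    source_channel_t src = { kSample, 4 };
    output_channel_t dst = { out, 8 };
    return copy_checked(&dst, &src, 2, 0, 6) == false;
}

/* Offset 6 + 4 frames would write 2 frames past the 8-frame output. */
int rejects_output_overwrite(void)
{
    float out[8] = { 0 };
    source_channel_t src = { kSample, 4 };
    output_channel_t dst = { out, 8 };
    return copy_checked(&dst, &src, 0, 6, 4) == false;
}

/* Huge offsets or counts must be rejected without wrapping the arithmetic. */
int rejects_wrapping_request(void)
{
    float out[8] = { 0 };
    source_channel_t src = { kSample, 4 };
    output_channel_t dst = { out, 8 };
    return copy_checked(&dst, &src, SIZE_MAX, 0, 1) == false &&
           copy_checked(&dst, &src, 0, 0, SIZE_MAX) == false;
}

/* An in-range request copies source frames 2..3 into output frames 3..4
 * and leaves the neighbouring output frames untouched. */
int copies_in_range(void)
{
    float out[8] = { 0 };
    source_channel_t src = { kSample, 4 };
    output_channel_t dst = { out, 8 };
    if (!copy_checked(&dst, &src, 2, 3, 2))
        return 0;
    return out[2] == 0.0f && out[3] == 0.3f && out[4] == 0.4f && out[5] == 0.0f;
}

int main(void)
{
    printf("source overread rejected:   %d\n", rejects_source_overread());
    printf("output overwrite rejected:  %d\n", rejects_output_overwrite());
    printf("wrapping request rejected:  %d\n", rejects_wrapping_request());
    printf("in-range copy correct:      %d\n", copies_in_range());
    return 0;
}
```

Building the example with `-fsanitize=address` and deliberately calling copy_unchecked with the arguments from rejects_source_overread reproduces the same class of report as the attached callstack, a READ past a heap or global buffer inside memcpy; the checked variant returns false instead and copies nothing.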
Attached file callstack
Keywords: testcase
Attached file testcase-use-after-free (obsolete) —
Testcase with a delayed call to stop()
This variation of the testcase lets FF crash with a use-after-free.
Attached file testcase
Attachment #754342 - Attachment is obsolete: true
Attachment #754351 - Attachment is obsolete: true
Dupe of bug 876252.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
See Also: → 878478
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [blocking-webaudio-]
Group: core-security → core-security-release
Group: core-security-release