Closed Bug 877523 Opened 11 years ago Closed 11 years ago

WebAudio global-buffer-overflow crash [@mozilla::dom::DelayNodeEngine::ProduceAudioBlock]

Categories

(Core :: Web Audio, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla24
Tracking Status
firefox22 --- disabled
firefox23 - disabled
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

Details

(4 keywords, Whiteboard: [adv-main24-])

Attachments

(4 files, 1 obsolete file)

Attached file testcase
content/media/webaudio/DelayNode.cpp:215

    // Write the input sample to the correct location in our buffer
    if (input) {
*     buffer[writeIndex] = input[i] * aInput.mVolume;
    }


Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/c9e6ca6528b8
Attached file callstack
Attached file testcase-reduced
Attached patch Patch (v1) (obsolete) — Splinter Review
OK, this is really embarrassing.  We ended up calculating 0 for all maxDelay values less than 1, so the internal buffer's size would end up being 0.
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #755980 - Flags: review?(roc)
Attachment #755980 - Attachment is obsolete: true
Attachment #755980 - Flags: review?(roc)
Attachment #756073 - Flags: review?(roc)
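The sizing error described in the comment above, as an added illustration (not Mozilla's code and not the landed patch): converting the delay to an integer before scaling by the sample rate gives a zero-length buffer for any maxDelay below 1, while scaling first and rounding up does not. The names `FramesTruncated`, `FramesRoundedUp`, `DelayLine` and the `kMaxFrames` cap are hypothetical.

```cpp
// Added illustration; all names are hypothetical, not Mozilla identifiers.
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <vector>

constexpr double kMaxFrames = 48000.0 * 180.0;  // assumed cap: 180 s at 48 kHz

// Defect class: seconds become an integer before scaling by the sample
// rate, so every maxDelay below 1 second produces a zero-length buffer.
std::size_t FramesTruncated(double maxDelaySeconds, double sampleRate) {
  return static_cast<std::size_t>(maxDelaySeconds) *
         static_cast<std::size_t>(sampleRate);
}

// Scale first, then round up; NaN, negative and oversized requests are
// clamped so the cast to size_t is always defined.
std::size_t FramesRoundedUp(double maxDelaySeconds, double sampleRate) {
  double frames = std::ceil(maxDelaySeconds * sampleRate);
  if (!(frames > 0.0)) return 0;
  return static_cast<std::size_t>(frames < kMaxFrames ? frames : kMaxFrames);
}

// Circular delay buffer whose write refuses to touch empty storage.
class DelayLine {
 public:
  explicit DelayLine(std::size_t frames) : mBuffer(frames, 0.0f) {}
  bool Write(float sample, float volume) {
    if (mBuffer.empty()) return false;  // no storage, nothing to write
    mBuffer[mWriteIndex] = sample * volume;
    mWriteIndex = (mWriteIndex + 1) % mBuffer.size();
    return true;
  }
  std::size_t WriteIndex() const { return mWriteIndex; }

 private:
  std::vector<float> mBuffer;
  std::size_t mWriteIndex = 0;
};

int main() {
  DelayLine bad(FramesTruncated(0.5, 48000.0));
  DelayLine good(FramesRoundedUp(0.5, 48000.0));
  std::printf("truncated: write ok=%d\n", bad.Write(1.0f, 1.0f));
  std::printf("rounded up: write ok=%d\n", good.Write(1.0f, 1.0f));
  return 0;
}
```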
https://hg.mozilla.org/mozilla-central/rev/e12be295c0b1
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Flags: in-testsuite+
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main24-]
Group: core-security