Closed
Bug 877527
Opened 11 years ago
Closed 11 years ago
WebAudio heap-buffer-overflow crash [@mozilla::AudioBlockCopyChannelWithScale]
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
Tracking | Status | |
---|---|---|
firefox22 | --- | disabled |
firefox23 | - | disabled |
firefox24 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: padenot)
References
Details
(5 keywords, Whiteboard: [adv-main24-])
Attachments
(2 files)
content/media/AudioNodeEngine.cpp:64 void AudioBlockCopyChannelWithScale(const float* aInput, float aScale, float* aOutput) { if (aScale == 1.0f) { * memcpy(aOutput, aInput, WEBAUDIO_BLOCK_SIZE*sizeof(float)); [...] }
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Please see also: https://bugzilla.mozilla.org/show_bug.cgi?id=876207#c0 This is exactly where my concern is, we are not fixing the root of the problems. I believe we should add a sanitize checks for the memcpy parameters so that we won't crash there again.
Reporter | ||
Comment 3•11 years ago
|
||
Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/d7c6d6061ab5
Comment 4•11 years ago
|
||
(In reply to Christoph Diehl [:cdiehl] from comment #2) > Please see also: https://bugzilla.mozilla.org/show_bug.cgi?id=876207#c0 > > This is exactly where my concern is, we are not fixing the root of the > problems. > > I believe we should add a sanitize checks for the memcpy parameters so that > we won't crash there again. I don't think that's the case. We can't check for the length of the buffer because AudioChunk doesn't keep track of that information at all. We should just make sure we're consistent in keeping track of the number of channels, the offsets, etc. There's no single root cause for these kinds of bugs, well, besides using an unsafe language! :-)
Assignee: nobody → paul
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox22:
--- → disabled
status-firefox23:
--- → affected
status-firefox24:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox23:
--- → ?
tracking-firefox24:
--- → ?
Updated•11 years ago
|
Keywords: regression
Assignee | ||
Comment 5•11 years ago
|
||
This does not happen on tip for me, but I can repro on d7c6d6061ab5. Now bisecting to see what "fixed" it, because nothing seem to touch WebAudio in the log.
Updated•11 years ago
|
Comment 6•11 years ago
|
||
Paul, can you please check in the test case as a crashtest? Closing as FIXED for now, for the purpose of tracking the work left.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(paul)
Resolution: --- → FIXED
Assignee | ||
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/0d327854300c and https://hg.mozilla.org/integration/mozilla-inbound/rev/0bf1e71fe3cc because I forgot to hg add and actually put the wrong bug number.
Comment 9•11 years ago
|
||
Backed out for timeouts. https://hg.mozilla.org/integration/mozilla-inbound/rev/a2de97d3a53f https://tbpl.mozilla.org/php/getParsedLog.php?id=23724920&tree=Mozilla-Inbound
Comment 10•11 years ago
|
||
Paul, please add this to the crashtest suite here: <http://mxr.mozilla.org/mozilla-central/source/content/media/test/crashtests/> See my recent commits to that directory for examples. Thanks!
Assignee | ||
Comment 11•11 years ago
|
||
Relanded as a crashtest https://hg.mozilla.org/integration/mozilla-inbound/rev/fd5698ce0440
Comment 12•11 years ago
|
||
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Comment 14•11 years ago
|
||
No longer tracking for FF23
Updated•11 years ago
|
Whiteboard: [adv-main24-]
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•