Heap-buffer-overflow in mozilla::AudioBlockPanStereoToStereo

RESOLVED FIXED in mozilla24

Status: RESOLVED FIXED (defect)
Reported: 6 years ago
Modified: 6 years ago

People: Reporter: attekett, Assigned: Ehsan

Tracking: Version unspecified; Target Milestone mozilla24; Platform x86_64 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment

Description (Reporter, 6 years ago):
Posted file Repro-file
Tested on:

OS: Ubuntu 12.04

Firefox: ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1370513488/

ASAN-report:

==22305== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f29706df450 at pc 0x7f2992fae517 bp 0x7f295b5e6240 sp 0x7f295b5e6238
READ of size 4 at 0x7f29706df450 thread T43
    #0 0x7f2992fae516 in mozilla::AudioBlockPanStereoToStereo(float const*, float const*, float, float, bool, float*, float*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeEngine.cpp:116
    #1 0x7f2992fb24ea in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:428
    #2 0x7f29930212ce in mozilla::AudioNodeStream::SampleRate() const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:967
    #3 0x7f2993034255 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1214
    #4 0x7f29956f2e32 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #5 0x7f29957bd7cc in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/xpcom/threads/nsThread.cpp:265
...
Attachment #759082 - Attachment mime type: text/plain → text/html
Assignee: nobody → ehsan
Bug 878765's patch is wrong...
This is not a security sensitive bug.  In bug 878765, we added one additional increment to either aInputL or aInputR depending on aIsOnTheLeft.  That means that we will read past the end of the buffer but will only use the read value in a floating point computation, which will give us corrupted results, but that's about it.
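To make the defect the comment describes concrete, here is an added example that is not Mozilla's code: a hypothetical, simplified stereo-to-stereo pan loop in which a flag models the extra input-pointer increment on the side selected by aIsOnTheLeft, with every input read going through a bounds-checked accessor that counts the overread instead of performing it (the exact shape of the original loop and all names here are assumptions).

```c
#include <stddef.h>
#include <stdbool.h>

/* Bounds-checked read standing in for the sanitizer: instead of dereferencing
   past the end (what ASAN flagged above), count the violation and return 0. */
static float checked_read(const float *buf, size_t len, size_t idx, int *oob)
{
    if (idx >= len) { (*oob)++; return 0.0f; }
    return buf[idx];
}

/* Hypothetical, simplified stereo-to-stereo pan loop (not Mozilla's code).
   extra_step models the defect the comment describes: the input index on the
   side chosen by isOnTheLeft is advanced one extra time per iteration, so the
   loop walks past the end of the input block. Returns the out-of-bounds count. */
static int pan_stereo_to_stereo(const float *inL, const float *inR, size_t len,
                                float gainL, float gainR, bool isOnTheLeft,
                                float *outL, float *outR, bool extra_step)
{
    int oob = 0;
    size_t iL = 0, iR = 0;          /* stand in for the aInputL / aInputR pointers */
    for (size_t i = 0; i < len; ++i) {
        float l = checked_read(inL, len, iL, &oob);
        float r = checked_read(inR, len, iR, &oob);
        if (isOnTheLeft) {          /* panned left: bleed right channel into left */
            outL[i] = l + r * gainL;
            outR[i] = r * gainR;
        } else {                    /* panned right: bleed left channel into right */
            outL[i] = l * gainL;
            outR[i] = r + l * gainR;
        }
        iL++; iR++;
        if (extra_step) { if (isOnTheLeft) iL++; else iR++; }  /* the erroneous increment */
    }
    return oob;
}

/* Driver over a constructed 4-frame block (real blocks are larger); copies the
   outputs when outL/outR are non-NULL and returns the out-of-bounds count. */
static int demo_pan(bool extra_step, float *outL, float *outR)
{
    const float inL[4] = {1.0f, 2.0f, 3.0f, 4.0f};
    const float inR[4] = {10.0f, 20.0f, 30.0f, 40.0f};
    float tL[4], tR[4];
    int oob = pan_stereo_to_stereo(inL, inR, 4, 0.5f, 0.25f, true, tL, tR, extra_step);
    for (size_t i = 0; i < 4; ++i) {
        if (outL) outL[i] = tL[i];
        if (outR) outR[i] = tR[i];
    }
    return oob;
}
```

With the extra increment the left input index visits 0, 2, 4, 6, so two of the four reads fall outside the block; the corrected loop performs none.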
Blocks: webaudio, 878765
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/dfcabf3d307a
https://hg.mozilla.org/mozilla-central/rev/f4bb9c18463e
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Duplicate of this bug: 880845