WebAudio heap-buffer-overflow crash [@mozilla::AudioBlockSumOfSquares]

RESOLVED FIXED in Firefox 24

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 6 years ago
Last modified: 5 years ago

People

(Reporter: posidron, Assigned: Ehsan)

Tracking

(Blocks 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla24
Platform: x86_64
OS: macOS
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox23 unaffected, firefox24+ fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main24-])

Attachments

(3 attachments)

Reporter

Description

6 years ago
Posted file testcase
A reduced testcase will follow in the next comment.

content/media/AudioNodeEngine.cpp:158

    float
    AudioBlockSumOfSquares(const float* aInput, uint32_t aLength)
    {
      float sum = 0.0f;
      while (aLength--) {
        sum += *aInput * *aInput;   // <-- crash site reported by ASan: reads past the end of aInput
        ++aInput;
      }
      return sum;
    }

Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/2551c645b782 + ehsan's patch for the Convolver node.
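The function quoted above trusts aLength completely: it has no way to know how many floats aInput actually holds, so a caller that passes a length larger than the allocation turns the loop into a heap over-read, which is exactly what ASan flagged here. The following is an added example, not code from the bug or from Mozilla's tree, showing the routine next to a hardened variant that takes the buffer's capacity and rejects oversized lengths. BLOCK_SIZE is a constructed stand-in for the audio block length (Gecko's own constant is WEBAUDIO_BLOCK_SIZE, assumed rather than taken from this page), and sum_of_constant_block is a hypothetical harness that builds a heap block and exercises the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the WebAudio block length (128 frames). The real
 * constant lives in Gecko's AudioNodeEngine.h; this is an assumption, not a
 * value taken from the bug. */
#define BLOCK_SIZE 128u

/* The routine as quoted in the bug report. It cannot see the allocation size,
 * so correctness depends entirely on every caller passing a sane aLength. */
float AudioBlockSumOfSquares(const float* aInput, uint32_t aLength)
{
  float sum = 0.0f;
  while (aLength--) {
    sum += *aInput * *aInput;
    ++aInput;
  }
  return sum;
}

/* Hardened variant (added here): the caller also states the capacity of the
 * buffer, and the function refuses to run when aLength exceeds it instead of
 * walking past the end of the heap block. Returns false on rejection. */
bool AudioBlockSumOfSquaresChecked(const float* aInput, size_t aCapacity,
                                   uint32_t aLength, float* aOut)
{
  if (aInput == NULL || aOut == NULL || aLength > aCapacity) {
    return false;
  }
  *aOut = AudioBlockSumOfSquares(aInput, aLength);
  return true;
}

/* Hypothetical harness: allocates exactly one audio block on the heap, fills
 * it with `value`, and asks for `length` frames through the checked entry
 * point. Returns the sum of squares, or -1.0f when the request was rejected
 * (a sum of squares is never negative, so the sentinel is unambiguous). */
float sum_of_constant_block(float value, uint32_t length)
{
  float* block = malloc(BLOCK_SIZE * sizeof(float));
  if (block == NULL) {
    return -1.0f;
  }
  for (size_t i = 0; i < BLOCK_SIZE; ++i) {
    block[i] = value;
  }

  float sum = 0.0f;
  bool ok = AudioBlockSumOfSquaresChecked(block, BLOCK_SIZE, length, &sum);
  free(block);
  return ok ? sum : -1.0f;
}

int main(void)
{
  /* 128 frames of 0.5f: 128 * 0.25 = 32.0, exactly representable. */
  printf("full block:      %f\n", sum_of_constant_block(0.5f, BLOCK_SIZE));
  /* One frame too many: the unchecked routine would read 4 bytes past the
   * allocation; the checked one returns the rejection sentinel. */
  printf("oversized length: %f\n", sum_of_constant_block(0.5f, BLOCK_SIZE + 1));
  return 0;
}
```

The rejection branch is the part worth keeping in mind when reviewing the actual fix: because the leaf routine cannot check on its own, the length it receives has to be bounded somewhere up the call chain, and a checked wrapper like this makes that invariant explicit at the boundary rather than implicit in every caller.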
Reporter

Comment 1

6 years ago
Posted file callstack
Reporter

Comment 2

6 years ago
Posted file testcase-reduced
reduced testcase
Al Billings [:abillings]

Comment 3

Does this affect Aurora? This is disabled in Beta, right?
Assignee

Comment 4

6 years ago
Can you please test without my patch as well?
Flags: needinfo?(cdiehl)
Assignee

Comment 5

6 years ago
(In reply to Al Billings [:abillings] from comment #3)
> Does this affect Aurora? This is disabled in Beta, right?

This is with the patch to bug 815643 which has not landed yet...
Assignee

Comment 6

6 years ago
Fixed locally, and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/a178af222dd4
Assignee: nobody → ehsan
Flags: needinfo?(cdiehl)
Reporter

Comment 7

6 years ago
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5730140 and the testcase is not reproducible anymore. Fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
https://hg.mozilla.org/mozilla-central/rev/a178af222dd4
Flags: in-testsuite+
Target Milestone: --- → mozilla24
Whiteboard: [adv-main24-]
Group: core-security