Closed Bug 880342 Opened 11 years ago Closed 11 years ago

WebAudio heap-buffer-overflow crash [@mozilla::AudioBlockSumOfSquares]

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox23 --- unaffected
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [adv-main24-])

Attachments

(3 files)

testcase
15.64 KB, text/html
Details
callstack
7.14 KB, text/plain
Details
testcase-reduced
776 bytes, text/html
Details
Attached file testcase 
A reduced testcase will follow in the next comment.

content/media/AudioNodeEngine.cpp:158

    float
    AudioBlockSumOfSquares(const float* aInput, uint32_t aLength)
    {
      float sum = 0.0f;
      while (aLength--) {
*       sum += *aInput * *aInput;
        ++aInput;
      }
      return sum;
    }

Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/2551c645b782 + ehsan's patch for the Convolver node.
Attached file callstack 

    
    

    
  

      
      
      
      

        Attached file
          
        testcase-reduced
      

    


  
reduced testcase

    
    

    
  
Does this affect Aurora? This is disabled in Beta, right?

          status-firefox24:
          --- → affected

          tracking-firefox24:
          --- → +

    
    

    
  
Can you please test without my patch as well?
Flags: needinfo?(cdiehl)

    
    

    
  
(In reply to Al Billings [:abillings] from comment #3)
> Does this affect Aurora? This is disabled in Beta, right?

This is with the patch to bug 815643 which has not landed yet...

    
    

    
  
Fixed locally, and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/a178af222dd4
Assignee: nobody → ehsan
Flags: needinfo?(cdiehl)

    
    

    
  
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5730140 and the testcase is not reproducible anymore. Fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/a178af222dd4

          status-firefox24:
          affectedfixed
Flags: in-testsuite+
Target Milestone: --- → mozilla24
Whiteboard: [adv-main24-]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: