Closed Bug 880384 Opened 12 years ago Closed 12 years ago

WebAudio heap-buffer-overflow crash [@mozilla::PodAssign<float>]

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox23 --- unaffected
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [adv-main24-])

Attachments

(1 file)

testcase
503 bytes, text/html
Details
Attached file testcase
./content/media/webaudio/blink/ReverbConvolverStage.cpp:52 ReverbConvolverStage::ReverbConvolverStage(const float* impulseResponse, size_t, size_t reverbTotalLatency, size_t stageOffset, size_t stageLength, size_t fftSize, size_t renderPhase, size_t renderSliceSize, ReverbAccumulationBuffer* accumulationBuffer, bool directMode) : m_accumulationBuffer(accumulationBuffer) , m_accumulationReadIndex(0) , m_inputReadIndex(0) , m_directMode(directMode) { MOZ_ASSERT(impulseResponse); MOZ_ASSERT(accumulationBuffer); if (!m_directMode) { m_fftKernel = new FFTFrame(fftSize); * m_fftKernel->PerformPaddedFFT(impulseResponse + stageOffset, stageLength); [...] } ... ./content/media/webaudio/FFTFrame.h:56 void PerformPaddedFFT(const float* aData, size_t dataSize) { nsTArray<float> paddedData; paddedData.SetLength(FFTSize()); * PodCopy(paddedData.Elements(), aData, dataSize); PerformFFT(paddedData.Elements()); } ... obj-ff64-asan-opt/dist/include/mozilla/PodOperations.h:77 template<typename T> static void PodAssign(T* dst, const T* src) { MOZ_ASSERT(dst != src); MOZ_ASSERT_IF(src < dst, PointerRangeSize(src, static_cast<const T*>(dst)) >= 1); MOZ_ASSERT_IF(dst < src, PointerRangeSize(static_cast<const T*>(dst), src) >= 1); * memcpy(reinterpret_cast<char*>(dst), reinterpret_cast<const char*>(src), sizeof(T)); } Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/2551c645b782 + ehsan's patch for the Convolver node.
Does this affect Aurora? This is disabled in Beta, right?
status-firefox24: --- → affected
tracking-firefox24: --- → +
Can you please test without my patch as well?
Flags: needinfo?(cdiehl)
(In reply to Al Billings [:abillings] from comment #1) > Does this affect Aurora? This is disabled in Beta, right? This is with the patch to bug 815643 which has not landed yet...
Fixed locally and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/4a4d474f2484
Flags: needinfo?(cdiehl)
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5730140 and the testcase is not reproducible anymore. Fixed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee: nobody → ehsan
https://hg.mozilla.org/mozilla-central/rev/4a4d474f2484
status-firefox24: affectedfixed
Flags: in-testsuite+
Target Milestone: --- → mozilla24
Whiteboard: [adv-main24-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: