WebAudio heap-buffer-overflow crash [@mozilla::PodAssign<float>]

RESOLVED FIXED in Firefox 24

Status

()

defect
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: posidron, Assigned: Ehsan)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
mozilla24
x86_64
macOS
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox23 unaffected, firefox24+ fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main24-])

Attachments

(1 attachment)

Reporter

Description

6 years ago
Posted file testcase
./content/media/webaudio/blink/ReverbConvolverStage.cpp:52

ReverbConvolverStage::ReverbConvolverStage(const float* impulseResponse, size_t, size_t reverbTotalLatency, size_t stageOffset, size_t stageLength,
                                           size_t fftSize, size_t renderPhase, size_t renderSliceSize, ReverbAccumulationBuffer* accumulationBuffer, bool directMode)
    : m_accumulationBuffer(accumulationBuffer)
    , m_accumulationReadIndex(0)
    , m_inputReadIndex(0)
    , m_directMode(directMode)
{
    MOZ_ASSERT(impulseResponse);
    MOZ_ASSERT(accumulationBuffer);

    if (!m_directMode) {
        m_fftKernel = new FFTFrame(fftSize);
*       m_fftKernel->PerformPaddedFFT(impulseResponse + stageOffset, stageLength);
[...]
}


...


./content/media/webaudio/FFTFrame.h:56

  void PerformPaddedFFT(const float* aData, size_t dataSize)
  {
    nsTArray<float> paddedData;
    paddedData.SetLength(FFTSize());
*   PodCopy(paddedData.Elements(), aData, dataSize);
    PerformFFT(paddedData.Elements());
  }


...


obj-ff64-asan-opt/dist/include/mozilla/PodOperations.h:77

template<typename T>
static void
PodAssign(T* dst, const T* src)
{
  MOZ_ASSERT(dst != src);
  MOZ_ASSERT_IF(src < dst, PointerRangeSize(src, static_cast<const T*>(dst)) >= 1);
  MOZ_ASSERT_IF(dst < src, PointerRangeSize(static_cast<const T*>(dst), src) >= 1);
* memcpy(reinterpret_cast<char*>(dst), reinterpret_cast<const char*>(src), sizeof(T));
}


Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/2551c645b782 + ehsan's patch for the Convolver node.
Does this affect Aurora? This is disabled in Beta, right?
Can you please test without my patch as well?
Flags: needinfo?(cdiehl)
(In reply to Al Billings [:abillings] from comment #1)
> Does this affect Aurora? This is disabled in Beta, right?

This is with the patch to bug 815643 which has not landed yet...
Flags: needinfo?(cdiehl)
Reporter

Comment 5

6 years ago
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5730140 and the testcase is not reproducible anymore. Fixed.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Assignee: nobody → ehsan
https://hg.mozilla.org/mozilla-central/rev/4a4d474f2484
Flags: in-testsuite+
Target Milestone: --- → mozilla24
Whiteboard: [adv-main24-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.