Closed Bug 880404 Opened 7 years ago Closed 7 years ago

WebAudio heap-buffer-overflow crash [@mozilla::AudioBlockInPlaceScale]

Categories

(Core :: Web Audio, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main24-])

Attachments

(2 files, 1 obsolete file)

Attached file testcase
./content/media/AudioNodeEngine.cpp:117

void
AudioBlockInPlaceScale(float aBlock[WEBAUDIO_BLOCK_SIZE],
                       uint32_t aChannelCount,
                       float aScale)
{
  if (aScale == 1.0f) {
    return;
  }
  for (uint32_t i = 0; i < WEBAUDIO_BLOCK_SIZE * aChannelCount; ++i) {
    *aBlock++ *= aScale;   // crash site: heap-buffer-overflow write reported here
  }
}


Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/2551c645b782 + ehsan's patch for the Convolver node.
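A hardened form of the loop above, added here as an illustration and not Gecko's code nor the patch that fixed this bug: the caller passes the number of floats actually allocated behind the block, so a channel count that would run past the allocation is rejected instead of written. `WEBAUDIO_BLOCK_SIZE` is set to 128 (assumed to match Gecko's value) and the function and helper names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed for this example; Gecko defines WEBAUDIO_BLOCK_SIZE as 128.
static const uint32_t WEBAUDIO_BLOCK_SIZE = 128;

// Hypothetical hardened variant (not Gecko's code): aBlockCapacity is the
// number of floats the caller actually allocated behind aBlock. The scale is
// refused when WEBAUDIO_BLOCK_SIZE * aChannelCount would exceed it, which is
// exactly the write the original loop performs unchecked.
// Returns true on success, false if the request would overflow the buffer.
bool AudioBlockInPlaceScaleChecked(float* aBlock, size_t aBlockCapacity,
                                   uint32_t aChannelCount, float aScale)
{
  if (aScale == 1.0f) {
    return true;
  }
  // Compute the element count in 64 bits so the product itself cannot wrap.
  uint64_t needed = static_cast<uint64_t>(WEBAUDIO_BLOCK_SIZE) * aChannelCount;
  if (needed > aBlockCapacity) {
    return false;  // channel count does not fit the allocation: do not touch it
  }
  for (uint64_t i = 0; i < needed; ++i) {
    aBlock[i] *= aScale;
  }
  return true;
}

// Test helper: allocates a block of bufferChannels channels filled with 1.0f,
// asks to scale requestedChannels, and reports whether the call was accepted
// together with the first and last sample so a caller can see what changed.
struct ScaleResult { bool accepted; float first; float last; };

ScaleResult RunScale(uint32_t bufferChannels, uint32_t requestedChannels, float scale)
{
  std::vector<float> block(WEBAUDIO_BLOCK_SIZE * bufferChannels, 1.0f);
  bool ok = AudioBlockInPlaceScaleChecked(block.data(), block.size(),
                                          requestedChannels, scale);
  return { ok, block.front(), block.back() };
}
```

With the original signature the mismatch between the buffer's real channel count and `aChannelCount` is invisible to the callee; the check above makes that mismatch a detectable failure rather than a heap write past the end.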
Attached file callstack (obsolete)
Attached file callstack
Attachment #759354 - Attachment is obsolete: true
Does this affect Aurora? This is disabled in Beta, right?
Can you please test without my patch as well?
Flags: needinfo?(cdiehl)
(In reply to Al Billings [:abillings] from comment #3)
> Does this affect Aurora? This is disabled in Beta, right?

This is with the patch to bug 815643 which has not landed yet...
Flags: needinfo?(cdiehl)
Fixed locally and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/c18dc1499470
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5730140 and the testcase is not reproducible anymore. Fixed.
Assignee: nobody → ehsan
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
https://hg.mozilla.org/mozilla-central/rev/c18dc1499470
Flags: in-testsuite+
Target Milestone: --- → mozilla24
Whiteboard: [adv-main24-]
Group: core-security