WebAudio heap-buffer-overflow crash [@mozilla::AudioBlockInPlaceScale]

RESOLVED FIXED in Firefox 24

Status: RESOLVED FIXED
Product / Component: Core / Web Audio
Priority: --
Severity: critical
Reported: 5 years ago; last modified: 4 years ago

People: Reporter: posidron; Assigned: Ehsan

Tracking: Blocks 1 bug; 4 keywords
Version: Trunk
Target Milestone: mozilla24
Platform: x86_64, Mac OS X
Keywords: crash, csectype-bounds, sec-critical, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox23 unaffected, firefox24+ fixed, firefox-esr17 unaffected, b2g18 unaffected

Whiteboard: [adv-main24-]

Attachments: 2 attachments, 1 obsolete attachment

(Reporter)

Description

5 years ago
Created attachment 759352 [details]
testcase

./content/media/AudioNodeEngine.cpp:117

void
AudioBlockInPlaceScale(float aBlock[WEBAUDIO_BLOCK_SIZE],
                       uint32_t aChannelCount,
                       float aScale)
{
  if (aScale == 1.0f) {
    return;
  }
  for (uint32_t i = 0; i < WEBAUDIO_BLOCK_SIZE * aChannelCount; ++i) {
    *aBlock++ *= aScale;   // <- crashing line marked by the reporter
  }
}


Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/2551c645b782 + ehsan's patch for the Convolver node.
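Added example, not code from the report or from Mozilla's fix: the function as quoted above, a hypothetical checked variant that takes the buffer's real capacity (not a Gecko API), and a harness that makes the out-of-range write observable inside a guard region of the example's own allocation. WEBAUDIO_BLOCK_SIZE = 128 is assumed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed for this example: one Web Audio block is 128 frames.
constexpr uint32_t WEBAUDIO_BLOCK_SIZE = 128;

// The function as quoted in the report. The float[N] parameter decays to a
// plain pointer, and the loop runs WEBAUDIO_BLOCK_SIZE * aChannelCount times,
// so it touches aChannelCount blocks, not the single block the signature
// suggests. A caller that hands over a smaller buffer gets the reported overflow.
void AudioBlockInPlaceScale(float aBlock[WEBAUDIO_BLOCK_SIZE],
                            uint32_t aChannelCount, float aScale) {
  if (aScale == 1.0f) return;
  for (uint32_t i = 0; i < WEBAUDIO_BLOCK_SIZE * aChannelCount; ++i) {
    *aBlock++ *= aScale;
  }
}

// Hypothetical checked variant (added here, not Mozilla's fix): the caller
// states how many floats the buffer really holds, and the scale is refused
// when the channel count would walk past that capacity.
bool AudioBlockInPlaceScaleChecked(float* aBlock, size_t aCapacity,
                                   uint32_t aChannelCount, float aScale) {
  const size_t needed = static_cast<size_t>(WEBAUDIO_BLOCK_SIZE) * aChannelCount;
  if (needed > aCapacity) return false;  // would overflow: reject, do nothing
  if (aScale == 1.0f) return true;
  for (size_t i = 0; i < needed; ++i) aBlock[i] *= aScale;
  return true;
}

// Harness: allocate one block plus a guard region filled with a sentinel,
// run the unchecked scale with the given channel count, and count how many
// guard floats changed. The guard belongs to this allocation, so the write
// is observable without undefined behaviour; in the real bug the same write
// landed in unrelated heap memory.
size_t GuardFloatsClobbered(uint32_t aChannelCount, float aScale) {
  const float kSentinel = 12345.0f;
  const size_t guard = static_cast<size_t>(WEBAUDIO_BLOCK_SIZE) * aChannelCount;
  std::vector<float> buf(WEBAUDIO_BLOCK_SIZE + guard, 1.0f);
  std::fill(buf.begin() + WEBAUDIO_BLOCK_SIZE, buf.end(), kSentinel);
  AudioBlockInPlaceScale(buf.data(), aChannelCount, aScale);
  return static_cast<size_t>(std::count_if(
      buf.begin() + WEBAUDIO_BLOCK_SIZE, buf.end(),
      [&](float v) { return v != kSentinel; }));
}
```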
(Reporter)

Comment 1

5 years ago
Created attachment 759354 [details]
callstack
(Reporter)

Comment 2

5 years ago
Created attachment 759356 [details]
callstack
Attachment #759354 - Attachment is obsolete: true

Comment 3

5 years ago
Does this affect Aurora? This is disabled in Beta, right?
status-firefox24: --- → affected
tracking-firefox24: --- → +
(Assignee)

Comment 4

5 years ago
Can you please test without my patch as well?
Flags: needinfo?(cdiehl)
(Assignee)

Comment 5

5 years ago
(In reply to Al Billings [:abillings] from comment #3)
> Does this affect Aurora? This is disabled in Beta, right?

This is with the patch to bug 815643 which has not landed yet...
(Assignee)

Updated

5 years ago
Flags: needinfo?(cdiehl)
(Assignee)

Comment 6

5 years ago
Fixed locally and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/c18dc1499470
(Reporter)

Comment 7

5 years ago
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5730140 and the testcase is not reproducible anymore. Fixed.
Assignee: nobody → ehsan
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
https://hg.mozilla.org/mozilla-central/rev/c18dc1499470
status-firefox24: affected → fixed
Flags: in-testsuite+
Target Milestone: --- → mozilla24

Updated

5 years ago
status-firefox23: --- → unaffected
status-firefox-esr17: --- → unaffected

Updated

5 years ago
Whiteboard: [adv-main24-]
status-b2g18: --- → unaffected
Group: core-security