Closed Bug 880724 Opened 11 years ago Closed 11 years ago

WebAudio heap-buffer-overflow crash [@mozilla::PodAssign<float>]

Categories

(Core :: Web Audio, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24
Tracking Status
firefox22 --- disabled
firefox23 --- disabled
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(Keywords: crash, csectype-bounds, sec-critical, Whiteboard: [adv-main24-])

Attachments

(2 files)

Attached file testcase
Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/c18dc1499470 and Ehsan's patch for the Convolver node which is available here https://gist.github.com/ehsan/5730140

NOTE: The stack is similar to bug 880384 but Ehsan fixed this bug locally and updated his Convolver node patch; the testcase in that bug is also not working anymore.
Attached file callstack
Fixed locally and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/050f5a9a15b5
Assignee: nobody → ehsan
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5731909 and the testcase is not reproducible anymore. Fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
https://hg.mozilla.org/mozilla-central/rev/050f5a9a15b5

(In reply to Christoph Diehl [:cdiehl] from comment #3)
> Tested it again with Ehsan's updated patch
> https://gist.github.com/ehsan/5731909 and the testcase is not reproducible
> anymore. Fixed.

No harm done, but we normally leave bugs open until they merge into mozilla-central :-)
Target Milestone: --- → mozilla24
Ed, this bug is about preemptive fuzzing on a patch that is not even finished nor pushed to even mozilla-inbound, so I think this is the right thing to do.
How far back does this bug go? Was it trunk only? I know Web Audio is disabled on 22 and 23 (as I recall) but were they affected as well?
Please see comment 0 and comment 5.
Whiteboard: [adv-main24-]
Group: core-security