Closed Bug 881775 Opened 7 years ago Closed 7 years ago

WebAudio Assertion failure: i < Length() (invalid array index) and crash [@mozilla::DownmixAndInterleave]

Categories

(Core :: Audio/Video, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24
Tracking Status
firefox23 --- disabled
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main24-])

Attachments

(4 files, 1 obsolete file)

Attached file testcase (obsolete)
./content/media/AudioSegment.cpp

    for (uint32_t i = 0; i < aChannelData.Length(); ++i) {
      channelData[i] = aChannelData[i];
    }


Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/86413e921d5d
Group: core-security
Attached file callstack
Attached file callstack-debug-build
This code was added in bug 842243, so this has nothing to do with Web Audio.
Blocks: 842243
Component: Web Audio → Video/Audio
Assignee: nobody → slin
No longer blocks: webaudio
Hmm, looking at the code, here <https://hg.mozilla.org/mozilla-central/rev/e59ac8e0e410#l1.52> channelData's size will be 0 as far as I can tell, so if we ever get into this loop then we're going to access the array out of bounds, unless I'm missing something.
Attached file testcase
reduced testcase
Attachment #760990 - Attachment is obsolete: true
Attached patch Patch (v1)
The check before calling AudioChannelsDownMix is necessary because that function asserts if it finds out that it doesn't need to do any work.
Assignee: slin → ehsan
Status: NEW → ASSIGNED
Attachment #761173 - Flags: review?(roc)
https://hg.mozilla.org/mozilla-central/rev/66d987002b36
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Whiteboard: [adv-main24-]
Group: core-security
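The out-of-bounds pattern discussed in the comments above, as an added C++ example that is not Mozilla's code or the attached patch. `CheckedArray`, `CopyUnsized` and `CopySized` are hypothetical names, and the throwing `operator[]` stands in for the array's `i < Length()` assertion.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for a length-checked array: operator[] throws where
// a debug build would trip an "i < Length()" assertion.
template <typename T>
class CheckedArray {
 public:
  void SetLength(std::size_t n) { data_.resize(n); }
  std::size_t Length() const { return data_.size(); }
  T& operator[](std::size_t i) {
    if (i >= data_.size()) throw std::out_of_range("i < Length()");
    return data_[i];
  }
 private:
  std::vector<T> data_;
};

using Channels = std::vector<const float*>;

// Pattern from the report: the destination is still empty when the loop runs.
// Returns false when an out-of-bounds index was attempted.
bool CopyUnsized(const Channels& src) {
  CheckedArray<const float*> dst;  // Length() == 0
  try {
    for (std::size_t i = 0; i < src.size(); ++i) dst[i] = src[i];
  } catch (const std::out_of_range&) {
    return false;
  }
  return true;
}

// Hardened form: size the destination from the source before indexing it.
std::size_t CopySized(const Channels& src) {
  CheckedArray<const float*> dst;
  dst.SetLength(src.size());
  for (std::size_t i = 0; i < src.size(); ++i) dst[i] = src[i];
  return dst.Length();
}

int main() {
  static const float l[4] = {0}, r[4] = {0};  // constructed sample buffers
  Channels stereo = {l, r};
  return (!CopyUnsized(stereo) && CopySized(stereo) == 2) ? 0 : 1;
}
```

With an empty source the unsized loop never executes, so the defect only surfaces once at least one channel is present.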