WebAudio crash [@mozilla::AudioChannelsUpMix]

RESOLVED FIXED in Firefox 25

Status


defect
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: posidron, Assigned: Ehsan)

Tracking

(Blocks 1 bug, {crash, sec-moderate, testcase})

unspecified
mozilla26
x86_64
macOS

Firefox Tracking Flags

(firefox24 disabled, firefox25 fixed, firefox26 fixed, firefox-esr17 unaffected, firefox-esr24 disabled, b2g18 unaffected)

Details

(Whiteboard: [blocking-webaudio+])

Attachments

(3 attachments)

Reporter

Description

6 years ago
Posted file testcase
content/media/AudioChannelFormat.cpp:85

83	  if (inputChannelCount < CUSTOM_CHANNEL_LAYOUTS &&
84	      outputChannelCount <= CUSTOM_CHANNEL_LAYOUTS) {
85	    const UpMixMatrix& m = gUpMixMatrices[
86	      gMixingMatrixIndexByChannels[inputChannelCount - 1] +
87	      outputChannelCount - inputChannelCount - 1];


Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/a24cbd51b6f7
+ https://bugzilla.mozilla.org/show_bug.cgi?id=865253
Reporter

Comment 1

6 years ago
Posted file callstack
Assignee

Comment 2

6 years ago
Posted patch Patch (v1)
Somebody (me?) made the mistake of not checking for empty channel data here...
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #790978 - Flags: review?(roc)
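
An added example, not the patch attached to this bug and not Mozilla's code: a stand-alone C++ illustration of the subscript on lines 85-87 of the snippet, with the empty-channel check that comment 2 says was missing made explicit. The value of CUSTOM_CHANNEL_LAYOUTS, the index table, the matrix count and the helper names are assumptions for illustration.

```cpp
#include <cstdint>

// Assumed for illustration; the page shows only the names, not the values.
constexpr uint32_t CUSTOM_CHANNEL_LAYOUTS = 6;
constexpr int64_t kMatrixCount = 15;  // one matrix per pair 1 <= in < out <= 6
constexpr int kIndexByChannels[CUSTOM_CHANNEL_LAYOUTS - 1] = {0, 5, 9, 12, 14};
constexpr int64_t kNoMatrix = -1;     // sentinel: no valid table entry

// The guard exactly as written on lines 83-84 of the snippet.
bool SnippetGuardAccepts(uint32_t in, uint32_t out) {
  return in < CUSTOM_CHANNEL_LAYOUTS && out <= CUSTOM_CHANNEL_LAYOUTS;
}

// Hardened lookup (hypothetical helper): validates every term of the
// subscript on lines 85-87 before computing it.
int64_t CheckedMatrixIndex(uint32_t in, uint32_t out) {
  if (in == 0) return kNoMatrix;    // empty channel data: in - 1 would wrap
  if (out <= in) return kNoMatrix;  // not an up-mix: offset would be negative
  if (!SnippetGuardAccepts(in, out)) return kNoMatrix;  // no table for layout
  int64_t idx = static_cast<int64_t>(kIndexByChannels[in - 1]) +
                static_cast<int64_t>(out) - static_cast<int64_t>(in) - 1;
  if (idx < 0 || idx >= kMatrixCount) return kNoMatrix;  // defence in depth
  return idx;
}

// Counts channel-count pairs that the snippet's guard lets through but the
// hardened lookup refuses, i.e. pairs that would yield a wrong or
// out-of-range subscript if used unchecked.
int CountUnsafeAcceptedPairs() {
  int n = 0;
  for (uint32_t in = 0; in <= CUSTOM_CHANNEL_LAYOUTS; ++in)
    for (uint32_t out = 0; out <= CUSTOM_CHANNEL_LAYOUTS; ++out)
      if (SnippetGuardAccepts(in, out) &&
          CheckedMatrixIndex(in, out) == kNoMatrix)
        ++n;
  return n;
}
```

Whether callers already guarantee `out > in` is not shown on this page, so the helper checks it itself.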
Assignee

Comment 3

6 years ago
Comment on attachment 790978 [details] [diff] [review]
Patch (v1)

This is a bug in Web Audio, which affects Firefox 25 and 26.  The fix is very simple and very safe.  With enough effort, one could perhaps construct a test case based on the fix, but I don't think that's a severe issue since this bug doesn't affect any stable channels.
Attachment #790978 - Flags: sec-approval?
Attachment #790978 - Flags: approval-mozilla-aurora?

Comment 4

Comment on attachment 790978 [details] [diff] [review]
Patch (v1)

I'll ignore the lack of a security rating here but it would be good to have one.
Attachment #790978 - Flags: sec-approval?
Attachment #790978 - Flags: sec-approval+
Attachment #790978 - Flags: approval-mozilla-aurora?
Attachment #790978 - Flags: approval-mozilla-aurora+
Reporter

Comment 5

6 years ago
(In reply to Al Billings [:abillings] from comment #4)
> Comment on attachment 790978 [details] [diff] [review]
> Patch (v1)
> 
> I'll ignore the lack of a security rating here but it would be good to have
> one.

Marking this as sec-moderate. Based on comment 3 I presume that this bug was not introduced with the applied patch for the Oscillator node.
Keywords: sec-moderate
Assignee

Comment 6

6 years ago
(In reply to Christoph Diehl [:cdiehl] from comment #5)
> (In reply to Al Billings [:abillings] from comment #4)
> > Comment on attachment 790978 [details] [diff] [review]
> > Patch (v1)
> > 
> > I'll ignore the lack of a security rating here but it would be good to have
> > one.
> 
> Marking this as sec-moderate.

I think that's fair.

> Based on comment 3 I presume that this bug was
> not introduced with the applied patch for the Oscillator node.

No, it wasn't.  This is a bug in the general mixing code that we use for all kinds of AudioNode connections.
Assignee

Comment 7

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/223d191a1e62
Whiteboard: [blocking-webaudio+][checkin-needed-aurora]
https://hg.mozilla.org/mozilla-central/rev/223d191a1e62
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
https://hg.mozilla.org/releases/mozilla-aurora/rev/561f74e56882
Whiteboard: [blocking-webaudio+][checkin-needed-aurora] → [blocking-webaudio+]
Group: core-security