Closed Bug 920987 Opened 11 years ago Closed 11 years ago

WebAudio crash [@void mozilla::PodCopy<float>]

Categories

(Core :: Web Audio, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla27
Tracking Status
firefox26 --- unaffected
firefox27 + verified
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: karlt)

References

Details

(Keywords: crash, sec-critical, testcase)

Attachments

(3 files)

Attached file testcase
Most likely introduced through: https://bugzilla.mozilla.org/show_bug.cgi?id=915524

mfbt/PodOperations.h:101

  PodCopy(T* dst, const T* src, size_t nelem)
  {
    MOZ_ASSERT(dst != src);
    MOZ_ASSERT_IF(src < dst, PointerRangeSize(src, static_cast<const T*>(dst)) >= nelem);
    MOZ_ASSERT_IF(dst < src, PointerRangeSize(static_cast<const T*>(dst), src) >= nelem);

    if (nelem < 128) {
      /*
       * Avoid using operator= in this loop, as it may have been
       * intentionally deleted by the POD type.
       */
      for (const T* srcend = src + nelem; src < srcend; src++, dst++)
        PodAssign(dst, src);
    } else {
*     memcpy(dst, src, nelem * sizeof(T));
    }
[...]


Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/e56e8fbacb7c
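As an added example (not Mozilla code and not the patch that landed for this bug): the range checks in the PodCopy fragment quoted above are MOZ_ASSERTs, which compile to nothing in release builds, so an element count that does not fit either buffer reaches memcpy unchecked. The hypothetical CheckedPodCopy below carries explicit lengths for both buffers and refuses the copy instead of overrunning; the 256- and 128-sample buffers in the demo functions are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical hardened variant of PodCopy (example code, not mfbt's).
// Unlike the original, whose MOZ_ASSERT range checks vanish in release
// builds, this version takes the capacity of both buffers and returns
// false, leaving dst untouched, when the requested count does not fit.
template <typename T>
bool CheckedPodCopy(T* dst, size_t dstCapacity,
                    const T* src, size_t srcLength, size_t nelem)
{
  if (!dst || !src || dst == src) {
    return false;
  }
  // The element count must fit in both the source and the destination.
  if (nelem > srcLength || nelem > dstCapacity) {
    return false;
  }
  // Guard the byte-count multiplication against overflow.
  if (nelem > SIZE_MAX / sizeof(T)) {
    return false;
  }
  // Reject overlapping ranges: memcpy is undefined on overlap.
  uintptr_t s = reinterpret_cast<uintptr_t>(src);
  uintptr_t d = reinterpret_cast<uintptr_t>(dst);
  size_t bytes = nelem * sizeof(T);
  if (s < d + bytes && d < s + bytes) {
    return false;
  }
  // Same small-count / memcpy split as the original PodCopy. The original
  // uses PodAssign to sidestep a deleted operator=; plain assignment is
  // fine here because the example only copies built-in types.
  if (nelem < 128) {
    for (const T* srcend = src + nelem; src < srcend; src++, dst++) {
      *dst = *src;
    }
  } else {
    std::memcpy(dst, src, bytes);
  }
  return true;
}

// Constructed scenario: a 256-sample block offered to a 128-sample
// destination. The copy must be refused and the destination left as is.
bool RejectsOversizedBlock()
{
  std::vector<float> src(256, 0.5f);
  std::vector<float> dst(128, 0.0f);
  bool ok = CheckedPodCopy(dst.data(), dst.size(),
                           src.data(), src.size(), src.size());
  return !ok && dst[0] == 0.0f && dst[127] == 0.0f;
}

// Constructed scenario: copy nelem (< 256) samples of a ramp into a
// 256-sample destination. nelem below 128 exercises the loop path,
// 128 or above the memcpy path; samples past nelem must stay zero.
bool CopiesFittingBlock(size_t nelem)
{
  std::vector<float> src(256);
  for (size_t i = 0; i < src.size(); i++) {
    src[i] = static_cast<float>(i);
  }
  std::vector<float> dst(256, 0.0f);
  bool ok = CheckedPodCopy(dst.data(), dst.size(),
                           src.data(), src.size(), nelem);
  return ok && dst[nelem - 1] == static_cast<float>(nelem - 1)
            && dst[nelem] == 0.0f;
}

// Constructed scenario: source and destination share storage.
bool RejectsOverlap()
{
  float buf[300] = {0};
  return !CheckedPodCopy(buf + 100, 200, buf, 300, 150);
}
```

The point of carrying both lengths is that the check survives in release builds, where the crash in this bug occurred; a caller that cannot supply a trustworthy destination capacity is exactly the caller that should not be handed a raw memcpy.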
Attached file callstack
Setting this to sec-critical because we are crashing in memcpy() and we are unaware of what kind of data and size we are using.
Keywords: sec-critical
Blocks: 915524
So, is this caused by bug 915524?
Well, the stack says yes!

Maire, who should own this?
Blocks: 915524
Flags: needinfo?(mreavy)
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #4)
> Well, the stack says yes!
> 
> Maire, who should own this?

I'm not sure yet, but I'll find an owner quickly.
Flags: needinfo?(mreavy)
Assignee: nobody → karlt
Attachment #810958 - Flags: review?(ehsan)
Attachment #810958 - Flags: review?(ehsan) → review+
Landed just the fix.
I'll land the reduced testcase in attachment 810958 in a few days.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d976524b8774
Flags: in-testsuite?
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ae5ae74b4a5
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite? → in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Confirmed crash in FF27 2013-09-25.
Verified fixed in FF27 2013-10-07.
Status: RESOLVED → VERIFIED
Group: core-security