WebAudio crash [@void mozilla::PodCopy<float>]

VERIFIED FIXED in Firefox 27

Status

critical
VERIFIED FIXED
Reported: 5 years ago
Modified: 4 years ago
People

(Reporter: posidron, Assigned: karlt)

Tracking

(Blocks: 1 bug, {crash, sec-critical, testcase})

Version: Trunk
Target Milestone: mozilla27
Keywords: crash, sec-critical, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox26 unaffected, firefox27+ verified, firefox-esr17 unaffected, firefox-esr24 unaffected, b2g18 unaffected)

Attachments (3)

(Reporter)

Description

5 years ago
Created attachment 810520 [details]
testcase

Most likely introduced through: https://bugzilla.mozilla.org/show_bug.cgi?id=915524

mfbt/PodOperations.h:101

  PodCopy(T* dst, const T* src, size_t nelem)
  {
    MOZ_ASSERT(dst != src);
    MOZ_ASSERT_IF(src < dst, PointerRangeSize(src, static_cast<const T*>(dst)) >= nelem);
    MOZ_ASSERT_IF(dst < src, PointerRangeSize(static_cast<const T*>(dst), src) >= nelem);

    if (nelem < 128) {
      /*
       * Avoid using operator= in this loop, as it may have been
       * intentionally deleted by the POD type.
       */
      for (const T* srcend = src + nelem; src < srcend; src++, dst++)
        PodAssign(dst, src);
    } else {
*     memcpy(dst, src, nelem * sizeof(T));
    }
[...]


Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/e56e8fbacb7c
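The quoted PodCopy shows why the bounds checks on nelem cannot be relied on from inside the copy routine: the MOZ_ASSERT range checks exist only in debug builds, and in a release build the >= 128-element path is a bare memcpy, so the caller's own length arithmetic decides whether the copy stays in bounds. The added example below (not Firefox code, and not the patch attached later in this bug) shows the failure pattern that a "check for overflow in addition" fix addresses: a naive `start + count <= len` test passes after the addition wraps, while an overflow-checked addition rejects the same range. Names such as range_ok_unchecked, range_ok_checked, copy_floats_checked and BUFFER_LEN, the use of the GCC/clang __builtin_add_overflow builtin in place of mozilla::CheckedInt, and the offsets used in the demo are all assumptions for this example, not identifiers or values from the bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer length for this example, in floats (an assumption,
 * not a value taken from the bug). */
#define BUFFER_LEN 1024u

/* Naive bounds check. If start + count wraps around in uint32_t the sum
 * is small, the comparison passes, and a memcpy of `count` elements that
 * trusts this check reads far past the end of the buffer. */
bool range_ok_unchecked(uint32_t start, uint32_t count, uint32_t len)
{
    return start + count <= len;
}

/* Hardened bounds check: a wrapped addition is treated as an error.
 * Mozilla's tree does this with mozilla::CheckedInt; the GCC/clang
 * builtin is used here so the example stands alone. */
bool range_ok_checked(uint32_t start, uint32_t count, uint32_t len)
{
    uint32_t end;
    if (__builtin_add_overflow(start, count, &end))
        return false;
    return end <= len;
}

/* Copy `count` floats from src[start] into dst only when the range is
 * proven in bounds. Returns the number of floats copied, 0 on rejection.
 * The copy itself is a bare memcpy, like PodCopy's release-build path;
 * the bounds decision is made by the caller, which is where it has to
 * live once MOZ_ASSERT is compiled out. */
size_t copy_floats_checked(float *dst, const float *src, uint32_t src_len,
                           uint32_t start, uint32_t count)
{
    if (!range_ok_checked(start, count, src_len))
        return 0;
    memcpy(dst, src + start, (size_t)count * sizeof(float));
    return count;
}

/* Demo: an in-bounds copy of 256 floats from offset 512 of a constructed
 * source buffer. Returns dst[0] + dst[255] (512 + 767 = 1279) as a
 * checksum, or -1 if the copy was refused. */
float demo_valid_copy(void)
{
    static float src[BUFFER_LEN];
    static float dst[256];
    for (uint32_t i = 0; i < BUFFER_LEN; i++)
        src[i] = (float)i;
    if (copy_floats_checked(dst, src, BUFFER_LEN, 512u, 256u) != 256)
        return -1.0f;
    return dst[0] + dst[255];
}

/* Demo: a wrapping range. 0xFFFFFF00 + 0x200 = 0x100000100, which
 * truncates to 0x100 = 256 in uint32_t, so the naive check accepts it
 * against a 1024-float buffer. The checked copy refuses it and copies
 * nothing; the function returns that copy count. */
size_t demo_wrapping_range(void)
{
    static float src[BUFFER_LEN];
    static float dst[256];
    return copy_floats_checked(dst, src, BUFFER_LEN, 0xFFFFFF00u, 0x200u);
}

int main(void)
{
    printf("naive check on wrapping range: %s\n",
           range_ok_unchecked(0xFFFFFF00u, 0x200u, BUFFER_LEN)
               ? "accepted" : "rejected");
    printf("checked copy of wrapping range copied %zu floats\n",
           demo_wrapping_range());
    printf("valid copy checksum: %.0f\n", demo_valid_copy());
    return 0;
}
```

The same pattern applies to any offset-plus-length computation feeding PodCopy or memcpy: check the addition for overflow first, then compare the result against the buffer length, and never let the copy routine's debug-only assertions stand in for that check.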
(Reporter)

Comment 1

5 years ago
Created attachment 810521 [details]
callstack
(Reporter)

Comment 2

5 years ago
Setting this to sec-critical because we are crashing in memcpy(), unaware of what kind of data and size we are using.
Keywords: sec-critical
(Assignee)

Updated

5 years ago
Blocks: 915524
No longer blocks: 915524
status-firefox27: --- → affected
tracking-firefox27: --- → +
status-firefox-esr17: --- → unaffected

Comment 3

5 years ago
So, is this caused by bug 915524?

Comment 4

5 years ago
Well, the stack says yes!

Maire, who should own this?
Blocks: 915524

Updated

5 years ago
Flags: needinfo?(mreavy)

Comment 5

5 years ago
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #4)
> Well, the stack says yes!
> 
> Maire, who should own this?

I'm not sure yet, but I'll find an owner quickly.
Flags: needinfo?(mreavy)
Assignee: nobody → karlt
(Assignee)

Comment 6

5 years ago
Created attachment 810958 [details] [diff] [review]
check for overflow in addition
Attachment #810958 - Flags: review?(ehsan)

Updated

5 years ago
Attachment #810958 - Flags: review?(ehsan) → review+
(Assignee)

Comment 7

5 years ago
Landed just the fix.
I'll land the reduced testcase in attachment 810958 [details] [diff] [review] in a few days.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d976524b8774
Flags: in-testsuite?
(Assignee)

Comment 9

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ae5ae74b4a5
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox26: --- → unaffected
Flags: in-testsuite? → in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Confirmed crash in FF27 2013-09-25.
Verified fixed in FF27 2013-10-07.
Status: RESOLVED → VERIFIED
status-firefox27: fixed → verified
status-b2g18: --- → unaffected
status-firefox-esr24: --- → unaffected
Group: core-security