Closed Bug 933156 Opened 12 years ago Closed 12 years ago

mozilla::dom::PannerNodeEngine::GainStereoToStereo reads out of bounds

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox25 --- unaffected
firefox26 --- verified
firefox27 + verified
firefox28 --- verified
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- fixed

People

(Reporter: jruderman, Assigned: karlt)

References

Details

(5 keywords)

Attachments

(3 files)

testcase (takes 4 seconds)
578 bytes, text/html
Details
stack
3.84 KB, text/plain
Details
don't send null input to EqualPowerPanningFunction
1.24 KB, patch
roc
: review+
bajaj
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
Assertion failure: i < Length() (invalid array index), at nsTArray.h:880
Attached file stack
Karl-- Can you look at this?
Assignee: nobody → karlt
This is a regression from https://hg.mozilla.org/mozilla-central/rev/578c80c21547. It could make two 512-byte blocks of memory accessible to content. The addresses of these blocks are from the two pointer-sized words after nsTArrayHeader::sEmptyHdr. sEmptyHdr is not declared const, so there is the chance of these pointers being influenced by content but that seems unlikely. Considering this a mitigating circumstance, marking sec-moderate.
Status: NEW → ASSIGNED
status-firefox26: --- → unaffected
status-firefox27: --- → affected
tracking-firefox27: --- → ?
Keywords: regression, sec-moderate
OS: Mac OS X → All
> It could make two 512-byte blocks of memory accessible to content. read-accessible, that is.
Blocks: 898291
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 898291 User impact if declined: security risk Testing completed (on m-c, etc.): testcase Risk to taking this patch (and alternatives if risky): very low. small patch + infuence String or IDL/UUID changes made by this patch: none
Attachment #825641 - Flags: approval-mozilla-aurora?
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction [Approval Request Comment] Bug caused by (feature/regressing bug #): User impact if declined: bug 898291 shouldn't land on Beta without this Testing completed (on m-c, etc.): testcase Risk to taking this patch (and alternatives if risky): very low. small patch + small influence String or IDL/UUID changes made by this patch: none
Attachment #825641 - Flags: approval-mozilla-beta?
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction This is marked as unaffected on FF26 - so no need for mozilla-beta approval here.
Attachment #825641 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction We want beta approval for this so that we can land bug 898291 (a noticeable performance win) on Firefox 26. See Comment 7: "User impact if declined: bug 898291 shouldn't land on Beta without this." Bug 898291 was just approved for Beta.
Attachment #825641 - Flags: approval-mozilla-beta- → approval-mozilla-beta?
Attachment #825641 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/c42c1d8bd703
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
b2g-v1.2 shouldn't be affected by this since fx26 isn't. However I'm not sure given the regression was landed the Friday before merge.
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → ?
Attachment #825641 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
I tried to reproduce this issue on a 10/31 Fx26 debug build and on a 10/26 Fx26 ASAN build to see if I can verify it locally. I waited several minutes (for those 4 seconds) and tried this multiple times but it didn't reproduce once. I worked on Ubuntu 12.10 64bit. Any ideas what else I could do to reproduce this bug?
Flags: needinfo?(jruderman)
Landed a slightly reduced test: https://hg.mozilla.org/integration/mozilla-inbound/rev/9768d081b7d8
Flags: in-testsuite+
Group: core-security
Ioana, this bug didn't affect any Firefox 26 builds because the regressing changeset was held back on that branch until this bug's patch had approval. See comment 7 through comment 9.
Flags: needinfo?(jruderman)
(In reply to Jesse Ruderman from comment #19) > Ioana, this bug didn't affect any Firefox 26 builds because the regressing > changeset was held back on that branch until this bug's patch had approval. > See comment 7 through comment 9. Sorry, the status-firefox26 set as fixed threw me off. I reproduced the bug on a 10/31 Nightly ASAN and verified it on current ASAN builds: 11/11 Nightly, 11/11 Aurora, 11/10 Beta. Tested on Ubuntu 12.10 x86_x64.
Status: RESOLVED → VERIFIED
status-firefox26: fixedverified
status-firefox27: fixedverified
status-firefox28: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: