Closed
Bug 933156
Opened 11 years ago
Closed 11 years ago
mozilla::dom::PannerNodeEngine::GainStereoToStereo reads out of bounds
Categories
(Core :: Web Audio, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
| Tracking | Status | |
|---|---|---|
| firefox25 | --- | unaffected |
| firefox26 | --- | verified |
| firefox27 | + | verified |
| firefox28 | --- | verified |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | fixed |
People
(Reporter: jruderman, Assigned: karlt)
References
Details
(5 keywords)
Attachments
(3 files)
|
578 bytes,
text/html
|
Details | |
|
3.84 KB,
text/plain
|
Details | |
|
1.24 KB,
patch
|
roc
:
review+
bajaj
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
Assertion failure: i < Length() (invalid array index), at nsTArray.h:880
|
Reporter | |
Comment 1•11 years ago
|
||
|
Assignee | |
Comment 3•11 years ago
|
||
This is a regression from https://hg.mozilla.org/mozilla-central/rev/578c80c21547. It could make two 512-byte blocks of memory accessible to content. The addresses of these blocks are from the two pointer-sized words after nsTArrayHeader::sEmptyHdr. sEmptyHdr is not declared const, so there is the chance of these pointers being influenced by content but that seems unlikely. Considering this a mitigating circumstance, marking sec-moderate.
Status: NEW → ASSIGNED
status-firefox26:
--- → unaffected
status-firefox27:
--- → affected
tracking-firefox27:
--- → ?
Keywords: regression,
sec-moderate
|
|
Assignee | |
Updated•11 years ago
|
OS: Mac OS X → All
|
|
Assignee | |
Comment 4•11 years ago
|
||
> It could make two 512-byte blocks of memory accessible to content.
read-accessible, that is.|
|
Assignee | |
Comment 5•11 years ago
|
||
Attachment #825641 -
Flags: review?(roc)
Attachment #825641 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 6•11 years ago
|
||
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 898291 User impact if declined: security risk Testing completed (on m-c, etc.): testcase Risk to taking this patch (and alternatives if risky): very low. small patch + infuence String or IDL/UUID changes made by this patch: none
Attachment #825641 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 7•11 years ago
|
||
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction [Approval Request Comment] Bug caused by (feature/regressing bug #): User impact if declined: bug 898291 shouldn't land on Beta without this Testing completed (on m-c, etc.): testcase Risk to taking this patch (and alternatives if risky): very low. small patch + small influence String or IDL/UUID changes made by this patch: none
Attachment #825641 -
Flags: approval-mozilla-beta?
|
||
Comment 8•11 years ago
|
||
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction This is marked as unaffected on FF26 - so no need for mozilla-beta approval here.
Attachment #825641 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
|
||
Comment 9•11 years ago
|
||
Comment on attachment 825641 [details] [diff] [review] don't send null input to EqualPowerPanningFunction We want beta approval for this so that we can land bug 898291 (a noticeable performance win) on Firefox 26. See Comment 7: "User impact if declined: bug 898291 shouldn't land on Beta without this." Bug 898291 was just approved for Beta.
Attachment #825641 -
Flags: approval-mozilla-beta- → approval-mozilla-beta?
|
||
Updated•11 years ago
|
Attachment #825641 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Updated•11 years ago
|
|
||
Comment 11•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #10) > https://hg.mozilla.org/integration/mozilla-inbound/rev/2e6063aa9b77 Wrong cset. This is the right one: https://hg.mozilla.org/integration/mozilla-inbound/rev/c42c1d8bd703
|
|
||
Comment 12•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/7b2d872b4496
status-firefox28:
--- → affected
https://hg.mozilla.org/mozilla-central/rev/c42c1d8bd703
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
||
Comment 14•11 years ago
|
||
b2g-v1.2 shouldn't be affected by this since fx26 isn't. However I'm not sure given the regression was landed the Friday before merge.
|
|
||
Updated•11 years ago
|
Attachment #825641 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Updated•11 years ago
|
status-firefox25:
--- → unaffected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
|
||
Comment 17•11 years ago
|
||
I tried to reproduce this issue on a 10/31 Fx26 debug build and on a 10/26 Fx26 ASAN build to see if I can verify it locally. I waited several minutes (for those 4 seconds) and tried this multiple times but it didn't reproduce once. I worked on Ubuntu 12.10 64bit. Any ideas what else I could do to reproduce this bug?
Flags: needinfo?(jruderman)
|
|
Assignee | |
Comment 18•11 years ago
|
||
Landed a slightly reduced test: https://hg.mozilla.org/integration/mozilla-inbound/rev/9768d081b7d8
Flags: in-testsuite+
|
|
Assignee | |
Updated•11 years ago
|
Group: core-security
|
|
Reporter | |
Comment 19•11 years ago
|
||
Ioana, this bug didn't affect any Firefox 26 builds because the regressing changeset was held back on that branch until this bug's patch had approval. See comment 7 through comment 9.
Flags: needinfo?(jruderman)
|
|
||
Comment 21•11 years ago
|
||
(In reply to Jesse Ruderman from comment #19) > Ioana, this bug didn't affect any Firefox 26 builds because the regressing > changeset was held back on that branch until this bug's patch had approval. > See comment 7 through comment 9. Sorry, the status-firefox26 set as fixed threw me off. I reproduced the bug on a 10/31 Nightly ASAN and verified it on current ASAN builds: 11/11 Nightly, 11/11 Aurora, 11/10 Beta. Tested on Ubuntu 12.10 x86_x64.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•