Closed
Bug 999376
Opened 11 years ago
Closed 11 years ago
Out-of-Bounds Read in WaveShaperNode::ProcessCurve
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla32
People
(Reporter: hofusec, Assigned: karlt)
References
Details
(Keywords: csectype-bounds, sec-moderate)
Attachments
(3 files, 1 obsolete file)
The testcase spawns the debugger with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-04-22-03-02-04-mozilla-central/firefox-31.0a1.en-US.linux-x86_64-asan.tar.bz2.
The asan report is the original report from fuzzing, i'm not able to get the report again.
Stacktrace:
#0 0x00007fffe97b1030 in nsTArray_Impl<float, nsTArrayInfallibleAllocator>::ElementAt (this=<optimized out>, i=<optimized out>)
at ../../dist/include/nsTArray.h:883
#1 0x00007fffeb45c233 in mozilla::dom::WaveShaperNodeEngine::ProcessCurve<1u> (this=<optimized out>, aInputBuffer=<optimized out>,
aOutputBuffer=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/media/webaudio/WaveShaperNode.cpp:196
#2 0x00007fffeb45bd70 in mozilla::dom::WaveShaperNodeEngine::ProcessBlock (this=0x60b0000e5570, aStream=0x6150007b7080, aInput=...,
aOutput=<optimized out>, aFinished=0x7fffb1ef3700)
at /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/media/webaudio/WaveShaperNode.cpp:227
#3 0x00007fffeb3435c3 in mozilla::AudioNodeStream::ProcessInput (this=0x6150007b7080, aFrom=<optimized out>, aFlags=<optimized out>,
aTo=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/media/AudioNodeStream.cpp:430
...
|
Reporter | |
Comment 1•11 years ago
|
||
|
Assignee | |
Comment 2•11 years ago
|
||
|
|
Assignee | |
Comment 3•11 years ago
|
||
The error is due to float not having enough precision to clamp accurately to the buffer length. The length may be up to 2^31/4 = 2^27, while float has 24 bits of precision. There may therefore be up to about 4 elements of error in the clamp, which would be 16 bytes after the end of the array. The ASAN report says 24 bytes after the end of the array, so perhaps there's some situations where the rounding is not to nearest.
Due to the lack of precision, I don't see any way to read more than 4 bytes a short distance before and 4 bytes a short distance after a large allocation.
|
|
Assignee | |
Comment 4•11 years ago
|
||
float did not necessarily have enough precision.
Includes a -1 fix in the multiplier of the input signal to have
"a signal level of zero corresponding to the center value of the curve array".
|
|
Assignee | |
Comment 5•11 years ago
|
||
Comment on attachment 8411588 [details] [diff] [review]
use integers to clamp integer range in WaveShaper curve
This isn't right when index is -ve and rounded up to 0.
Attachment #8411588 -
Flags: review?(ehsan)
|
|
Assignee | |
Comment 6•11 years ago
|
||
(In reply to Karl Tomlinson (:karlt, back May 5) from comment #3)
> Due to the lack of precision, I don't see any way to read more than 4 bytes
> a short distance before and 4 bytes a short distance after a large
> allocation.
Actually there's no precision error with zero, so no way to read before the allocation, only after.
|
|
Assignee | |
Comment 7•11 years ago
|
||
Attachment #8411588 -
Attachment is obsolete: true
Attachment #8411639 -
Flags: review?(ehsan)
|
||
Updated•11 years ago
|
Attachment #8411639 -
Flags: review?(ehsan) → review+
|
|
Assignee | |
Comment 8•11 years ago
|
||
Flags: in-testsuite?
|
|
Assignee | |
Comment 9•11 years ago
|
||
Target Milestone: --- → mozilla32
|
|
Assignee | |
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•10 years ago
|
status-firefox-esr31:
--- → affected
tracking-firefox-esr31:
--- → -
|
||
Updated•10 years ago
|
|
|
Assignee | |
Comment 10•10 years ago
|
||
Group: core-security
Flags: in-testsuite? → in-testsuite+
|
||
Comment 11•10 years ago
|
||
|
|
Assignee | |
Comment 12•10 years ago
|
||
The large memory allocations seem to have resulted in processes being killed on B2G emulator and Android.
https://treeherder.mozilla.org/logviewer.html#?job_id=12231903&repo=mozilla-inbound
18:27:41 INFO - REFTEST TEST-LOAD | http://10.0.2.2:8888/tests/dom/media/test/crashtests/999376.html | 428 / 966 (44%)
18:27:41 INFO - Killed
18:27:41 WARNING - TEST-UNEXPECTED-FAIL | http://10.0.2.2:8888/tests/dom/media/test/crashtests/999376.html | application timed out after 330 seconds with no output
https://treeherder.mozilla.org/logviewer.html#?job_id=12232873&repo=mozilla-inbound
18:44:46 INFO - REFTEST TEST-LOAD | http://10.0.2.2:8854/tests/dom/media/test/crashtests/999376.html | 428 / 1437 (29%)
18:44:56 INFO - INFO | automation.py | Application ran for: 0:10:29.449203
18:44:56 INFO - INFO | zombiecheck | Reading PID log: /tmp/tmpTSalYApidlog
18:44:57 INFO - /data/tombstones does not exist; tombstone check skipped
18:44:58 INFO - WARNING | leakcheck | refcount logging is off, so leaks can't be detected!
18:44:58 INFO - REFTEST INFO | runreftest.py | Running tests: end.
Flags: in-testsuite+ → in-testsuite-
|
|
||
Comment 13•10 years ago
|
||
(In reply to Karl Tomlinson (ni?:karlt) from comment #12)
> The large memory allocations seem to have resulted in processes being killed
> on B2G emulator and Android.
Ugh. I thought we were pretty careful to allocate all large audio buffers fallibly... :(
You need to log in
before you can comment on or make changes to this bug.
Description
•