Closed
Bug 999376
Opened 10 years ago
Closed 10 years ago
Out-of-Bounds Read in WaveShaperNode::ProcessCurve
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla32
People
(Reporter: hofusec, Assigned: karlt)
References
Details
(Keywords: csectype-bounds, sec-moderate)
Attachments
(3 files, 1 obsolete file)
The testcase spawns the debugger with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-04-22-03-02-04-mozilla-central/firefox-31.0a1.en-US.linux-x86_64-asan.tar.bz2. The asan report is the original report from fuzzing, i'm not able to get the report again. Stacktrace: #0 0x00007fffe97b1030 in nsTArray_Impl<float, nsTArrayInfallibleAllocator>::ElementAt (this=<optimized out>, i=<optimized out>) at ../../dist/include/nsTArray.h:883 #1 0x00007fffeb45c233 in mozilla::dom::WaveShaperNodeEngine::ProcessCurve<1u> (this=<optimized out>, aInputBuffer=<optimized out>, aOutputBuffer=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/media/webaudio/WaveShaperNode.cpp:196 #2 0x00007fffeb45bd70 in mozilla::dom::WaveShaperNodeEngine::ProcessBlock (this=0x60b0000e5570, aStream=0x6150007b7080, aInput=..., aOutput=<optimized out>, aFinished=0x7fffb1ef3700) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/media/webaudio/WaveShaperNode.cpp:227 #3 0x00007fffeb3435c3 in mozilla::AudioNodeStream::ProcessInput (this=0x6150007b7080, aFrom=<optimized out>, aFlags=<optimized out>, aTo=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/media/AudioNodeStream.cpp:430 ...
|
Reporter | |
Comment 1•10 years ago
|
||
|
Assignee | |
Comment 2•10 years ago
|
||
Out of bounds read at https://hg.mozilla.org/mozilla-central/file/c962bde5ac0b/content/media/webaudio/WaveShaperNode.cpp#l209 Allocated at https://hg.mozilla.org/mozilla-central/file/c962bde5ac0b/content/media/webaudio/WaveShaperNode.cpp#l315
|
|
Assignee | |
Comment 3•10 years ago
|
||
The error is due to float not having enough precision to clamp accurately to the buffer length. The length may be up to 2^31/4 = 2^27, while float has 24 bits of precision. There may therefore be up to about 4 elements of error in the clamp, which would be 16 bytes after the end of the array. The ASAN report says 24 bytes after the end of the array, so perhaps there's some situations where the rounding is not to nearest. Due to the lack of precision, I don't see any way to read more than 4 bytes a short distance before and 4 bytes a short distance after a large allocation.
|
|
Assignee | |
Comment 4•10 years ago
|
||
float did not necessarily have enough precision. Includes a -1 fix in the multiplier of the input signal to have "a signal level of zero corresponding to the center value of the curve array".
|
|
Assignee | |
Comment 5•10 years ago
|
||
Comment on attachment 8411588 [details] [diff] [review] use integers to clamp integer range in WaveShaper curve This isn't right when index is -ve and rounded up to 0.
Attachment #8411588 -
Flags: review?(ehsan)
|
|
Assignee | |
Comment 6•10 years ago
|
||
(In reply to Karl Tomlinson (:karlt, back May 5) from comment #3) > Due to the lack of precision, I don't see any way to read more than 4 bytes > a short distance before and 4 bytes a short distance after a large > allocation. Actually there's no precision error with zero, so no way to read before the allocation, only after.
|
|
Assignee | |
Comment 7•10 years ago
|
||
Attachment #8411588 -
Attachment is obsolete: true
Attachment #8411639 -
Flags: review?(ehsan)
|
||
Updated•10 years ago
|
Attachment #8411639 -
Flags: review?(ehsan) → review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/32d79829ef99
Flags: in-testsuite?
|
|
Assignee | |
Comment 9•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/32d79829ef99
Target Milestone: --- → mozilla32
|
|
Assignee | |
Updated•10 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
||
Updated•10 years ago
|
status-firefox-esr31:
--- → affected
tracking-firefox-esr31:
--- → -
|
||
Updated•10 years ago
|
|
|
Assignee | |
Comment 10•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9a8104912ebe
Group: core-security
Flags: in-testsuite? → in-testsuite+
|
||
Comment 11•9 years ago
|
||
Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/64f342488fbf
|
|
Assignee | |
Comment 12•9 years ago
|
||
The large memory allocations seem to have resulted in processes being killed on B2G emulator and Android. https://treeherder.mozilla.org/logviewer.html#?job_id=12231903&repo=mozilla-inbound 18:27:41 INFO - REFTEST TEST-LOAD | http://10.0.2.2:8888/tests/dom/media/test/crashtests/999376.html | 428 / 966 (44%) 18:27:41 INFO - Killed 18:27:41 WARNING - TEST-UNEXPECTED-FAIL | http://10.0.2.2:8888/tests/dom/media/test/crashtests/999376.html | application timed out after 330 seconds with no output https://treeherder.mozilla.org/logviewer.html#?job_id=12232873&repo=mozilla-inbound 18:44:46 INFO - REFTEST TEST-LOAD | http://10.0.2.2:8854/tests/dom/media/test/crashtests/999376.html | 428 / 1437 (29%) 18:44:56 INFO - INFO | automation.py | Application ran for: 0:10:29.449203 18:44:56 INFO - INFO | zombiecheck | Reading PID log: /tmp/tmpTSalYApidlog 18:44:57 INFO - /data/tombstones does not exist; tombstone check skipped 18:44:58 INFO - WARNING | leakcheck | refcount logging is off, so leaks can't be detected! 18:44:58 INFO - REFTEST INFO | runreftest.py | Running tests: end.
Flags: in-testsuite+ → in-testsuite-
|
|
||
Comment 13•9 years ago
|
||
(In reply to Karl Tomlinson (ni?:karlt) from comment #12) > The large memory allocations seem to have resulted in processes being killed > on B2G emulator and Android. Ugh. I thought we were pretty careful to allocate all large audio buffers fallibly... :(
You need to log in
before you can comment on or make changes to this bug.
Description
•