Closed Bug 1762620 Opened 3 years ago Closed 3 years ago

heap-buffer-overflow in [@ mozilla::dumbUpDownMix]

Categories

(Core :: Audio/Video: Playback, defect)

Tracking


RESOLVED FIXED
101 Branch
Tracking Status
firefox-esr91 100+ fixed
firefox99 --- wontfix
firefox100 + fixed
firefox101 + fixed

People

(Reporter: tsmith, Assigned: padenot)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main100+r][adv-esr91.9+r])

Attachments

(3 files)

Attached file testcase.zip (deleted)

Found while fuzzing m-c 20220401-a9b419c8a9c8 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
==201800==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6080000706f4 at pc 0x7fcb906fd6fd bp 0x7fcaf225e690 sp 0x7fcaf225e688
WRITE of size 4 at 0x6080000706f4 thread T27 (MediaDe~hine #1)
    #0 0x7fcb906fd6fc in void mozilla::dumbUpDownMix<float>(float*, int, float const*, int, int) src/dom/media/AudioConverter.cpp:160:34
    #1 0x7fcb906f8abb in mozilla::AudioConverter::DownmixAudio(void*, void const*, unsigned long) const src/dom/media/AudioConverter.cpp:186:7
    #2 0x7fcb906f7322 in mozilla::AudioConverter::ProcessInternal(void*, void const*, unsigned long) src/dom/media/AudioConverter.cpp:79:12
    #3 0x7fcb90f066eb in mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> mozilla::AudioConverter::Process<(mozilla::AudioConfig::SampleFormat)6, float>(mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> const&) src/dom/media/AudioConverter.h:156:14
    #4 0x7fcb90ee202a in mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> mozilla::AudioConverter::Process<(mozilla::AudioConfig::SampleFormat)6, float>(mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float>&&) src/dom/media/AudioConverter.h:142:12
    #5 0x7fcb90edd9e9 in mozilla::AudioSink::NotifyAudioNeeded() src/dom/media/mediasink/AudioSink.cpp:416:23
    #6 0x7fcb90f04ac1 in operator() /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:404:7
    #7 0x7fcb90f04ac1 in std::enable_if<TakeArgs<mozilla::AbstractThread>::value, void>::type mozilla::detail::ListenerImpl<mozilla::AbstractThread, std::enable_if<TakeArgs<void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>::value, mozilla::MediaEventListener>::type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)1, RefPtr<mozilla::AudioData> >::ConnectInternal<mozilla::AbstractThread, mozilla::AudioSink, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>(mozilla::AbstractThread*, mozilla::AudioSink*, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&))::'lambda'(RefPtr<mozilla::AudioData>&&), RefPtr<mozilla::AudioData> >::ApplyWithArgsImpl<std::enable_if<TakeArgs<void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>::value, mozilla::MediaEventListener>::type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)1, RefPtr<mozilla::AudioData> >::ConnectInternal<mozilla::AbstractThread, mozilla::AudioSink, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>(mozilla::AbstractThread*, mozilla::AudioSink*, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&))::'lambda'(RefPtr<mozilla::AudioData>&&)>(mozilla::AbstractThread*, mozilla::AbstractThread const&, RefPtr<mozilla::AudioData>&&) /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:214:5
    #8 0x7fcb90f044ed in mozilla::detail::ListenerImpl<mozilla::AbstractThread, std::enable_if<TakeArgs<void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>::value, mozilla::MediaEventListener>::type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)1, RefPtr<mozilla::AudioData> >::ConnectInternal<mozilla::AbstractThread, mozilla::AudioSink, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>(mozilla::AbstractThread*, mozilla::AudioSink*, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&))::'lambda'(RefPtr<mozilla::AudioData>&&), RefPtr<mozilla::AudioData> >::ApplyWithArgs(RefPtr<mozilla::AudioData>&&) /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:236:5
    #9 0x7fcb909d52fe in applyImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData> &&), StoreCopyPassByRRef<RefPtr<mozilla::AudioData> > , 0UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #10 0x7fcb909d52fe in apply<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData> &&)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #11 0x7fcb909d52fe in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >*, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData>&&), true, (mozilla::RunnableKind)0, RefPtr<mozilla::AudioData>&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #12 0x7fcb8a9140fa in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:230:35
    #13 0x7fcb8a922565 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:196:20
    #14 0x7fcb8a94c4e1 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:310:14
    #15 0x7fcb8a93f3ab in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1181:16
    #16 0x7fcb8a948c7c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
    #17 0x7fcb8c04ca0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
    #18 0x7fcb8bec6e71 in RunInternal src/ipc/chromium/src/base/message_loop.cc:380:10
    #19 0x7fcb8bec6e71 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
    #20 0x7fcb8bec6e71 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #21 0x7fcb8a936fc9 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:385:10
    #22 0x7fcbad8ec02e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #23 0x7fcbafa09608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
    #24 0x7fcbaf5d0162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6080000706f6 is located 0 bytes to the right of 86-byte region [0x6080000706a0,0x6080000706f6)
allocated by thread T27 (MediaDe~hine #1) here:
    #0 0x556a8e960b3d in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x7fcb909667fa in operator new[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:47:10
    #2 0x7fcb909667fa in MakeUniqueFallible<unsigned char []> /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtrExtensions.h:42:23
    #3 0x7fcb909667fa in mozilla::AlignedBuffer<float, 32>::EnsureCapacity(unsigned long) src/dom/media/MediaData.h:218:22
    #4 0x7fcb90f06675 in SetLength src/dom/media/MediaData.h:116:31
    #5 0x7fcb90f06675 in mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> mozilla::AudioConverter::Process<(mozilla::AudioConfig::SampleFormat)6, float>(mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> const&) src/dom/media/AudioConverter.h:153:16
    #6 0x7fcb90ee202a in mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float> mozilla::AudioConverter::Process<(mozilla::AudioConfig::SampleFormat)6, float>(mozilla::AudioDataBuffer<(mozilla::AudioConfig::SampleFormat)6, float>&&) src/dom/media/AudioConverter.h:142:12
    #7 0x7fcb90edd9e9 in mozilla::AudioSink::NotifyAudioNeeded() src/dom/media/mediasink/AudioSink.cpp:416:23
    #8 0x7fcb90f04ac1 in operator() /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:404:7
    #9 0x7fcb90f04ac1 in std::enable_if<TakeArgs<mozilla::AbstractThread>::value, void>::type mozilla::detail::ListenerImpl<mozilla::AbstractThread, std::enable_if<TakeArgs<void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>::value, mozilla::MediaEventListener>::type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)1, RefPtr<mozilla::AudioData> >::ConnectInternal<mozilla::AbstractThread, mozilla::AudioSink, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>(mozilla::AbstractThread*, mozilla::AudioSink*, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&))::'lambda'(RefPtr<mozilla::AudioData>&&), RefPtr<mozilla::AudioData> >::ApplyWithArgsImpl<std::enable_if<TakeArgs<void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>::value, mozilla::MediaEventListener>::type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)1, RefPtr<mozilla::AudioData> >::ConnectInternal<mozilla::AbstractThread, mozilla::AudioSink, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>(mozilla::AbstractThread*, mozilla::AudioSink*, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&))::'lambda'(RefPtr<mozilla::AudioData>&&)>(mozilla::AbstractThread*, mozilla::AbstractThread const&, RefPtr<mozilla::AudioData>&&) /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:214:5
    #10 0x7fcb90f044ed in mozilla::detail::ListenerImpl<mozilla::AbstractThread, std::enable_if<TakeArgs<void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>::value, mozilla::MediaEventListener>::type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)1, RefPtr<mozilla::AudioData> >::ConnectInternal<mozilla::AbstractThread, mozilla::AudioSink, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&)>(mozilla::AbstractThread*, mozilla::AudioSink*, void (mozilla::AudioSink::*)(RefPtr<mozilla::AudioData> const&))::'lambda'(RefPtr<mozilla::AudioData>&&), RefPtr<mozilla::AudioData> >::ApplyWithArgs(RefPtr<mozilla::AudioData>&&) /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:236:5
    #11 0x7fcb909d52fe in applyImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData> &&), StoreCopyPassByRRef<RefPtr<mozilla::AudioData> > , 0UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #12 0x7fcb909d52fe in apply<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData> &&)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #13 0x7fcb909d52fe in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >*, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(RefPtr<mozilla::AudioData>&&), true, (mozilla::RunnableKind)0, RefPtr<mozilla::AudioData>&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #14 0x7fcb8a9140fa in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:230:35
    #15 0x7fcb8a922565 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:196:20
    #16 0x7fcb8a94c4e1 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:310:14
    #17 0x7fcb8a93f3ab in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1181:16
    #18 0x7fcb8a948c7c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
    #19 0x7fcb8c04ca0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
    #20 0x7fcb8bec6e71 in RunInternal src/ipc/chromium/src/base/message_loop.cc:380:10
    #21 0x7fcb8bec6e71 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
    #22 0x7fcb8bec6e71 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #23 0x7fcb8a936fc9 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:385:10
    #24 0x7fcbad8ec02e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #25 0x7fcbafa09608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8

Thread T27 (MediaDe~hine #1) created by T0 (Isolated Web Co) here:
    #0 0x556a8e94b23c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x7fcbad8dc0b4 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fcbad8cd35e in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fcb8a93a2e5 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:611:18
    #4 0x7fcb8a946a9f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:562:12
    #5 0x7fcb8a9524d1 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7fcb8a94b0d0 in NS_NewNamedThread src/xpcom/threads/nsThreadUtils.cpp:153:10
    #7 0x7fcb8a94b0d0 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:123:17
    #8 0x7fcb8a94d40b in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:362:5
    #9 0x7fcb8a9209f8 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) src/xpcom/threads/TaskQueue.cpp:69:26
    #10 0x7fcb8a956353 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:81:14
    #11 0x7fcb8a913a8a in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:278:20
    #12 0x7fcb8a912ed6 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:123:7
    #13 0x7fcb8a912ffd in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:110:25
    #14 0x7fcb8a90f56c in AfterProcessNextEvent src/xpcom/threads/AbstractThread.cpp:143:5
    #15 0x7fcb8a90f56c in non-virtual thunk to mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool) src/xpcom/threads/AbstractThread.cpp
    #16 0x7fcb8a93eed6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1211:3
    #17 0x7fcb8a948c7c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
    #18 0x7fcb8c04b35f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #19 0x7fcb8bec6e71 in RunInternal src/ipc/chromium/src/base/message_loop.cc:380:10
    #20 0x7fcb8bec6e71 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
    #21 0x7fcb8bec6e71 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #22 0x7fcb92d12ce7 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #23 0x7fcb97b3e93f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:870:20
    #24 0x7fcb8bec6e71 in RunInternal src/ipc/chromium/src/base/message_loop.cc:380:10
    #25 0x7fcb8bec6e71 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
    #26 0x7fcb8bec6e71 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #27 0x7fcb97b3db63 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:729:34
    #28 0x556a8e99547d in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #29 0x556a8e9958b0 in main src/browser/app/nsBrowserApp.cpp:327:18
    #30 0x7fcbaf4d50b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Hi Paul, is this something you could help take a look at?
Thanks.

Flags: needinfo?(padenot)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220401092803-a9b419c8a9c8.
Unable to bisect testcase (Testcase does not reproduce on end build!):

Start: 90e761348ff5a79c687d505d68445b7643f776d5 (20210403093157)
End: a9b419c8a9c8f73b7ae8f18ff13a92499b3a2fa4 (20220401092803)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

A Pernosco session is available here: https://pernos.co/debug/KKsffvWWEKRDRXaytOQLMQ/index.html

Keywords: sec-high

Heh, a 255 channels wav file.

Flags: needinfo?(padenot)
Assignee: nobody → padenot

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220401092803-a9b419c8a9c8) but not with tip (mozilla-central 20220408214449-0671f5ff7249.)
Unable to bisect testcase (Start build didn't crash!):

Start: a9b419c8a9c8f73b7ae8f18ff13a92499b3a2fa4 (20220401092803)
End: 0671f5ff7249d3d7c458a29a4099a093c01f0ac1 (20220408214449)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Comment on attachment 9272146 [details]
Bug 1762620 - Only pad audio buffers when doing up mixing. r?alwu

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: This is an arbitrary OOB write in a buffer that's not easily controlled by the attacker, and only zeros can be written, so quite hard.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Trivial, this patch applies cleanly on all branches.
  • How likely is this patch to cause regressions; how much testing does it need?: It has a test, the cause and the solution are very clear.
Attachment #9272146 - Flags: sec-approval?
Attachment #9272147 - Flags: sec-approval?
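
Added illustration, not part of the bug thread and not Mozilla's AudioConverter code: a bounds-checked interleaved channel mixer that counts the stores that would fall outside the output buffer, comparing zero-padding on every channel-count mismatch with padding only when up-mixing. `MixChannels`, `PadPolicy`, `MixResult` and the `Always` branch are hypothetical, an assumed shape of the flaw inferred only from the patch title and the "only zeros can be written" remark above; the input samples are constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical types and names for illustration only.
struct MixResult {
  std::vector<float> out;       // interleaved output, frames * outCh samples
  size_t rejectedWrites = 0;    // stores that would have landed past the end of `out`
  bool rejectedAllZero = true;  // true while every rejected store carried 0.0f
};

enum class PadPolicy { Always, UpMixOnly };

MixResult MixChannels(const std::vector<float>& in, int inCh, int outCh,
                      int frames, PadPolicy policy) {
  MixResult r;
  // Reject malformed requests before sizing anything from them.
  if (inCh <= 0 || outCh <= 0 || frames < 0 ||
      in.size() < static_cast<size_t>(frames) * static_cast<size_t>(inCh)) {
    return r;
  }
  r.out.assign(static_cast<size_t>(frames) * outCh, 0.0f);

  // Every store is range-checked; out-of-range stores are counted, not performed.
  auto store = [&r](size_t idx, float v) {
    if (idx < r.out.size()) { r.out[idx] = v; return; }
    ++r.rejectedWrites;
    if (v != 0.0f) r.rejectedAllZero = false;
  };

  const int common = std::min(inCh, outCh);
  int pad = 0;
  if (outCh > inCh) {
    pad = outCh - inCh;  // up-mix: zero the channels the input does not have
  } else if (policy == PadPolicy::Always) {
    pad = inCh - outCh;  // assumed flaw: padding kept while down-mixing
  }
  for (int i = 0; i < frames; ++i) {
    const size_t o = static_cast<size_t>(i) * outCh;
    const size_t s = static_cast<size_t>(i) * inCh;
    for (int j = 0; j < common; ++j) store(o + j, in[s + j]);
    for (int j = 0; j < pad; ++j) store(o + common + j, 0.0f);
  }
  return r;
}

// Constructed sample input: sample k holds the value k + 1.
std::vector<float> MakeConstructedInput(int channels, int frames) {
  std::vector<float> v(static_cast<size_t>(channels) * frames);
  for (size_t k = 0; k < v.size(); ++k) v[k] = static_cast<float>(k + 1);
  return v;
}

int main() {
  const std::vector<float> in = MakeConstructedInput(255, 4);  // 255 channels, as in the testcase
  const MixResult a = MixChannels(in, 255, 2, 4, PadPolicy::Always);
  const MixResult b = MixChannels(in, 255, 2, 4, PadPolicy::UpMixOnly);
  std::printf("pad always:       %zu out-of-range stores\n", a.rejectedWrites);
  std::printf("pad on up-mix:    %zu out-of-range stores\n", b.rejectedWrites);
  return 0;
}
```

Building a mixer like this with `-fsanitize=address` and feeding it extreme channel counts is the same kind of check that surfaced the report above.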

Comment on attachment 9272146 [details]
Bug 1762620 - Only pad audio buffers when doing up mixing. r?alwu

Approved to land and uplift

Attachment #9272146 - Flags: sec-approval? → sec-approval+

Comment on attachment 9272147 [details]
Bug 1762620 - Add a test with a wav file that has 255 audio channels. r?alwu

Clearing sec-approval, test approved to land on or after May 13th

Attachment #9272147 - Flags: sec-approval?

Comment on attachment 9272146 [details]
Bug 1762620 - Only pad audio buffers when doing up mixing. r?alwu

Beta/Release Uplift Approval Request

  • User impact if declined: Crash that is trivial to trigger (just load a media file, no interaction needed). Hard to exploit.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial fix, well tested.
  • String changes made/needed: None
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is sec-high.
  • User impact if declined: Crash that is trivial to trigger (just load a media file, no interaction needed). Hard to exploit.
  • Fix Landed on Version: 101
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial fix, well tested.
Attachment #9272146 - Flags: approval-mozilla-esr91?
Attachment #9272146 - Flags: approval-mozilla-beta?
Attachment #9272147 - Flags: approval-mozilla-esr91?

Comment on attachment 9272146 [details]
Bug 1762620 - Only pad audio buffers when doing up mixing. r?alwu

Approved for 100.0rc1

Attachment #9272146 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch
Attachment #9272147 - Flags: approval-mozilla-esr91?

Comment on attachment 9272146 [details]
Bug 1762620 - Only pad audio buffers when doing up mixing. r?alwu

Approved for 91.9esr

Attachment #9272146 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main100+r][adv-esr91.9+r]
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Flags: in-testsuite? → in-testsuite+

:padenot, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(padenot)
Flags: needinfo?(padenot)
Regressed by: 1444479
Group: core-security-release