Closed
Bug 871577
Opened 12 years ago
Closed 11 years ago
Stack buffer overflow in mozilla::AudioChannelsDownMix(nsTArray<void const*> const&, float**, unsigned int, unsigned int)
Categories
(Core :: Web Audio, defect)
RESOLVED
DUPLICATE
of bug 875529
People
(Reporter: padenot, Assigned: padenot)
Details
(4 keywords, Whiteboard: [asan][asan-test-failure][blocking-webaudio-])
Attachments
(2 files)
STR:
- Do an ASAN build
- ./mach mochitest-plain content/media/webaudio/test_mixingRules.html
Expected:
- no crash
Actual result:
- ASAN says there is a stack buffer overflow and the test aborts. This happened during the teardown sequence, I guess; see the log.
Comment 1•12 years ago
Paul, can you please attach a human-readable version of this log? (See http://code.google.com/p/address-sanitizer/wiki/CallStack)
Flags: needinfo?(paul)
Comment 3•12 years ago
Taking per discussion with ehsan on IRC.
Assignee: nobody → paul
Status: NEW → ASSIGNED
Comment 4•12 years ago
I suspect looking at the arguments we pass to AudioChannelsDownMix should help you figure this out. IIRC I fixed one of these types of buffer overflows by adding this code which helped us properly take null input chunks into account: <http://hg.mozilla.org/mozilla-central/diff/d8b87a58ebf5/content/media/AudioNodeStream.cpp>
Comment 5•12 years ago
If the log matches the current line 185 in m-c, then the out-of-bounds read is of an array we're going to write into (depending on which array, either in that statement or the next one).
Updated•12 years ago
Whiteboard: [asan][asan-test-failure]
Comment 6•12 years ago
What builds have this code, and in which builds is it enabled? I'm sure we don't have to worry about ESR-17, but what about Fx 22?
status-firefox22: --- → ?
status-firefox23: --- → affected
status-firefox24: --- → affected
tracking-firefox23: --- → +
tracking-firefox24: --- → +
Comment 7•12 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> What builds have this code, and in which builds is it enabled? I'm sure we
> don't have to worry about ESR-17, but what about Fx 22?
22's version of this function is very different. Once we figure out what's happening it would be easier to judge whether the bug affects 22 or not. (Note that the test case in question doesn't exist on 22 and it's probably very hard to get it working there.)
Comment 10•11 years ago
So I wanted to retest this to see if it's still an issue, and before I got that I "found" bug 875529 and I fixed that, and now I see this was reported before. Duping towards the bug which has a patch.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: needinfo?(mwobensmith)
Flags: needinfo?(ehsan)
Resolution: --- → DUPLICATE
Comment 11•11 years ago
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Updated•11 years ago
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][blocking-webaudio-]
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release