Bug 874952 (Closed)
Opened 12 years ago
Closed 12 years ago
Heap-buffer-overflow in nsTArray_Impl<mozilla::AudioChunk, nsTArrayInfallibleAllocator>::ElementAt
Categories: Core :: Web Audio, defect
Status: VERIFIED FIXED
Target Milestone: mozilla24
Version | Tracking | Status |
---|---|---|
firefox21 | --- | unaffected |
firefox22 | - | disabled |
firefox23 | - | disabled |
firefox24 | + | verified |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People: Reporter: attekett; Assigned: ehsan.akhgari
Details: 4 keywords; Whiteboard: [asan][adv-main24-]
Attachments (2 files, 1 obsolete file):

Attachment | Type | Review |
---|---|---|
(deleted) | text/html | |
(deleted) | patch | roc: review+ |
Tested on:
OS: Ubuntu 12.04
Firefox:
ASAN dbg-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1369232390/
ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/
ASAN report (opt build):
==3461== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f63fc68da08 at pc 0x7f64274fc436 bp 0x7f63fc4a13f0 sp 0x7f63fc4a13e8
READ of size 8 at 0x7f63fc68da08 thread T22
#0 0x7f64274fc435 in nsRefPtr<mozilla::ThreadSharedObject>::get() const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsAutoPtr.h:1009
#1 0x7f64274fcfe5 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:407
#2 0x7f642756ac83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937
#3 0x7f642757ce05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163
#4 0x7f6429c0e212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
#5 0x7f6429cd619c in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/xpcom/threads/nsThread.cpp:265
...
ASAN report (debug build):
Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:725
ASAN:SIGSEGV
=================================================================
==3301== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02f14583bd sp 0x7f02c63f2ef0 bp 0x7f02c63f2f10 T24)
AddressSanitizer can not provide additional info.
#0 0x7f02f14583bc in nsTArray_Impl<mozilla::AudioChunk, nsTArrayInfallibleAllocator>::ElementAt(unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/nsTArray.h:725
#1 0x7f02f1454ea1 in mozilla::AudioNodeStream::ObtainInputBlock(mozilla::AudioChunk&, unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:279
#2 0x7f02f14560b6 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:407
#3 0x7f02f14bcc52 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:937
#4 0x7f02f14bd5b2 in mozilla::MediaStreamGraphImpl::RunThread() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1017
#5 0x7f02f14cbdd8 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1163
...
Updated • 12 years ago
Updated • 12 years ago (Assignee)
Attachment #752819 - Attachment mime type: text/plain → text/html
Comment 1 • 12 years ago (Assignee)
Comment on attachment 752950 [details] [diff] [review]
Patch (v1)
Review of attachment 752950 [details] [diff] [review]:
-----------------------------------------------------------------
::: content/media/test/crashtests/874952.html
@@ +1,1 @@
> +874952.html
\ No newline at end of file
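Review bot: the sole line of content/media/test/crashtests/874952.html in this hunk is the literal string `874952.html` (with no trailing newline), so the file is not an HTML document and cannot exercise the Web Audio code path this bug is about; the crashtest should contain the actual test case markup and end with a newline.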
Er, what???
Comment 3 • 12 years ago (Assignee)
Sorry, copy/paste fail.
Attachment #752950 - Attachment is obsolete: true
Attachment #752950 - Flags: review?(roc)
Attachment #753312 - Flags: review?(roc)
Comment 4 • 12 years ago
Triaging with Ehsan. Affects 23+
status-firefox21: --- → unaffected
status-firefox22: --- → unaffected
status-firefox23: --- → affected
status-firefox24: --- → affected
tracking-firefox23: --- → ?
tracking-firefox24: --- → ?
Flags: needinfo?(mwobensmith)
Comment 5 • 12 years ago
I think the needinfo for me concerned whether it repros on 21/22, which David has marked unaffected. If there is still something for me to do, just let me know.
Flags: needinfo?(mwobensmith)
Updated • 12 years ago
Attachment #753312 - Flags: review?(roc) → review+
Comment 6 • 12 years ago (Assignee)
Comment 7 • 12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Updated • 11 years ago
Flags: sec-bounty?
Comment 8 • 11 years ago
We need to know how/if this affects 22 and 23. I assume 21 is unaffected. The flags say that 23 *is* affected.
In general, security bugs should get approval when they affect anything other than trunk before they go in.
https://wiki.mozilla.org/Security/Bug_Approval_Process
tracking-firefox22: --- → ?
Flags: sec-bounty? → sec-bounty+
Updated • 11 years ago
Whiteboard: [asan]
Comment 9 • 11 years ago (Assignee)
(In reply to Al Billings [:abillings] from comment #9)
> In general, security bugs should get approval when they affect anything
> other than trunk before they go in.
>
> https://wiki.mozilla.org/Security/Bug_Approval_Process
I thought that only applies to bugs which affect Release?
Comment 10 • 11 years ago
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #10)
>
> > https://wiki.mozilla.org/Security/Bug_Approval_Process
>
> I thought that only applies to bugs which affect Release?
No, only if the bug *only* affects trunk (quoting the above doc):
'This means that the developer can mark the status flags for ESR, Beta, and Aurora as "unaffected." It also means that we haven't shipped anywhere public in an official release yet.'
The exception is if the bug is sec-low, sec-moderate, sec-other, or sec-want rating. All sec-high or sec-critical bugs otherwise need approval if they aren't trunk only.
Updated • 11 years ago
Comment 11 • 11 years ago
Comment 12 • 11 years ago
I *believe* it is disabled in 22 and currently enabled in 23 but scheduled to be disabled in 23 as well.
Comment 13 • 11 years ago (Assignee)
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Comment 14 • 11 years ago (Assignee)
(In reply to Al Billings [:abillings] from comment #13)
> I *believe* it is disabled in 22 and currently enabled in 23 but scheduled
> to be disabled in 23 as well.
That is correct.
Updated • 11 years ago
status-firefox-esr17: --- → unaffected
Comment 15 • 11 years ago
No longer tracking for FF23
Updated • 11 years ago
Attachment #757694 - Attachment description: Bounty Awarded $3000 → Bounty Awarded $3000 [paid] 6/6/13
Updated • 11 years ago
Whiteboard: [asan] → [asan][adv-main24-]
Updated • 11 years ago
status-b2g18: --- → unaffected
Comment 16 • 11 years ago
Confirmed crash in FF24 ASan build from 2013-05-22.
Verified no crash in FF24 ASan build from 2013-09-16.
Status: RESOLVED → VERIFIED
Updated • 11 years ago
Group: core-security