Closed
Bug 876118
Opened 11 years ago
Closed 11 years ago
Heap-buffer-overflow WRITE in mozilla::AudioNodeStream::ObtainInputBlock
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | --- | disabled |
| firefox23 | --- | disabled |
| firefox24 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: attekett, Assigned: ehsan.akhgari)
References
Details
(4 keywords, Whiteboard: [asan][adv-main24-])
Attachments
(2 files, 1 obsolete file)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369426802/
ASAN-report:
==27367== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd8b7696050 at pc 0x7fd8df363567 bp 0x7fd8b926d3f0 sp 0x7fd8b926d3e8
WRITE of size 1 at 0x7fd8b7696050 thread T25
#0 0x7fd8df363566 in mozilla::AudioNodeStream::ObtainInputBlock(mozilla::AudioChunk&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/AudioNodeStream.cpp:374
#1 0x7fd8df363d45 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/AudioNodeStream.cpp:415
#2 0x7fd8df3d1a53 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/MediaStreamGraph.cpp:937
#3 0x7fd8df3e3bd5 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/MediaStreamGraph.cpp:1163
.
.
.
|
||
Updated•11 years ago
|
OS: Linux → All
|
|
||
Comment 1•11 years ago
|
||
If channelCount is 4294967295 we are crashing with an OOM error but if channelCount is 519910189000000 we are crashing with a heap-buffer-overflow. The WebAudio spec says channelCount is of type unsigned long.
|
|
||
Updated•11 years ago
|
Keywords: csec-bounds
|
Assignee | |
Updated•11 years ago
|
Attachment #754097 -
Attachment mime type: text/plain → text/html
|
|
Assignee | |
Comment 2•11 years ago
|
||
(In reply to Christoph Diehl [:cdiehl] from comment #1)
> If channelCount is 4294967295 we are crashing with an OOM error but if
> channelCount is 519910189000000 we are crashing with a heap-buffer-overflow.
> The WebAudio spec says channelCount is of type unsigned long.
So this value is not [Clamp] or [EnforceRange], which means that a large value is converted down to a uint32_t using the modulo operation (returning 102851904 here), which is probably not what we want... I need to raise this issue on the public-audio list, but we have a bug here no matter how we handle this.
|
|
Assignee | |
Comment 3•11 years ago
|
||
The bug here is caused because 102851904*sizeof(float)*WEBAUDIO_BLOCK_SIZE is more than what fits in a 32-bit integer, so we overflow and allocate a buffer too small in AllocateAudioBlock.
I think we should just limit the channel count uniformly everywhere.
|
|
Assignee | |
Comment 4•11 years ago
|
||
|
|
Assignee | |
Comment 6•11 years ago
|
||
With the test case from bug 876207.
Attachment #754844 -
Attachment is obsolete: true
Attachment #754844 -
Flags: review?(roc)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #754851 -
Flags: review?(roc)
|
||
Updated•11 years ago
|
Flags: sec-bounty?
Attachment #754851 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 7•11 years ago
|
||
|
||
Comment 8•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox24:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
|
||
Comment 9•11 years ago
|
||
Does this affect branches other than trunk or this this disabled on 22 and 23 and not out on 21?
status-firefox21:
--- → ?
status-firefox22:
--- → ?
status-firefox23:
--- → ?
Flags: sec-bounty? → sec-bounty+
Whiteboard: [asan]
|
|
Assignee | |
Comment 10•11 years ago
|
||
(In reply to Al Billings [:abillings] from comment #10)
> Does this affect branches other than trunk or this this disabled on 22 and
> 23 and not out on 21?
Like all Web Audio bugs, it affects trunk, and 23, until 23 goes to beta.
|
|
||
Updated•11 years ago
|
|
|
Assignee | |
Comment 11•11 years ago
|
||
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
|
|
||
Updated•11 years ago
|
status-firefox-esr17:
--- → unaffected
|
||
Updated•11 years ago
|
Attachment #757686 -
Attachment description: Bounty Awarded $3000 → Bounty Awarded $3000 [paid] 6/12/13
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Whiteboard: [asan] → [asan][adv-main24-]
|
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•