Closed Bug 876338 Opened 11 years ago Closed 11 years ago

WebAudio heap-buffer-overflow crash [@mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer]

Categories

(Core :: Web Audio, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 876252

People

(Reporter: posidron, Unassigned)

References

Details

(4 keywords, Whiteboard: [blocking-webaudio-])

Attachments

(3 files, 2 obsolete files)

Attached file testcase (obsolete) (deleted) —
./content/media/webaudio/AudioBufferSourceNode.cpp:174

void CopyFromInputBuffer(AudioChunk* aOutput,
                         uint32_t aChannels,
                         uintptr_t aSourceOffset,
                         uintptr_t aBufferOffset,
                         uint32_t aNumberOfFrames)
{
  for (uint32_t i = 0; i < aChannels; ++i) {
    float* baseChannelData = static_cast<float*>(const_cast<void*>(aOutput->mChannelData[i]));
    memcpy(baseChannelData + aBufferOffset,
           mBuffer->GetData(i) + aSourceOffset,
           aNumberOfFrames * sizeof(float));
  }
}

Tested with m-i changeset: 132982:ce25da24ba1c
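The memcpy above trusts that aSourceOffset + aNumberOfFrames lies inside the source channel and that aBufferOffset + aNumberOfFrames lies inside the output channel; neither is checked at the copy site, which is what an ASan heap-buffer-overflow at this line indicates. The following is an added illustration, not Mozilla's code and not the fix applied for the duplicate bug: it assumes a hypothetical InputChannel struct that carries the channel length alongside the sample pointer, and clamps the copy to what both buffers can actually hold, returning the number of frames copied so the caller can notice a short copy.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <vector>

// Hypothetical stand-in for one channel of the shared input buffer:
// the sample pointer plus its length, so the copy can be bounds-checked.
// (Assumption for this example; not the real ThreadSharedFloatArrayBufferList API.)
struct InputChannel {
  const float* data;
  size_t length;  // number of float samples reachable through data
};

// Bounds-checked variant of the per-channel copy. Returns the number of
// frames actually copied: equal to numberOfFrames when the request fits,
// smaller when the source or destination range would run past its end,
// and 0 when either offset is already beyond its buffer.
size_t CopyFromInputBufferChecked(float* out, size_t outLength, size_t outOffset,
                                  const InputChannel& in, size_t srcOffset,
                                  size_t numberOfFrames) {
  // Offsets past the end mean there is nothing valid to copy from or into.
  if (srcOffset > in.length || outOffset > outLength) {
    return 0;
  }
  // Frames available on each side; the copy is limited by the smaller one.
  size_t available = std::min(in.length - srcOffset, outLength - outOffset);
  size_t n = std::min(numberOfFrames, available);
  if (n > 0) {
    memcpy(out + outOffset, in.data + srcOffset, n * sizeof(float));
  }
  return n;
}

// Constructed sample data: an 8-sample source channel copied into a
// 16-sample output channel at several offsets, including ones that
// would have overrun the unchecked version.
int main() {
  std::vector<float> src(8, 1.0f);
  std::vector<float> dst(16, 0.0f);
  InputChannel ch{src.data(), src.size()};
  CopyFromInputBufferChecked(dst.data(), dst.size(), 0, ch, 0, 8);   // full copy
  CopyFromInputBufferChecked(dst.data(), dst.size(), 0, ch, 6, 8);   // clamped to 2
  CopyFromInputBufferChecked(dst.data(), dst.size(), 14, ch, 0, 8);  // clamped to 2
  return 0;
}
```

A caller that gets back fewer frames than it asked for can zero-fill the remainder of the output chunk instead of reading past the source; the point of the return value is that a short copy is visible rather than silently becoming an out-of-bounds read.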
Attached file callstack (deleted) —
Keywords: testcase
Attached file testcase-use-after-free (obsolete) (deleted) —
Testcase with a delayed call to stop(). This variation of the testcase lets FF crash with a use-after-free.
Attached file testcase (deleted) —
Attachment #754342 - Attachment is obsolete: true
Attached file testcase-use-after-free (deleted) —
Attachment #754351 - Attachment is obsolete: true
Dupe of bug 876252.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [blocking-webaudio-]
Group: core-security → core-security-release
Group: core-security-release