Closed Bug 880404 Opened 11 years ago Closed 11 years ago

WebAudio heap-buffer-overflow crash [@mozilla::AudioBlockInPlaceScale]

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla24

Tracking Flags:

Tracking

Status

firefox23

---

unaffected

firefox24

fixed

firefox-esr17

---

unaffected

b2g18

---

unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [adv-main24-])

Attachments

(2 files, 1 obsolete file)

testcase 11 years ago Christoph Diehl [:posidron] (deleted), text/html		Details
callstack 11 years ago Christoph Diehl [:posidron] (deleted), text/plain		Details
callstack 11 years ago Christoph Diehl [:posidron] (deleted), text/plain		Details

Christoph Diehl [:posidron]

Reporter

Description

•

11 years ago

Attached file testcase (deleted) — Details

./content/media/AudioNodeEngine.cpp:117 void AudioBlockInPlaceScale(float aBlock[WEBAUDIO_BLOCK_SIZE], uint32_t aChannelCount, float aScale) { if (aScale == 1.0f) { return; } for (uint32_t i = 0; i < WEBAUDIO_BLOCK_SIZE * aChannelCount; ++i) { * *aBlock++ *= aScale; } } Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/2551c645b782 + ehsan's patch for the Convolver node.

Christoph Diehl [:posidron]

Reporter

Comment 1

•

11 years ago

Attached file callstack (obsolete) (deleted) — Details

Christoph Diehl [:posidron]

Reporter

Comment 2

•

11 years ago

Attached file callstack (deleted) — Details

Attachment #759354 - Attachment is obsolete: true

Al Billings [:abillings - ex-MoCo]

Comment 3

•

11 years ago

Does this affect Aurora? This is disabled in Beta, right?

status-firefox24: --- → affected

tracking-firefox24: --- → +

(no longer active)

Assignee

Comment 4

•

11 years ago

Can you please test without my patch as well?

Flags: needinfo?(cdiehl)

(no longer active)

Assignee

Comment 5

•

11 years ago

(In reply to Al Billings [:abillings] from comment #3) > Does this affect Aurora? This is disabled in Beta, right? This is with the patch to bug 815643 which has not landed yet...

(no longer active)

Assignee

Updated

•

11 years ago

Flags: needinfo?(cdiehl)

(no longer active)

Assignee

Comment 6

•

11 years ago

Fixed locally and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/c18dc1499470

Christoph Diehl [:posidron]

Reporter

Comment 7

•

11 years ago

Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5730140 and the testcase is not reproducible anymore. Fixed.

Assignee: nobody → ehsan

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Ryan VanderMeulen [:RyanVM]

Comment 8

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/c18dc1499470

status-firefox24: affected → fixed

Flags: in-testsuite+

Target Milestone: --- → mozilla24

Al Billings [:abillings - ex-MoCo]

Updated

•

11 years ago

status-firefox23: --- → unaffected

status-firefox-esr17: --- → unaffected

Al Billings [:abillings - ex-MoCo]

Updated

•

11 years ago

Whiteboard: [adv-main24-]

Daniel Veditz [:dveditz]

Updated

•

11 years ago

status-b2g18: --- → unaffected

Daniel Veditz [:dveditz]

Updated

•

11 years ago

Group: core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

WebAudio heap-buffer-overflow crash [@mozilla::AudioBlockInPlaceScale]

Categories

(Core :: Web Audio, defect)

Tracking

()

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [adv-main24-])

Crash Data

Security

(public)

User Story

Attachments

(2 files, 1 obsolete file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Updated

Comment 6

Comment 7

Comment 8

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type