Closed
Bug 880724
Opened 11 years ago
Closed 11 years ago
WebAudio heap-buffer-overflow crash [@mozilla::PodAssign<float>]
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
| Tracking | Status | |
|---|---|---|
| firefox22 | --- | disabled |
| firefox23 | --- | disabled |
| firefox24 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: ehsan.akhgari)
References
Details
(Keywords: crash, csectype-bounds, sec-critical, Whiteboard: [adv-main24-])
Attachments
(2 files)
Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/c18dc1499470 and Ehsan's patch for the Convolver node which is available here https://gist.github.com/ehsan/5730140
NOTE: The stack is similar to bug 880384 but Ehsan fixed this bug locally and updated his Convolver node patch; the testcase in that bug is also not working anymore.
|
Reporter | |
Comment 1•11 years ago
|
||
|
Assignee | |
Comment 2•11 years ago
|
||
Fixed locally and landed the test case: https://hg.mozilla.org/integration/mozilla-inbound/rev/050f5a9a15b5
Assignee: nobody → ehsan
|
|
Reporter | |
Comment 3•11 years ago
|
||
Tested it again with Ehsan's updated patch https://gist.github.com/ehsan/5731909 and the testcase is not reproducible anymore. Fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/050f5a9a15b5
(In reply to Christoph Diehl [:cdiehl] from comment #3)
> Tested it again with Ehsan's updated patch
> https://gist.github.com/ehsan/5731909 and the testcase is not reproducible
> anymore. Fixed.
No harm done, but we normally leave bugs open until they merge into mozilla-central :-)
status-firefox24:
--- → fixed
Target Milestone: --- → mozilla24
|
||
Comment 5•11 years ago
|
||
Ed, this bug is about preemptive fuzzing on a patch that is not even finished nor pushed to even mozilla-inbound, so I think this is the right thing to do.
|
||
Comment 6•11 years ago
|
||
How far back does this bug go? Was it trunk only? I know Web Audio is disabled on 22 and 23 (as I recall) but were they affected as well?
|
|
||
Updated•11 years ago
|
status-firefox-esr17:
--- → unaffected
|
|
Reporter | |
Comment 7•11 years ago
|
||
|
||
Comment 8•11 years ago
|
||
Test disabled on B2G due to frequent timeouts.
https://hg.mozilla.org/integration/mozilla-inbound/rev/9df04b16a655
|
|
||
Updated•11 years ago
|
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•