Closed Bug 881775 Opened 11 years ago Closed 11 years ago

WebAudio Assertion failure: i < Length() (invalid array index) and crash [@mozilla::DownmixAndInterleave]

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox23 --- disabled
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(4 keywords, Whiteboard: [adv-main24-])

Attachments

(4 files, 1 obsolete file)

callstack
(deleted), text/plain
Details
callstack-debug-build
(deleted), text/plain
Details
testcase
(deleted), text/html
Details
Patch (v1)
(deleted), patch
roc
: review+
Details | Diff | Splinter Review
Attached file testcase (obsolete) (deleted) —
./content/media/AudioSegment.cpp for (uint32_t i = 0; i < aChannelData.Length(); ++i) { channelData[i] = aChannelData[i]; } Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/86413e921d5d
Group: core-security
Keywords: assertioncsec-bounds, sec-critical
Attached file callstack (deleted) —
Attached file callstack-debug-build (deleted) —
This code was added in bug 842243, so this has nothing to do with Web Audio.
Blocks: 842243
Component: Web Audio → Video/Audio
Assignee: nobody → slin
No longer blocks: webaudio
Hmm, looking at the code, here <https://hg.mozilla.org/mozilla-central/rev/e59ac8e0e410#l1.52> channelData's size will be 0 as far as I can tell, so if we ever get into this loop then we're going to access the array out of bounds, unless I'm missing something.
Attached file testcase (deleted) —
reduced testcase
Attachment #760990 - Attachment is obsolete: true
Attached patch Patch (v1) (deleted) — Splinter Review
The check before calling AudioChannelsDownMix is necessary because that function asserts if it finds out that it doesn't need to do any work.
Assignee: slin → ehsan
Status: NEW → ASSIGNED
Attachment #761173 - Flags: review?(roc)
https://hg.mozilla.org/mozilla-central/rev/66d987002b36
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox24: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Whiteboard: [adv-main24-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: