Closed Bug 877125 Opened 12 years ago Closed 12 years ago

Heap-buffer-overflow in mozilla::dom::OfflineDestinationNodeEngine::ProduceAudioBlock

Categories

(Core :: Web Audio, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24
Tracking Status
firefox21 --- unaffected
firefox22 --- disabled
firefox23 + disabled
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: attekett, Assigned: ehsan.akhgari)

Details

(5 keywords, Whiteboard: [asan][adv-main24-])

Attachments

(2 files)

Attached file Repro-file
Tested on:
OS: Ubuntu 12.04
Firefox:
ASAN opt-build https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369790612/
ASAN debug-build https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1369811142/

ASAN-report: (opt-build)
==31180== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f5b0d2405d0 at pc 0x7f5b27169492 bp 0x7f5b017a1330 sp 0x7f5b017a1328
READ of size 8 at 0x7f5b0d2405d0 thread T67
    #0 0x7f5b27169491 in mozilla::dom::OfflineDestinationNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/webaudio/AudioDestinationNode.cpp:67
0x7f5b0d2405d0 is located 0 bytes to the right of 16-byte region [0x7f5b0d2405c0,0x7f5b0d2405d0)
allocated by thread T67 here:
    #0 0x441520 in __interceptor_malloc ??:0
    #1 0x7f5b2e38d3a8 in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/memory/mozalloc/mozalloc.cpp:54
    . . .

ASAN-report: (debug-build)
Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:734
ASAN:SIGSEGV
=================================================================
==31638== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe6a24dec7e sp 0x7fe673fe7d40 bp 0x7fe673fe7d50 T26)
AddressSanitizer can not provide additional info.
    #0 0x7fe6a24dec7d in nsTArray_Impl<void const*, nsTArrayInfallibleAllocator>::ElementAt(unsigned int) const /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/nsTArray.h:734
    #1 0x7fe6a256f05d in mozilla::dom::OfflineDestinationNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/webaudio/AudioDestinationNode.cpp:67
    #2 0x7fe6a24da4c8 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:425
    #3 0x7fe6a2541222 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, int, long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:937
    #4 0x7fe6a2541c6a in mozilla::MediaStreamGraphImpl::RunThread() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1038
    #5 0x7fe6a2550748 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1184
    . . .
This is not reproducible anymore. Tested with m-i changeset: 133183:1c67a51e0fe5
Oh, pardon. This one is still reproducible with m-i changeset: 133183:1c67a51e0fe5
Blocks: webaudio
Severity: normal → critical
Keywords: crash, testcase
OS: Linux → All
Could you look at this, Ehsan? Thanks.
Assignee: nobody → ehsan
Attachment #755290 - Attachment mime type: text/plain → text/html
Attached patch Patch (v1)
I don't think there is any point in checking the testcase itself in.
Attachment #755546 - Flags: review?(roc)
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Did this bug have any security impact?
(In reply to Atte Kettunen from comment #7)
> Did this bug have any security impact?

Yes it did - I only forgot to set the necessary keywords here. Give it a day or two so that the right people can look into it. ;-)
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Flags: sec-bounty?
(In reply to Christoph Diehl [:cdiehl] from comment #8)
> (In reply to Atte Kettunen from comment #7)
> > Did this bug have any security impact?
>
> Yes it did - I only forgot to set the necessary keywords here. Give it a day
> or two so that the right people can look into it. ;-)

Not much to do other than maybe port to Aurora. It is fixed on trunk.
Flags: sec-bounty? → sec-bounty+
Please nominate for uplift to aurora.
Christoph, can you please check whether the bug is reproducible on Aurora?
Flags: needinfo?(cdiehl)
Yes, will do.
Flags: needinfo?(cdiehl)
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #13)
> Christoph, can you please check whether the bug is reproducible on Aurora?

I couldn't reproduce it against http://hg.mozilla.org/releases/mozilla-aurora/rev/7c1737dc2232
Thanks!
Whiteboard: [asan] → [asan][adv-main24-]
Group: core-security