Bug 169956

Summary: [Crash] WebCore::AudioBuffer::AudioBuffer doesn't check illegal values
Product: WebKit Reporter: buch0 <buchob7>
Component: Web Audio
Assignee: Eric Carlson <eric.carlson>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, buildbot, commit-queue, eric.carlson, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

buch0
Reported 2017-03-22 08:03:11 PDT
CODE:

    <script> var context = new webkitAudioContext().createBuffer(2, -1, 44100); </script>

so I don't know which component to select... maybe it doesn't check the second argument value and doesn't check for a failed allocation.

LLDB LOG:

    * thread #1: tid = 0x26f30, 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18)
        frame #0: 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8
    JavaScriptCore`JSC::ArrayBufferView::setNeuterable:
    ->  0x7fff7964ac08 <+8>:  movl   0x18(%rdi), %ecx
        0x7fff7964ac0b <+11>: movl   %ecx, %edx
        0x7fff7964ac0d <+13>: shrl   $0x1f, %edx
        0x7fff7964ac10 <+16>: cmpl   %edx, %eax
    (lldb) reg re
    General Purpose Registers:
           rax = 0x0000000000000000
           rbx = 0x0000000000000002
           rcx = 0x0000000000000000
           rdx = 0x00000000fffffffc
           rdi = 0x0000000000000000
           rsi = 0x0000000000000000
           rbp = 0x00007fff5e8ead40
           rsp = 0x00007fff5e8ead40
            r8 = 0x00007fff5e8eae2c
            r9 = 0x0000000105b9eda0
           r10 = 0x0000000104f78ce0
           r11 = 0x00000001057f57d0
           r12 = 0x00007fff5e8ead58
           r13 = 0x000000000000000a
           r14 = 0x0000000104e7cd80
           r15 = 0x0000000104e7cda0
           rip = 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8
        rflags = 0x0000000000010246
            cs = 0x000000000000002b
            fs = 0x0000000000000000
            gs = 0x0000000000000000
    (lldb) bt
    * thread #1: tid = 0x26f30, 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18)
      * frame #0: 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8
        frame #1: 0x00007fff7e228907 WebCore`WebCore::AudioBuffer::AudioBuffer(unsigned int, unsigned long, float) + 151
        frame #2: 0x00007fff7e2286fe WebCore`WebCore::AudioBuffer::create(unsigned int, unsigned long, float) + 94
        frame #3: 0x00007fff7e22f4cf WebCore`WebCore::AudioContext::createBuffer(unsigned int, unsigned long, float, int&) + 31
        frame #4: 0x00007fff7e6f10ee WebCore`WebCore::jsAudioContextPrototypeFunctionCreateBuffer(JSC::ExecState*) + 1102
        frame #5: 0x000050543c201028
        frame #6: 0x00007fff79bf2595 JavaScriptCore`llint_entry + 24967
        frame #7: 0x00007fff79bec22b JavaScriptCore`vmEntryToJavaScript + 299
        frame #8: 0x00007fff79ab1e0e JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
        frame #9: 0x00007fff793cfdac JavaScriptCore`JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 16380
        frame #10: 0x00007fff7975fcb5 JavaScriptCore`JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469
        frame #11: 0x00007fff7ece7f4e WebCore`WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 302
        frame #12: 0x00007fff7dfc0d23 WebCore`WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 563
        frame #13: 0x00007fff7dfbfd4a WebCore`WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1066
        frame #14: 0x00007fff7dfbf442 WebCore`WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 338
        frame #15: 0x00007fff7dfbf280 WebCore`WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48
        frame #16: 0x00007fff7dfbf196 WebCore`WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 86
        frame #17: 0x00007fff7e59fc7d WebCore`WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 669
        frame #18: 0x00007fff7df57293 WebCore`WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115
        frame #19: 0x00007fff7e59ffb0 WebCore`WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) + 480
        frame #20: 0x00007fff7e3a5edc WebCore`WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) + 92
        frame #21: 0x00007fff7df55f4b WebCore`WebCore::DocumentWriter::end() + 43
        frame #22: 0x00007fff7df4824c WebCore`WebCore::DocumentLoader::finishedLoading(double) + 268
        frame #23: 0x00007fff7dfd5c5e WebCore`WebCore::CachedResource::checkNotify() + 158
        frame #24: 0x00007fff7e279801 WebCore`WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 225
        frame #25: 0x00007fff7dfd5a22 WebCore`WebCore::SubresourceLoader::didFinishLoading(double) + 1218
        frame #26: 0x00007fff7f2e7507 WebKit`WebKit::WebResourceLoader::didFinishResourceLoad(double) + 159
        frame #27: 0x00007fff7f52519a WebKit`WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 362
        frame #28: 0x00007fff7f365f39 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 119
        frame #29: 0x00007fff7f3688e6 WebKit`IPC::Connection::dispatchOneMessage() + 126
        frame #30: 0x00007fff79dad439 JavaScriptCore`WTF::RunLoop::performWork() + 169
        frame #31: 0x00007fff79dad652 JavaScriptCore`WTF::RunLoop::performWork(void*) + 34
        frame #32: 0x00007fff76f5b981 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
        frame #33: 0x00007fff76f3ca7d CoreFoundation`__CFRunLoopDoSources0 + 557
        frame #34: 0x00007fff76f3bf76 CoreFoundation`__CFRunLoopRun + 934
        frame #35: 0x00007fff76f3b974 CoreFoundation`CFRunLoopRunSpecific + 420
        frame #36: 0x00007fff764c7a5c HIToolbox`RunCurrentEventLoopInMode + 240
        frame #37: 0x00007fff764c7891 HIToolbox`ReceiveNextEventCommon + 432
        frame #38: 0x00007fff764c76c6 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
        frame #39: 0x00007fff74a6d5b4 AppKit`_DPSNextEvent + 1120
        frame #40: 0x00007fff751e7d6b AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
        frame #41: 0x00007fff74a61f35 AppKit`-[NSApplication run] + 926
        frame #42: 0x00007fff74a2c850 AppKit`NSApplicationMain + 1237
        frame #43: 0x00007fff8c6f78c7 libxpc.dylib`_xpc_objc_main + 775
        frame #44: 0x00007fff8c6f62e4 libxpc.dylib`xpc_main + 494
        frame #45: 0x00000001013137a2 com.apple.WebKit.WebContent`___lldb_unnamed_symbol1$$com.apple.WebKit.WebContent + 380
        frame #46: 0x00007fff8c493255 libdyld.dylib`start + 1
    (lldb)
Attachments
Proposed patch. (4.75 KB, patch)
2017-03-25 10:03 PDT, Eric Carlson
no flags
Archive of layout-test-results from ews124 for ios-simulator-wk2 (978.19 KB, application/zip)
2017-03-26 08:36 PDT, Build Bot
no flags
Archive of layout-test-results from ews122 for ios-simulator-wk2 (880.45 KB, application/zip)
2017-03-26 13:29 PDT, Build Bot
no flags
Updated patch. (5.49 KB, patch)
2017-03-27 11:07 PDT, Eric Carlson
youennf: review+
Patch for landing. (5.52 KB, patch)
2017-03-30 09:48 PDT, Eric Carlson
no flags
Patch for landing. (5.58 KB, patch)
2017-03-30 12:46 PDT, Eric Carlson
no flags
Eric Carlson
Comment 1 2017-03-25 10:03:32 PDT
Created attachment 305379 [details] Proposed patch.
buch0
Comment 2 2017-03-25 22:14:41 PDT
Thanks for the patch. I love Apple.
Build Bot
Comment 3 2017-03-26 08:36:43 PDT
Comment on attachment 305379 [details] Proposed patch.

Attachment 305379 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3413176

New failing tests:
fast/scrolling/ios/touch-scroll-pointer-events-none.html
fast/history/page-cache-createObjectURL-using-open-panel.html
Build Bot
Comment 4 2017-03-26 08:36:45 PDT
Created attachment 305423 [details] Archive of layout-test-results from ews124 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Eric Carlson
Comment 5 2017-03-26 12:57:46 PDT
(In reply to Build Bot from comment #4)
> Created attachment 305423 [details]
> Archive of layout-test-results from ews124 for ios-simulator-wk2
>
> The attached test failures were seen while running run-webkit-tests on the
> ios-sim-ews.
> Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6

These are unrelated to the patch.
Build Bot
Comment 6 2017-03-26 13:29:44 PDT
Comment on attachment 305379 [details] Proposed patch.

Attachment 305379 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3414049

New failing tests:
fast/css/getComputedStyle/computed-style-font-family.html
Build Bot
Comment 7 2017-03-26 13:29:46 PDT
Created attachment 305433 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
buch0
Comment 8 2017-03-27 01:55:44 PDT
(In reply to Build Bot from comment #6)
> Comment on attachment 305379 [details]
> Proposed patch.
>
> Attachment 305379 [details] did not pass ios-sim-ews (ios-simulator-wk2):
> Output: http://webkit-queues.webkit.org/results/3414049
>
> New failing tests:
> fast/css/getComputedStyle/computed-style-font-family.html

okay thanks man :D
Eric Carlson
Comment 9 2017-03-27 10:15:40 PDT
Comment on attachment 305379 [details] Proposed patch. I need to revise this.
Eric Carlson
Comment 10 2017-03-27 11:07:53 PDT
Created attachment 305487 [details] Updated patch.
youenn fablet
Comment 11 2017-03-27 16:41:07 PDT
Comment on attachment 305487 [details] Updated patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=305487&action=review

> Source/WebCore/Modules/webaudio/AudioBuffer.cpp:47
> +    RefPtr<AudioBuffer> buffer = adoptRef(*new AudioBuffer(numberOfChannels, numberOfFrames, sampleRate));

Should be auto or Ref<>.

> Source/WebCore/Modules/webaudio/AudioBuffer.cpp:48
> +    if (!buffer || !buffer->m_length)

Should just be !buffer->m_length I guess. In the case of !buffer, we are probably in a very bad situation and will crash anyway.

> Source/WebCore/Modules/webaudio/AudioBuffer.cpp:76
>         m_channels.append(channelDataArray);

Use WTFMove here. Or maybe refactor to put more code in common between the constructors, like an allocateChannelDataArray method that would be called from AudioBuffer::create.

> Source/WebCore/Modules/webaudio/AudioBuffer.cpp:95
>         channelDataArray->setRange(bus.channel(i)->data(), m_length, 0);

Why are we setting the range here but not in the other constructor?
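The defensive shape discussed in this review, and the failure path behind the reporter's createBuffer(2, -1, 44100) crash, as an added stand-alone C++ model that is not WebKit's code: channel arrays come from a factory that reports failure with nullptr, the constructor records a length of 0 when any allocation fails, and create() refuses to hand back such a buffer. FloatArrayModel, AudioBufferModel, createBufferFromScript and the kMaxLength limit are all assumed names; sample rate is omitted.

```cpp
#include <cstddef>
#include <memory>
#include <new>
#include <vector>
// Stand-in for a JS typed array whose factory returns nullptr (not an exception) on failure.
struct FloatArrayModel {
    static constexpr size_t kMaxLength = size_t(1) << 30; // assumed engine limit
    std::vector<float> data;
    static std::unique_ptr<FloatArrayModel> tryCreate(size_t length) {
        if (length > kMaxLength)
            return nullptr;
        try {
            auto array = std::make_unique<FloatArrayModel>();
            array->data.resize(length); // may still throw std::bad_alloc
            return array;
        } catch (const std::bad_alloc&) {
            return nullptr;
        }
    }
};
class AudioBufferModel {
public:
    // Factory shaped like the fix under review: a failed channel allocation leaves
    // m_length at 0, and create() turns that into a null result for the caller.
    static std::unique_ptr<AudioBufferModel> create(unsigned channels, size_t frames) {
        std::unique_ptr<AudioBufferModel> buffer(new AudioBufferModel(channels, frames));
        if (!buffer->m_length)
            return nullptr;
        return buffer;
    }
    size_t length() const { return m_length; }
    size_t numberOfChannels() const { return m_channels.size(); }
private:
    AudioBufferModel(unsigned channels, size_t frames) : m_length(frames) {
        for (unsigned i = 0; i < channels; ++i) {
            m_channels.push_back(FloatArrayModel::tryCreate(m_length));
            if (!m_channels.back()) { // the unchecked case behind the crash reported above
                m_length = 0;
                m_channels.clear();
                return;
            }
        }
    }
    size_t m_length;
    std::vector<std::unique_ptr<FloatArrayModel>> m_channels;
};
// A negative script-side length handed to an unsigned parameter wraps to a huge count.
inline std::unique_ptr<AudioBufferModel> createBufferFromScript(unsigned channels, long long length) {
    return AudioBufferModel::create(channels, static_cast<size_t>(length));
}
```

With the check in place the -1 case yields a null buffer the binding can turn into an exception, instead of a constructor that dereferences a missing channel array.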
Eric Carlson
Comment 12 2017-03-30 09:48:37 PDT
Created attachment 305866 [details] Patch for landing.
Eric Carlson
Comment 13 2017-03-30 12:46:10 PDT
Created attachment 305877 [details] Patch for landing.
WebKit Commit Bot
Comment 14 2017-03-30 13:17:18 PDT
Comment on attachment 305877 [details] Patch for landing.

Clearing flags on attachment: 305877

Committed r214618: <http://trac.webkit.org/changeset/214618>
WebKit Commit Bot
Comment 15 2017-03-30 13:17:23 PDT
All reviewed patches have been landed. Closing bug.
Brent Fulgham
Comment 16 2017-06-05 14:47:02 PDT