Bug 64076

Summary: webkitAudioContext does not do proper sanity checking on its arguments.
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Chris Rogers <crogers>
Status: RESOLVED FIXED    
Severity: Normal CC: crogers, dglazkov, eric, kbr, webkit.review.bot
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
Patch
none
Patch
none
Patch kbr: review+

Description Berend-Jan Wever 2011-07-07 02:14:58 PDT 
Chromium https://code.google.com/p/chromium/issues/detail?id=88638
Split off from bug 63997.

webkitAudioContext takes three arguments, which should be non-zero positive values that are limited by the amount of available memory. The code is currently not doing proper checks, which causes crashes when you supply invalid arguments:

Repro:
<script>
  // This should not crash but simply output "PASS".
  var aiArgs = [
      [-1,1,1], [0,1,1],
      [1,-1,1], [1,0,1],
      [1,1,-1], [1,1,0],
      [0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF]],
      bFail = false;
  if (!window.webkitAudioContext) {
    document.write('DISABLED');
  } else {
    for (var i = 0; i < aiArgs.length; i++) {
      var code = 'new webkitAudioContext(' + aiArgs[i].join(',') + ')';
      try { eval(code); }
      catch (e) { continue; }
      document.write('FAIL: ' + code);
      bFail = true;
    }
    if (!bFail) document.write('PASS');
  }
</script>
Comment 1 Berend-Jan Wever 2011-07-07 03:53:06 PDT 
See also bug 63997
Comment 2 Chris Rogers 2011-07-08 17:47:23 PDT 
Created attachment 100193 [details]
Patch
Comment 3 WebKit Review Bot 2011-07-08 18:03:50 PDT 
Comment on attachment 100193 [details]
Patch

Attachment 100193 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/8997835
Comment 4 Kenneth Russell 2011-07-08 18:12:51 PDT 
Comment on attachment 100193 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=100193&action=review

> Source/WebCore/bindings/js/JSAudioContextCustom.cpp:78
> +        signed numberOfChannels = exec->argument(0).toInt32(exec);
> +        signed numberOfFrames = exec->argument(1).toInt32(exec);

Why not use int32 rather than signed?

> Source/WebCore/bindings/js/JSAudioContextCustom.cpp:135
> +    signed numberOfChannels = exec->argument(0).toInt32(exec);
> +    signed numberOfFrames = exec->argument(1).toInt32(exec);

Same here.

> Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:70
> +        signed numberOfChannels = toInt32(args[0], ok);

Same here.

> Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:74
> +        signed numberOfFrames = toInt32(args[1], ok);

Same here.

> Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:133
> +    signed numberOfChannels = toInt32(args[0], ok);

And here.

> Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:137
> +    signed numberOfFrames = toInt32(args[1], ok);

And here.

> Source/WebCore/webaudio/AudioContext.cpp:91
> +PassRefPtr<AudioContext> AudioContext::createOfflineContext(Document* document, unsigned numberOfChannels, size_t numberOfFrames, double sampleRate, ExceptionCode& ec)

Why is numberOfChannels still unsigned if the caller is passing signed? Similar for numberOfFrames.
Comment 5 Kenneth Russell 2011-07-08 18:13:25 PDT 
Comment on attachment 100193 [details]
Patch

On second thought I'm r-'ing this.
Comment 6 Chris Rogers 2011-07-08 18:56:59 PDT 
Created attachment 100199 [details]
Patch
Comment 7 Chris Rogers 2011-07-08 18:58:36 PDT 
Fixed signed -> int32_t

The actual API is unsigned, but it seems useful to do bounds checking on the parameters as signed, since negative values can be easily dealt with.
Comment 8 WebKit Review Bot 2011-07-08 19:02:08 PDT 
Comment on attachment 100199 [details]
Patch

Attachment 100199 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/8999738
Comment 9 Chris Rogers 2011-07-08 19:07:16 PDT 
Created attachment 100200 [details]
Patch
Comment 10 Chris Rogers 2011-07-08 19:07:58 PDT 
Sorry - last patch fixes cr-linux compile error
Comment 11 Kenneth Russell 2011-07-12 11:36:59 PDT 
Comment on attachment 100200 [details]
Patch

OK, looks good.
Comment 12 Chris Rogers 2011-07-12 12:17:17 PDT 
Committed r90839: <http://trac.webkit.org/changeset/90839>