RESOLVED FIXED 177259
OfflineAudioContext does not validate allocation of destination buffer, results in null pointer dereference
https://bugs.webkit.org/show_bug.cgi?id=177259
Avi Saven
Reported 2017-09-20 12:28:30 PDT
Created attachment 321343 [details]
A testcase causing the bug to trigger.

An OfflineAudioContext initialized with a frame size of -1 causes Float32Array to fail to allocate for m_renderTarget. m_renderTarget as a result gets set to null; this is not validated, and as a result a null pointer is dereferenced, leading to a crash.

Steps to reproduce:
1) Run new webkitOfflineAudioContext(1, -1, 44100.0); in console

Expected results:
1) It throws an error

Build Date & Hardware: Built 09-19-2017 from master, macOS 10.12.5

Additional Information: The allocation of the AudioBuffer occurs on AudioContext.cpp line 160, which directly passes numberOfFrames to Float32Array::create on AudioBuffer.cpp line 70. This failed allocation causes the allocation of the AudioBuffer to fail, returning null. This is directly passed to OfflineAudioDestinationNode::create, which goes to OfflineAudioDestinationNode::OfflineAudioDestinationNode, which calls renderTarget->sampleRate() in the constructor, causing the null pointer dereference.
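The failure chain in the report (an oversized length reaches an allocator that returns null on failure, and a constructor dereferences the result unchecked) reduces to a small pattern. The following is an added C++ model of that pattern beside a checked variant; it is not WebKit code and not the patch that landed on this bug. All type and function names (RenderTarget, createRenderTarget, UnsafeDestinationNode, CheckedDestinationNode, createOfflineDestination, kMaxFramesWeCanAllocate) are constructed for the illustration, and the allocator cap is an arbitrary stand-in for the real platform limit. The value 4294967295 is what a JavaScript -1 becomes for a WebIDL unsigned long argument (modulo 2^32 conversion), which is assumed to be how the length reached the allocator.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Added example, not WebKit's code: a minimal model of the report's pattern.
// A JS length of -1 reaches C++ as 4294967295 (WebIDL unsigned long
// conversion wraps modulo 2^32), the backing-store allocation fails and
// returns null, and a constructor dereferences that null.

// Stand-in for the AudioBuffer / Float32Array pair (constructed names).
struct RenderTarget {
    std::vector<float> samples;
    double sampleRate = 0.0;
};

// Hypothetical allocator cap standing in for the platform refusing a
// multi-gigabyte Float32Array; the real limit belongs to the allocator.
static constexpr std::uint64_t kMaxFramesWeCanAllocate = std::uint64_t{1} << 26;

// Models AudioBuffer::create: reports failure by returning null, not by throwing.
std::unique_ptr<RenderTarget> createRenderTarget(std::uint32_t numberOfFrames, double sampleRate) {
    if (numberOfFrames == 0 || numberOfFrames > kMaxFramesWeCanAllocate)
        return nullptr; // allocation failure surfaces as null, as in the report
    auto target = std::make_unique<RenderTarget>();
    target->samples.assign(numberOfFrames, 0.0f);
    target->sampleRate = sampleRate;
    return target;
}

// The pattern the report describes: the constructor trusts its argument and
// reads through it immediately. With a null target this is the crash.
struct UnsafeDestinationNode {
    double sampleRate;
    explicit UnsafeDestinationNode(RenderTarget* renderTarget)
        : sampleRate(renderTarget->sampleRate) {} // null dereference if allocation failed
};

// Checked variant: the node only ever receives a non-null target, and the
// factory reports failure to the caller instead of crashing.
enum class CreateResult { Ok, InvalidLength, AllocationFailed };

struct CheckedDestinationNode {
    std::unique_ptr<RenderTarget> renderTarget; // initialized first, so safe to read below
    double sampleRate;
    explicit CheckedDestinationNode(std::unique_ptr<RenderTarget> target)
        : renderTarget(std::move(target)), sampleRate(renderTarget->sampleRate) {}
};

// Mirrors the constructor entry point: validate the length before allocating,
// then validate the allocation before handing anything to the node.
CreateResult createOfflineDestination(std::uint32_t numberOfFrames, double sampleRate,
                                      std::unique_ptr<CheckedDestinationNode>& out) {
    out.reset();
    if (numberOfFrames == 0)
        return CreateResult::InvalidLength;    // a zero-length render target is meaningless
    auto target = createRenderTarget(numberOfFrames, sampleRate);
    if (!target)
        return CreateResult::AllocationFailed; // the check the report says was missing
    out = std::make_unique<CheckedDestinationNode>(std::move(target));
    return CreateResult::Ok;
}

// What `new webkitOfflineAudioContext(1, -1, 44100.0)` turns into after
// WebIDL conversion of the length argument (assumption stated in the lead-in).
static constexpr std::uint32_t kFramesFromMinusOne = 0xFFFFFFFFu;

int main() {
    std::unique_ptr<CheckedDestinationNode> node;
    // The checked path turns the report's crash into an error the binding
    // layer can translate into a thrown exception.
    CreateResult bad = createOfflineDestination(kFramesFromMinusOne, 44100.0, node);
    CreateResult good = createOfflineDestination(44100, 44100.0, node);
    return (bad == CreateResult::AllocationFailed && good == CreateResult::Ok) ? 0 : 1;
}
```

The two checks are deliberately separate: rejecting an out-of-range length up front gives the caller a precise error, while checking the allocator's return value covers every other reason the backing store can fail, so the constructor never needs to reason about null.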
Attachments
A testcase causing the bug to trigger. (176 bytes, text/html)
2017-09-20 12:28 PDT, Avi Saven
no flags
Patch which fixes the bug. (8.05 KB, patch)
2019-10-09 12:30 PDT, Bjorn Melinder
no flags
revised patch (8.04 KB, patch)
2019-10-09 22:02 PDT, Bjorn Melinder
no flags
whitespace fix (8.07 KB, patch)
2019-10-09 23:19 PDT, Bjorn Melinder
no flags
Radar WebKit Bug Importer
Comment 1 2017-09-20 14:10:58 PDT
Bjorn Melinder
Comment 2 2019-10-09 12:30:19 PDT
Created attachment 380556 [details]
Patch which fixes the bug.

Hi! Here's a patch which fixes the bug. This is my first contribution to WebKit, so I wasn't allowed to assign myself to the bug. I've added LayoutTests which crash before the patch is applied, but pass once the patch is applied.
Bjorn Melinder
Comment 3 2019-10-09 22:02:46 PDT
Created attachment 380606 [details]
revised patch
Bjorn Melinder
Comment 4 2019-10-09 23:19:28 PDT
Created attachment 380607 [details]
whitespace fix
Eric Carlson
Comment 5 2019-10-10 06:57:39 PDT
Comment on attachment 380607 [details] whitespace fix

Thanks for the patch bjornm! Set the cq? flag if you would like someone to add this to the commit queue.
WebKit Commit Bot
Comment 6 2019-10-10 14:39:04 PDT
Comment on attachment 380607 [details] whitespace fix Rejecting attachment 380607 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 380607, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit Logging in as commit-queue@webkit.org... Fetching: https://bugs.webkit.org/attachment.cgi?id=380607&action=edit Fetching: https://bugs.webkit.org/show_bug.cgi?id=177259&ctype=xml&excludefield=attachmentdata Processing 1 patch from 1 bug. Updating working directory Processing patch 380607 from bug 177259. Fetching: https://bugs.webkit.org/attachment.cgi?id=380607 Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Committing to http://svn.webkit.org/repository/webkit/trunk ... M LayoutTests/ChangeLog ERROR from SVN: Item is out of date: File '/trunk/LayoutTests/ChangeLog' is out of date W: d353ef1dac081cecead024488cebf67049d1d6a5 and refs/remotes/origin/master differ, using rebase: :040000 040000 5b41967191d52892123402660994f4124311a7de e52780749b294b64c01f5d512889635447d01081 M LayoutTests :040000 040000 306bc68cae5cca6b352afe890b154353b8980d81 164d7496ca6450981ff22f035e81193c2b101837 M Source Current branch master is up to date. ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree. Please see the above messages for details. Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Committing to http://svn.webkit.org/repository/webkit/trunk ... 
M LayoutTests/ChangeLog ERROR from SVN: Item is out of date: File '/trunk/LayoutTests/ChangeLog' is out of date W: d353ef1dac081cecead024488cebf67049d1d6a5 and refs/remotes/origin/master differ, using rebase: :040000 040000 5b41967191d52892123402660994f4124311a7de e52780749b294b64c01f5d512889635447d01081 M LayoutTests :040000 040000 306bc68cae5cca6b352afe890b154353b8980d81 164d7496ca6450981ff22f035e81193c2b101837 M Source Current branch master is up to date. ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree. Please see the above messages for details. Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Updating OpenSource From https://git.webkit.org/git/WebKit 867cf4cdd0e..fe799a5a648 master -> origin/master Partial-rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc ... Currently at 250987 = 867cf4cdd0e763b3c4feae4fb680054c710fe41f r250988 = fe799a5a64859783d4bcc7fffeea4cc7db2a7d62 Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc First, rewinding head to replay your work on top of it... Fast-forwarded master to refs/remotes/origin/master. Full output: https://webkit-queues.webkit.org/results/13115952
WebKit Commit Bot
Comment 7 2019-10-11 07:18:08 PDT
Comment on attachment 380607 [details] whitespace fix

Clearing flags on attachment: 380607

Committed r251007: <https://trac.webkit.org/changeset/251007>
WebKit Commit Bot
Comment 8 2019-10-11 07:18:10 PDT
All reviewed patches have been landed. Closing bug.