RESOLVED FIXED 64076
webkitAudioContext does not do proper sanity checking on its arguments. 
https://bugs.webkit.org/show_bug.cgi?id=64076
Summary webkitAudioContext does not do proper sanity checking on its arguments.
Berend-Jan Wever
Reported 2011-07-07 02:14:58 PDT
Chromium https://code.google.com/p/chromium/issues/detail?id=88638 Split off from bug 63997. webkitAudioContext takes three arguments, which should be non-zero positive values that are limited by the amount of available memory. The code is currently not doing proper checks, which causes crashes when you supply invalid arguments: Repro: <script> // This should not crash but simply output "PASS". var aiArgs = [ [-1,1,1], [0,1,1], [1,-1,1], [1,0,1], [1,1,-1], [1,1,0], [0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF]], bFail = false; if (!window.webkitAudioContext) { document.write('DISABLED'); } else { for (var i = 0; i < aiArgs.length; i++) { var code = 'new webkitAudioContext(' + aiArgs[i].join(',') + ')'; try { eval(code); } catch (e) { continue; } document.write('FAIL: ' + code); bFail = true; } if (!bFail) document.write('PASS'); } </script>
Attachments
Patch (9.76 KB, patch)
2011-07-08 17:47 PDT, Chris Rogers 		no flags
DetailsFormatted DiffDiff
Patch (9.76 KB, patch)
2011-07-08 18:56 PDT, Chris Rogers 		no flags
DetailsFormatted DiffDiff
Patch (9.77 KB, patch)
2011-07-08 19:07 PDT, Chris Rogers 		kbr: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Berend-Jan Wever
Comment 1 2011-07-07 03:53:06 PDT
See also bug 63997
Chris Rogers
Comment 2 2011-07-08 17:47:23 PDT
Created attachment 100193 [details] Patch
WebKit Review Bot
Comment 3 2011-07-08 18:03:50 PDT
Comment on attachment 100193 [details] Patch Attachment 100193 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/8997835
Kenneth Russell
Comment 4 2011-07-08 18:12:51 PDT
Comment on attachment 100193 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=100193&action=review > Source/WebCore/bindings/js/JSAudioContextCustom.cpp:78 > + signed numberOfChannels = exec->argument(0).toInt32(exec); > + signed numberOfFrames = exec->argument(1).toInt32(exec); Why not use int32 rather than signed? > Source/WebCore/bindings/js/JSAudioContextCustom.cpp:135 > + signed numberOfChannels = exec->argument(0).toInt32(exec); > + signed numberOfFrames = exec->argument(1).toInt32(exec); Same here. > Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:70 > + signed numberOfChannels = toInt32(args[0], ok); Same here. > Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:74 > + signed numberOfFrames = toInt32(args[1], ok); Same here. > Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:133 > + signed numberOfChannels = toInt32(args[0], ok); And here. > Source/WebCore/bindings/v8/custom/V8AudioContextCustom.cpp:137 > + signed numberOfFrames = toInt32(args[1], ok); And here. > Source/WebCore/webaudio/AudioContext.cpp:91 > +PassRefPtr<AudioContext> AudioContext::createOfflineContext(Document* document, unsigned numberOfChannels, size_t numberOfFrames, double sampleRate, ExceptionCode& ec) Why is numberOfChannels still unsigned if the caller is passing signed? Similar for numberOfFrames.
Kenneth Russell
Comment 5 2011-07-08 18:13:25 PDT
Comment on attachment 100193 [details] Patch On second thought I'm r-'ing this.
Chris Rogers
Comment 6 2011-07-08 18:56:59 PDT
Created attachment 100199 [details] Patch
Chris Rogers
Comment 7 2011-07-08 18:58:36 PDT
Fixed signed -> int32_t The actual API is unsigned, but it seems useful to do bounds checking on the parameters as signed, since negative values can be easily dealt with.
WebKit Review Bot
Comment 8 2011-07-08 19:02:08 PDT
Comment on attachment 100199 [details] Patch Attachment 100199 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/8999738
Chris Rogers
Comment 9 2011-07-08 19:07:16 PDT
Created attachment 100200 [details] Patch
Chris Rogers
Comment 10 2011-07-08 19:07:58 PDT
Sorry - last patch fixes cr-linux compile error
Kenneth Russell
Comment 11 2011-07-12 11:36:59 PDT
Comment on attachment 100200 [details] Patch OK, looks good.
Chris Rogers
Comment 12 2011-07-12 12:17:17 PDT
Committed r90839: <http://trac.webkit.org/changeset/90839>
Note You need to log in before you can comment on or make changes to this bug.