[Webkit-unassigned] [Bug 177259] New: OfflineAudioContext does not validate allocation of destination buffer, results in null pointer dereference
bugzilla-daemon at webkit.org
Wed Sep 20 12:28:30 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=177259
Bug ID: 177259
Summary: OfflineAudioContext does not validate allocation of destination buffer, results in null pointer dereference
Product: WebKit
Version: WebKit Nightly Build
Hardware: Macintosh
OS: macOS 10.12.4
Status: NEW
Severity: Normal
Priority: P2
Component: Web Audio
Assignee: webkit-unassigned at lists.webkit.org
Reporter: avi.saven at gmail.com
Created attachment 321343
--> https://bugs.webkit.org/attachment.cgi?id=321343&action=review
A testcase causing the bug to trigger.
An OfflineAudioContext initialized with a frame size of -1 causes Float32Array to fail to allocate for m_renderTarget. m_renderTarget as a result gets set to null; this is not validated, and as a result a null pointer is dereferenced, leading to a crash.
Steps to reproduce:
1) Run new webkitOfflineAudioContext(1, -1, 44100.0); in console
Expected results:
1) It throws an error
Build Date & Hardware:
Built 09-19-2017 from master, macOS 10.12.5
Additional Information:
The allocation of the AudioBuffer occurs on AudioContext.cpp line 160, which directly passes numberOfFrames to Float32Array::create on AudioBuffer.cpp line 70. This failed allocation causes the allocation of the AudioBuffer to fail, returning null. This is directly passed to OfflineAudioDestinationNode::create, which goes to OfflineAudioDestinationNode::OfflineAudioDestinationNode, which calls renderTarget->sampleRate() in the constructor, causing the null pointer dereference.
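As an added illustration (not WebKit's code; the allocator and its size ceiling are constructed for this example), the block below models the chain the report describes and shows the two checks that stop the crash: rejecting the frame count before it is converted to an unsigned size, and testing the result of AudioBuffer::create before anything dereferences it.

```cpp
// Model of the report's chain: frame count -> AudioBuffer::create ->
// Float32Array::create -> OfflineAudioDestinationNode. Not WebKit's code.
#include <cstddef>
#include <memory>
#include <vector>

constexpr size_t kMaxFrames = 1u << 24;  // constructed allocation ceiling for this example

struct Float32Array {
    std::vector<float> data;
    // Stand-in for a fallible allocator: returns null on oversize requests instead of aborting.
    static std::unique_ptr<Float32Array> create(size_t length) {
        if (length > kMaxFrames) return nullptr;
        auto a = std::make_unique<Float32Array>();
        a->data.resize(length);
        return a;
    }
};

struct AudioBuffer {
    std::unique_ptr<Float32Array> channel;
    float rate;
    // As in the report: a failed Float32Array allocation makes AudioBuffer::create return null.
    static std::unique_ptr<AudioBuffer> create(unsigned numberOfFrames, float sampleRate) {
        auto arr = Float32Array::create(numberOfFrames);
        if (!arr) return nullptr;
        return std::unique_ptr<AudioBuffer>(new AudioBuffer{std::move(arr), sampleRate});
    }
    float sampleRate() const { return rate; }
};

struct OfflineAudioDestinationNode {
    float rate;
    // Takes a reference: the factory below guarantees the buffer is non-null before construction.
    explicit OfflineAudioDestinationNode(AudioBuffer& renderTarget) : rate(renderTarget.sampleRate()) {}
};

enum class Status { Ok, InvalidFrameCount, AllocationFailed };

// Hardened factory. A signed -1 passed straight through would become 4294967295 as an
// unsigned size, so the sign check happens first; the null check covers genuine allocation failure.
Status createOfflineDestination(long numberOfFrames, float sampleRate,
                                std::unique_ptr<OfflineAudioDestinationNode>& out) {
    if (numberOfFrames <= 0) return Status::InvalidFrameCount;  // stops the "-1" testcase
    auto renderTarget = AudioBuffer::create(static_cast<unsigned>(numberOfFrames), sampleRate);
    if (!renderTarget) return Status::AllocationFailed;  // the check the report says is missing
    out = std::make_unique<OfflineAudioDestinationNode>(*renderTarget);
    return Status::Ok;
}
```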