
Issue 172331


Issue metadata

Status: Fixed
Closed: Feb 2013
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Use-after-free in WebCore::VectorMath::vsmul

Reported by, Jan 25 2013

Issue description

Tested on:

OS: Ubuntu 12.04
Chromium: 26.0.1394.0 (Developer Build 178763) 


// Repro: builds a graph of Web Audio nodes (webkit-prefixed API in this Chromium build),
// including the PannerNode whose panning-model setter appears in the ASAN trace below.
var context1 = new webkitAudioContext();
var BiquadFilter8 = context1.createBiquadFilter();
var Oscillator1 = context1.createOscillator();
var Panner3 = context1.createPanner();




ASAN report (the same repro file causes multiple different ASAN traces):

==11957== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa68c0dd040 at pc 0x7fa6aa5ba5f7 bp 0x7fa690f68b50 sp 0x7fa690f68b48
WRITE of size 16 at 0x7fa68c0dd040 thread T6 (AudioOutputDevic)
    #0 0x7fa6aa5ba5f6 in WebCore::VectorMath::vsmul(float const*, int, float const*, float*, int, unsigned long) ???:0
    #1 0x7fa6aa5bdf7b in WebCore::FFTFrame::doInverseFFT(float*) ???:0
    #2 0x7fa6aa7bda8d in WebCore::FFTConvolver::process(WebCore::FFTFrame*, float const*, float*, unsigned long) ???:0
    #3 0x7fa6aa7c552d in WebCore::HRTFPanner::pan(double, double, WebCore::AudioBus const*, WebCore::AudioBus*, unsigned long) ???:0
    #4 0x7fa6a7e58d37 in WebCore::PannerNode::process(unsigned long) ???:0
    #5 0x7fa6a7439d6c in WebCore::AudioNode::processIfNecessary(unsigned long) ???:0
freed by thread T0 (chrome) here:
    #0 0x7f5970aad832 in free ??:0
    #1 0x7f59775b0392 in WebCore::HRTFPanner::~HRTFPanner() ???:0
    #2 0x7f59775b002d in WebCore::HRTFPanner::~HRTFPanner() ???:0
    #3 0x7f5974c46f66 in WebCore::PannerNode::setPanningModel(unsigned int) ???:0
    #4 0x7f5979601820 in WebCore::V8PannerNode::panningModelAccessorSetter(v8::Local<v8::String>, v8::Local<v8::Value>, v8::AccessorInfo const&) ???:0
    #5 0x7f5977d82dff in v8::internal::StoreCallbackProperty(v8::internal::Arguments, v8::internal::Isolate*) ???:0

Status: Assigned

Comment 2 by, Jan 31 2013

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High SecImpacts-Stable SecImpacts-Beta OS-All Mstone-24
filed upstream as

rtoy@ are you looking at this?

Comment 3 by, Feb 11 2013

Hey Raymond,

I'm following up on all the open high-severity security bugs since Pwnium/Pwn2Own is just around the corner (we're using M25).

Are you on this one? Otherwise we need to find a new owner quick. Thanks for any help!

Comment 4 by, Feb 11 2013

I am looking into this.  It may take some time to get to the bottom of
this, though.  I think it might be caused by using an object after it has
been freed.  Maybe.

Comment 5 by, Feb 12 2013

Ray, this looks like a thread safety issue in PannerNode::setPanningModel().  It looks like we need to have a mutex using a MutexTryLocker in PannerNode::process() analogous to how m_processLock is used in AudioBufferSourceNode (when m_buffer is changed)

Comment 6 by, Feb 12 2013

Yes, that's what I was seeing.  I'll take a look at doing it that way. (I
had made a change that saved the new panner in setPanningModel and then
applied that change at the start of PannerNode::process.)
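
The defect and the fix sketched in comments 5 and 6, as an added C++ example that is not WebKit's code: UnsafePannerNode shows the shape of the bug (a main-thread setter that deletes the panner with no coordination while the render thread may still be inside process()), and PannerNode shows the guarded version, with std::unique_lock plus std::try_to_lock standing in for WTF's MutexTryLocker and a std::mutex named m_processLock after the AudioBufferSourceNode member the comment cites. Panner, its gain values, renderAfterModelChange and livePannersAfterChange are hypothetical names constructed for the demo; the walkthrough is single-threaded, so it only demonstrates that the swap leaves no stale object behind and that the render path has a non-blocking fallback.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <mutex>
#include <utility>
#include <vector>

// Hypothetical stand-in for WebCore::HRTFPanner: the object the setter
// deletes and the render thread writes through.
class Panner {
public:
    explicit Panner(int model) : m_model(model) { ++s_live; }
    ~Panner() { --s_live; }
    int model() const { return m_model; }
    static int liveCount() { return s_live; }

    // Hypothetical panning: model 0 passes audio through, model 1 halves it.
    void pan(const std::vector<float>& in, std::vector<float>& out) const {
        const float gain = (m_model == 0) ? 1.0f : 0.5f;
        for (size_t i = 0; i < in.size(); ++i)
            out[i] = in[i] * gain;
    }
private:
    int m_model;
    static int s_live;
};
int Panner::s_live = 0;

// Shape of the defect: the main-thread setter frees the panner with no
// coordination, so a render callback already inside process() keeps
// writing through a freed object (the heap-use-after-free ASan reported).
class UnsafePannerNode {
public:
    UnsafePannerNode() : m_panner(std::make_unique<Panner>(0)) {}
    void setPanningModel(int model) {
        m_panner = std::make_unique<Panner>(model); // old panner freed right here
    }
    void process(const std::vector<float>& in, std::vector<float>& out) {
        m_panner->pan(in, out); // may run concurrently with the line above
    }
private:
    std::unique_ptr<Panner> m_panner;
};

// Shape of the fix: a process lock the render thread only *tries* to take,
// so it never blocks inside an audio callback and never touches a panner
// that is in the middle of being replaced.
class PannerNode {
public:
    PannerNode() : m_panner(std::make_unique<Panner>(0)) {}

    // Main thread: swap under the lock; the old panner is destroyed only
    // after the lock is released, keeping the critical section tiny.
    void setPanningModel(int model) {
        std::unique_ptr<Panner> replacement = std::make_unique<Panner>(model);
        {
            std::lock_guard<std::mutex> lock(m_processLock);
            std::swap(m_panner, replacement);
        }
        // 'replacement' now owns the old panner and deletes it on scope exit.
    }

    // Render thread: if the main thread is mid-swap, output silence for this
    // quantum and report it, instead of racing on the pointer.
    bool process(const std::vector<float>& in, std::vector<float>& out) {
        std::unique_lock<std::mutex> lock(m_processLock, std::try_to_lock);
        if (!lock.owns_lock()) {
            std::fill(out.begin(), out.end(), 0.0f);
            return false;
        }
        m_panner->pan(in, out);
        return true;
    }
private:
    std::mutex m_processLock;
    std::unique_ptr<Panner> m_panner;
};

// Walkthrough: render, switch the model as the "main thread" would, render
// again. Returns the first output sample, which reflects the new panner only.
float renderAfterModelChange(int model) {
    PannerNode node;
    std::vector<float> in(4, 1.0f), out(4, 0.0f); // constructed input: four samples of 1.0
    node.process(in, out);
    node.setPanningModel(model);
    node.process(in, out);
    return out[0];
}

// Number of Panner objects alive once the swap completed: the replaced
// panner is already gone, so exactly one remains while the node lives.
int livePannersAfterChange() {
    PannerNode node;
    node.setPanningModel(1);
    return Panner::liveCount();
}
```

Destroying the old panner outside the lock matters in the real engine too: the render thread's try-lock should fail only for the few instructions of the pointer swap, not for the whole teardown of the HRTF buffers, otherwise audible dropouts accompany every model change.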


Comment 7 by, Feb 13 2013

Status: Fixed
Looks like the fix landed in WebKit:

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved reward-topanel
Labels: -Mstone-24 -Merge-Approved Mstone-25 Merge-Merged Release-1
Labels: CVE-2013-0904
Labels: -reward-topanel reward-1000 reward-unpaid

Comment 13 by, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-25 Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-High Type-Bug-Security M-25
Labels: -reward-unpaid reward-inprocess

Comment 15 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 16 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 17 by, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 18 by, Apr 5 2013

Labels: -Cr-Content Cr-Blink
Labels: -reward-inprocess
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.


Comment 21 by, Jun 14 2016

Labels: -security_impact-beta

Comment 22 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 23 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
