EchoEffect buffer overflow

Bug #1658508 reported by RJ Skerry-Ryan
Affects | Status | Importance | Assigned to | Milestone
Mixxx | Fix Released | Critical | RJ Skerry-Ryan |

Bug Description

Found using AddressSanitizer; it happened when I turned the delay knob all the way left. Unfortunately I was not running under a debugger.

Warning [Main]: "EffectParameter(Mid)" WARNING: Value was outside of limits, clamped.
Warning [Main]: "EffectParameter(Mid)" WARNING: Value was outside of limits, clamped.
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Main]: "EffectParameter(Depth)" WARNING: Parameter default is outside of minimum/maximum range.
Warning [Main]: "EffectParameter(Mid)" WARNING: Value was outside of limits, clamped.
Warning [Main]: "EffectParameter(Depth)" WARNING: Parameter default is outside of minimum/maximum range.
Warning [Engine]: Delay buffer requested is larger than max buffer!
Warning [Engine]: Delay buffer requested is larger than max buffer!
=================================================================
==50919==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00017e57ac00 at pc 0x00010646847e bp 0x7000028925d0 sp 0x7000028925c8
READ of size 4 at 0x00017e57ac00 thread T42
    #0 0x10646847d in EchoEffect::processChannel(ChannelHandle const&, EchoGroupState*, float const*, float*, unsigned int, unsigned int, EffectProcessor::EnableState, GroupFeatureState const&) echoeffect.cpp:146
    #1 0x1064688f4 in PerChannelEffectProcessor<EchoGroupState>::process(ChannelHandle const&, float const*, float*, unsigned int, unsigned int, EffectProcessor::EnableState, GroupFeatureState const&) effectprocessor.h:81
    #2 0x10664c2d6 in EngineEffect::process(ChannelHandle const&, float const*, float*, unsigned int, unsigned int, EffectProcessor::EnableState, GroupFeatureState const&) engineeffect.cpp:103
    #3 0x106651608 in EngineEffectChain::process(ChannelHandle const&, float*, unsigned int, unsigned int, GroupFeatureState const&) engineeffectchain.cpp:188
    #4 0x106654757 in EngineEffectRack::process(ChannelHandle const&, float*, unsigned int, unsigned int, GroupFeatureState const&) engineeffectrack.cpp:51
    #5 0x106658199 in EngineEffectsManager::process(ChannelHandle const&, float*, unsigned int, unsigned int, GroupFeatureState const&) engineeffectsmanager.cpp:139
    #6 0x10668357f in EngineDeck::process(float*, int) enginedeck.cpp:110
    #7 0x1066a728e in EngineMaster::processChannels(int) enginemaster.cpp:318
    #8 0x1066a7ec7 in EngineMaster::process(int) enginemaster.cpp:350
    #9 0x10706d901 in SoundDevicePortAudio::callbackProcessClkRef(unsigned int, float*, float const*, PaStreamCallbackTimeInfo const*, unsigned long) sounddeviceportaudio.cpp:947
    #10 0x10706a042 in (anonymous namespace)::paV19CallbackClkRef(void const*, void*, unsigned long, PaStreamCallbackTimeInfo const*, unsigned long, void*) sounddeviceportaudio.cpp:83
    #11 0x1097c1679 in AdaptingOutputOnlyProcess (libportaudio.2.dylib+0x7679)
    #12 0x1097c09b2 in PaUtil_EndBufferProcessing (libportaudio.2.dylib+0x69b2)
    #13 0x1097c5ef3 in AudioIOProc (libportaudio.2.dylib+0xbef3)
    #14 0x11e0396e8 in AUConverterBase::RenderBus(unsigned int&, AudioTimeStamp const&, unsigned int, unsigned int) (CoreAudio+0x26e8)
    #15 0x11e14a223 in AUBase::DoRenderBus(unsigned int&, AudioTimeStamp const&, unsigned int, AUOutputElement*, unsigned int, AudioBufferList&) (CoreAudio+0x113223)
    #16 0x11e149f23 in AUBase::DoRender(unsigned int&, AudioTimeStamp const&, unsigned int, unsigned int, AudioBufferList&) (CoreAudio+0x112f23)
    #17 0x11e03c8c8 in AUHAL::AUIOProc(unsigned int, AudioTimeStamp const*, AudioBufferList const*, AudioTimeStamp const*, AudioBufferList*, AudioTimeStamp const*, void*) (CoreAudio+0x58c8)
    #18 0x7fffaabf1d8c in HALC_ProxyIOContext::IOWorkLoop() (CoreAudio+0x3cd8c)
    #19 0x7fffaabf0666 in HALC_ProxyIOContext::IOThreadEntry(void*) (CoreAudio+0x3b666)
    #20 0x7fffaabf038a in HALB_IOThread::Entry(void*) (CoreAudio+0x3b38a)
    #21 0x7fffc07d9aaa in _pthread_body (libsystem_pthread.dylib+0x3aaa)
    #22 0x7fffc07d99f6 in _pthread_start (libsystem_pthread.dylib+0x39f6)
    #23 0x7fffc07d91fc in thread_start (libsystem_pthread.dylib+0x31fc)

RJ Skerry-Ryan (rryan)
Changed in mixxx:
importance: Undecided → Critical
milestone: none → 2.1.0
status: New → Confirmed
RJ Skerry-Ryan (rryan) wrote :

Ok, it's pretty straightforward -- at 96kHz the delay buffer is greater than MAX_BUFFER_LEN (2 seconds max vs 813ms). The code checks this case and warns about it but doesn't properly guard against reads past the end (I don't immediately see the bad read though).

Changed in mixxx:
assignee: nobody → RJ Ryan (rryan)
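
Added illustration, not Mixxx code and not part of the report: one way a warn-only size check can leave an out-of-bounds access in place, next to a clamped version. It assumes a delay line that uses the requested length as its ring length; `kMaxBufferLen`, `requestedLen`, `highestIndex` and `DelayLine` are hypothetical names, and the capacity is constructed from the 813 ms figure in the comment above.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed values, not Mixxx's: room for ~813 ms of interleaved stereo at 96 kHz.
constexpr std::size_t kMaxBufferLen = 156096;
constexpr std::size_t kChannels = 2;

// Interleaved samples needed for a delay of `seconds` at `sampleRate` Hz.
std::size_t requestedLen(double seconds, unsigned sampleRate) {
    return static_cast<std::size_t>(seconds * sampleRate) * kChannels;
}

// Highest index a ring of length ringLen (> 0) visits; computed only, never dereferenced.
std::size_t highestIndex(std::size_t ringLen, std::size_t samples) {
    std::size_t pos = 0, highest = 0;
    for (std::size_t i = 0; i < samples; ++i) {
        highest = std::max(highest, pos);
        pos = (pos + 1) % ringLen;
    }
    return highest;
}

class DelayLine {
  public:
    // Clamp the request to the allocation and return the length in effect.
    std::size_t setDelay(std::size_t requested) {
        m_len = std::max(kChannels, std::min(requested, m_buf.size()));
        m_pos %= m_len;
        return m_len;
    }
    // Emit the sample stored m_len calls ago, then overwrite its slot with `in`.
    float process(float in) {
        float out = m_buf[m_pos];
        m_buf[m_pos] = in;
        m_pos = (m_pos + 1) % m_len;
        return out;
    }
  private:
    std::vector<float> m_buf = std::vector<float>(kMaxBufferLen, 0.0f);
    std::size_t m_len = kMaxBufferLen;
    std::size_t m_pos = 0;
};

int main() {
    std::size_t want = requestedLen(2.0, 96000);  // 2 s at 96 kHz
    std::printf("top index %zu vs capacity %zu\n", highestIndex(want, want), kMaxBufferLen);
}
```

With the unclamped length the ring position runs past the allocation, which is the kind of access AddressSanitizer flags as a heap-buffer-overflow; clamping trades that for a shorter maximum delay.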
RJ Skerry-Ryan (rryan) wrote :
Changed in mixxx:
status: Confirmed → Fix Committed
Changed in mixxx:
status: Fix Committed → Fix Released
Swiftb0y (swiftb0y) wrote :

Mixxx now uses GitHub for bug tracking. This bug has been migrated to:
https://github.com/mixxxdj/mixxx/issues/8769
