Validate AudioContext options before constructing the context

Previously, an AudioContext object would be constructed, and then the sample rate would be tested for validity and an error is thrown if invalid. The invalid sample rate would get passed to FFTFRame::Initialize which causes an out-of-bounds access. This is backwards. We should verify that the supplied sample rate is valid before contructing the AudioContext object. Bug: 967117 Change-Id: Ifba65666f09d823f1e84d561252ce97d5225db02 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1635204 Commit-Queue: Raymond Toy <rtoy@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/master@{#664396}

Validate AudioContext options before constructing the context
Previously, an AudioContext object would be constructed, and then the sample rate would be tested for validity and an error is thrown if invalid. The invalid sample rate would get passed to FFTFRame::Initialize which causes an out-of-bounds access. This is backwards. We should verify that the supplied sample rate is valid before contructing the AudioContext object. Bug: 967117 Change-Id: Ifba65666f09d823f1e84d561252ce97d5225db02 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1635204 Commit-Queue: Raymond Toy <rtoy@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/master@{#664396}
ce81771c · Raymond Toy · Commit Bot · 23584fba · ce81771c · ce81771c
Commit ce81771c authored May 29, 2019 by Raymond Toy Committed by Commit Bot May 29, 2019
2 changed files
--- a/third_party/blink/renderer/modules/webaudio/audio_context.cc
+++ b/third_party/blink/renderer/modules/webaudio/audio_context.cc
@@ -74,23 +74,25 @@ AudioContext* AudioContext::Create(Document& document,
    sample_rate = context_options->sampleRate();
  }

-  AudioContext* audio_context =
-      MakeGarbageCollected<AudioContext>(document, latency_hint, sample_rate);
-  ++g_hardware_context_count;
-  audio_context->UpdateStateIfNeeded();
-
-  if (!audio_utilities::IsValidAudioBufferSampleRate(
-          audio_context->sampleRate())) {
+  // Validate options before trying to construct the actual context.
+  if (sample_rate.has_value() &&
+      !audio_utilities::IsValidAudioBufferSampleRate(sample_rate.value())) {
    exception_state.ThrowDOMException(
        DOMExceptionCode::kNotSupportedError,
        ExceptionMessages::IndexOutsideRange(
-            "hardware sample rate", audio_context->sampleRate(),
+            "hardware sample rate", sample_rate.value(),
            audio_utilities::MinAudioBufferSampleRate(),
            ExceptionMessages::kInclusiveBound,
            audio_utilities::MaxAudioBufferSampleRate(),
            ExceptionMessages::kInclusiveBound));
-    return audio_context;
+    return nullptr;
  }
+
+  AudioContext* audio_context =
+      MakeGarbageCollected<AudioContext>(document, latency_hint, sample_rate);
+  ++g_hardware_context_count;
+  audio_context->UpdateStateIfNeeded();
+
  // This starts the audio thread. The destination node's
  // provideInput() method will now be called repeatedly to render
  // audio.  Each time provideInput() is called, a portion of the

--- a/third_party/blink/renderer/platform/audio/pffft/fft_frame_pffft.cc
+++ b/third_party/blink/renderer/platform/audio/pffft/fft_frame_pffft.cc
@@ -136,6 +136,10 @@ void FFTFrame::Initialize(float sample_rate) {
  // need to know about how the HRTF panner uses FFTs.
  unsigned hrtf_order = static_cast<unsigned>(
      log2(HRTFPanner::FftSizeForSampleRate(sample_rate)));
+
+  DCHECK_GT(hrtf_order, kMinFFTPow2Size);
+  DCHECK_LE(hrtf_order, kMaxFFTPow2Size);
+
  InitializeFFTSetupForSize(hrtf_order);
  InitializeFFTSetupForSize(hrtf_order - 1);
 }