Found with m-c:
BuildID=20190404063228
SourceStamp=bdaf1b36c44275dd4f027b4a4c30afed86cdfe13

Seeking around the video while playing seems to trigger the failure most reliably.

==7108==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x122ed19ea93c at pc 0x7ffddf4d4de6 bp 0x00225b3fd3a0 sp 0x00225b3fd3e8
WRITE of size 4 at 0x122ed19ea93c thread T41
    #0 0x7ffddf4d4de5 in mozilla::AudioConverter::DownmixAudio src\dom\media\AudioConverter.cpp:238
    #1 0x7ffddfb6c1af in mozilla::AudioConverter::Process<mozilla::AudioConfig::FORMAT_FLT,float> src\obj-firefox\dist\include\AudioConverter.h:156
    #2 0x7ffddfb3f400 in mozilla::AudioConverter::Process<mozilla::AudioConfig::FORMAT_FLT,float> src\obj-firefox\dist\include\AudioConverter.h:142
    #3 0x7ffddfb39cf0 in mozilla::AudioSink::NotifyAudioNeeded src\dom\media\mediasink\AudioSink.cpp:420
    #4 0x7ffdd6f016ab in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>,nsresult (nsIThreadPool::*)(),1,mozilla::RunnableKind::Standard>::Run src\xpcom\threads\nsThreadUtils.h:1174
    #5 0x7ffdd6f008ec in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run src\obj-firefox\dist\include\mozilla\TaskDispatcher.h:197
    #6 0x7ffdd6ef4041 in mozilla::TaskQueue::Runner::Run src\xpcom\threads\TaskQueue.cpp:199
    #7 0x7ffdd6f2dd38 in nsThreadPool::Run src\xpcom\threads\nsThreadPool.cpp:244
    #8 0x7ffdd6f21589 in nsThread::ProcessNextEvent src\xpcom\threads\nsThread.cpp:1180
    #9 0x7ffdd6f29238 in NS_ProcessNextEvent src\xpcom\threads\nsThreadUtils.cpp:486
    #10 0x7ffdd807afc1 in mozilla::ipc::MessagePumpForNonMainThreads::Run src\ipc\glue\MessagePump.cpp:303
    #11 0x7ffdd7fc695e in MessageLoop::RunHandler src\ipc\chromium\src\base\message_loop.cc:308
    #12 0x7ffdd7fc66f5 in MessageLoop::Run src\ipc\chromium\src\base\message_loop.cc:290
    #13 0x7ffdd6f19ee6 in nsThread::ThreadFunc src\xpcom\threads\nsThread.cpp:454
    #14 0x7ffdf164561d in _PR_NativeRunThread src\nsprpub\pr\src\threads\combined\pruthr.c:397
    #15 0x7ffdf16147b4 in pr_root src\nsprpub\pr\src\md\windows\w95thred.c:137
    #16 0x7ffe179de3fd in o_strcat_s+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18001e3fd)
    #17 0x7ffdf1a4e888 in __asan::AsanThread::ThreadStart Z:\task_1553815194\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:264
    #18 0x7ffe1a883dc3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180013dc3)
    #19 0x7ffdf6bef701 in patched_BaseThreadInitThunk src\mozglue\build\WindowsDllBlocklist.cpp:712
    #20 0x7ffe1abe3690 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180073690)

0x122ed19ea93e is located 0 bytes to the right of 4158-byte region [0x122ed19e9900,0x122ed19ea93e)
allocated by thread T41 here:
    #0 0x7ffdf1a445d0 in malloc Z:\task_1553815194\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:69
    #1 0x7ffddf640fe9 in mozilla::AlignedBuffer<float,32>::EnsureCapacity src\dom\media\MediaData.h:213
    #2 0x7ffddfb6c13c in mozilla::AudioConverter::Process<mozilla::AudioConfig::FORMAT_FLT,float> src\obj-firefox\dist\include\AudioConverter.h:153
    #3 0x7ffddfb3f400 in mozilla::AudioConverter::Process<mozilla::AudioConfig::FORMAT_FLT,float> src\obj-firefox\dist\include\AudioConverter.h:142
    #4 0x7ffddfb39cf0 in mozilla::AudioSink::NotifyAudioNeeded src\dom\media\mediasink\AudioSink.cpp:420
    #5 0x7ffdd6f016ab in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>,nsresult (nsIThreadPool::*)(),1,mozilla::RunnableKind::Standard>::Run src\xpcom\threads\nsThreadUtils.h:1174
    #6 0x7ffdd6f008ec in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run src\obj-firefox\dist\include\mozilla\TaskDispatcher.h:197
    #7 0x7ffdd6ef4041 in mozilla::TaskQueue::Runner::Run src\xpcom\threads\TaskQueue.cpp:199
    #8 0x7ffdd6f2dd38 in nsThreadPool::Run src\xpcom\threads\nsThreadPool.cpp:244
    #9 0x7ffdd6f21589 in nsThread::ProcessNextEvent src\xpcom\threads\nsThread.cpp:1180
    #10 0x7ffdd6f29238 in NS_ProcessNextEvent src\xpcom\threads\nsThreadUtils.cpp:486
    #11 0x7ffdd807afc1 in mozilla::ipc::MessagePumpForNonMainThreads::Run src\ipc\glue\MessagePump.cpp:303
    #12 0x7ffdd7fc695e in MessageLoop::RunHandler src\ipc\chromium\src\base\message_loop.cc:308
    #13 0x7ffdd7fc66f5 in MessageLoop::Run src\ipc\chromium\src\base\message_loop.cc:290
    #14 0x7ffdd6f19ee6 in nsThread::ThreadFunc src\xpcom\threads\nsThread.cpp:454
    #15 0x7ffdf164561d in _PR_NativeRunThread src\nsprpub\pr\src\threads\combined\pruthr.c:397
    #16 0x7ffdf16147b4 in pr_root src\nsprpub\pr\src\md\windows\w95thred.c:137
    #17 0x7ffe179de3fd in o_strcat_s+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18001e3fd)
    #18 0x7ffdf1a4e888 in __asan::AsanThread::ThreadStart Z:\task_1553815194\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:264
    #19 0x7ffe1a883dc3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180013dc3)

Thread T41 created by T0 here:
    #0 0x7ffdf1a4f9b0 in __asan_wrap_CreateThread Z:\task_1553815194\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_win.cc:146
    #1 0x7ffe179dde36 in beginthreadex+0x56 (C:\WINDOWS\System32\ucrtbase.dll+0x18001de36)
    #2 0x7ffdf16145dd in _PR_MD_CREATE_THREAD src\nsprpub\pr\src\md\windows\w95thred.c:151
    #3 0x7ffdf164652c in _PR_NativeCreateThread src\nsprpub\pr\src\threads\combined\pruthr.c:1044
    #4 0x7ffdf1646e89 in _PR_CreateThread src\nsprpub\pr\src\threads\combined\pruthr.c:1162
    #5 0x7ffdf16398df in PR_CreateThread src\nsprpub\pr\src\threads\combined\pruthr.c:1374
    #6 0x7ffdd6f1cc5a in nsThread::Init src\xpcom\threads\nsThread.cpp:661
    #7 0x7ffdd6f27dfc in nsThreadManager::NewNamedThread src\xpcom\threads\nsThreadManager.cpp:415
    #8 0x7ffdd6f2cc02 in NS_NewNamedThread src\xpcom\threads\nsThreadUtils.cpp:139
    #9 0x7ffdd6f2c348 in nsThreadPool::PutEvent src\xpcom\threads\nsThreadPool.cpp:111
    #10 0x7ffdd6f2f0bd in nsThreadPool::Dispatch src\xpcom\threads\nsThreadPool.cpp:290
    #11 0x7ffdd6efacaf in mozilla::SharedThreadPool::Dispatch src\obj-firefox\dist\include\mozilla\SharedThreadPool.h:70
    #12 0x7ffdd6ef2971 in mozilla::TaskQueue::DispatchLocked src\xpcom\threads\TaskQueue.cpp:105
    #13 0x7ffdd6efbb98 in mozilla::TaskQueue::Dispatch src\obj-firefox\dist\include\mozilla\TaskQueue.h:70
    #14 0x7ffdd6f003fb in mozilla::AutoTaskDispatcher::DispatchTaskGroup src\obj-firefox\dist\include\mozilla\TaskDispatcher.h:245
    #15 0x7ffdd6effb01 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher src\obj-firefox\dist\include\mozilla\TaskDispatcher.h:87
    #16 0x7ffdd6efdd4d in mozilla::EventTargetWrapper::FireTailDispatcher src\xpcom\threads\AbstractThread.cpp:72
    #17 0x7ffdd6f016ab in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>,nsresult (nsIThreadPool::*)(),1,mozilla::RunnableKind::Standard>::Run src\xpcom\threads\nsThreadUtils.h:1174
    #18 0x7ffdd6ccc800 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue src\xpcom\base\CycleCollectedJSContext.cpp:382
    #19 0x7ffdd6ccfb76 in mozilla::CycleCollectedJSContext::AfterProcessTask src\xpcom\base\CycleCollectedJSContext.cpp:441
    #20 0x7ffdd8d9e6b9 in XPCJSContext::AfterProcessTask src\js\xpconnect\src\XPCJSContext.cpp:1273
    #21 0x7ffdd6f221b2 in nsThread::ProcessNextEvent src\xpcom\threads\nsThread.cpp:1240
    #22 0x7ffdd6f29238 in NS_ProcessNextEvent src\xpcom\threads\nsThreadUtils.cpp:486
    #23 0x7ffdd8079d1c in mozilla::ipc::MessagePump::Run src\ipc\glue\MessagePump.cpp:110
    #24 0x7ffdd7fc695e in MessageLoop::RunHandler src\ipc\chromium\src\base\message_loop.cc:308
    #25 0x7ffdd7fc66f5 in MessageLoop::Run src\ipc\chromium\src\base\message_loop.cc:290
    #26 0x7ffde136a69a in nsBaseAppShell::Run src\widget\nsBaseAppShell.cpp:137
    #27 0x7ffde1501b68 in nsAppShell::Run src\widget\windows\nsAppShell.cpp:412
    #28 0x7ffde5553e5d in XRE_RunAppShell src\toolkit\xre\nsEmbedFunctions.cpp:919
    #29 0x7ffdd7fc695e in MessageLoop::RunHandler src\ipc\chromium\src\base\message_loop.cc:308
    #30 0x7ffdd7fc66f5 in MessageLoop::Run src\ipc\chromium\src\base\message_loop.cc:290
    #31 0x7ffde555314f in XRE_InitChildProcess src\toolkit\xre\nsEmbedFunctions.cpp:757

I can't reproduce.

Which OS are you running this on?
Can you attach the about:support output ? To enter that code you need specific settings set and audio out.

We no longer enter DownmixAudio under most circumstances as this is now done directly by the audio framework.

I can only reproduce on Windows. I verified with an ASan build from today.

It takes about 5-10 seconds of clicking around the seek bar while playing and it will crash.

Actually, I don't need a way to reproduce. I look in horror at that code; how could I have ever written such thing :(

No need to first downmix to stereo and then mono.

Comment on attachment 9057771 [details]
Bug 1542097 - Directly downmix to mono. r?bryce

Security Approval Request

• How easily could an exploit be constructed based on the patch?: you need to be on a device with a mono audio device or set a specific pref that force mono audio (accessibility pref).

It's pretty bad otherwise, we are writing on a buffer that is half the needed size.

• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which older supported branches are affected by this flaw?: esr60
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: patch should apply everywhere
• How likely is this patch to cause regressions; how much testing does it need?: little

Sec-approval+ for mozilla-central. We'll want Beta and ESR60 patches nominated as well.

https://hg.mozilla.org/integration/autoland/rev/32e046bfdeab

Please nominate this for Beta/ESR60 approval when you get a chance. It grafts cleanly to Beta as-landed but will need a rebased patch for ESR60.

https://hg.mozilla.org/mozilla-central/rev/32e046bfdeab

Comment on attachment 9057771 [details]
Bug 1542097 - Directly downmix to mono. r?bryce

Beta/Release Uplift Approval Request

• User impact if declined: Out of bound memory access.
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky):
• String changes made/needed:

No need to first downmix to stereo and then mono.

ESR60 rebase

Comment on attachment 9061564 [details]
Bug 1542097 - Directly downmix to mono. r=bryce

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration:
• User impact if declined:
• Fix Landed on Version:
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky):
• String or UUID changes made by this patch: none

Comment on attachment 9057771 [details]
Bug 1542097 - Directly downmix to mono. r?bryce

Fix for sec-high issue, let's uplift to beta.

Comment on attachment 9057771 [details]
Bug 1542097 - Directly downmix to mono. r?bryce

(use the other patch for esr)

https://hg.mozilla.org/releases/mozilla-beta/rev/a6d52faaa77c

https://hg.mozilla.org/releases/mozilla-esr60/rev/daf49b46f546