Closed Bug 1432678 Opened 2 years ago Closed 2 years ago

UBSan: signed integer overflow in [@ mozilla::image::DecodedSurfaceProvider::LogicalSizeInBytes]

Categories

(Core :: ImageLib, defect)

60 Branch
defect
Not set

Tracking

RESOLVED FIXED
mozilla60
Tracking Status
firefox60 --- fixed

People

(Reporter: tsmith, Assigned: tnikkel)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase, Whiteboard: [gfx-noted])

Attachments

(2 files)

Attached image testcase.gif
Found with changeset: 400421:c5461973d6ee
Built with -fsanitize=signed-integer-overflow

/image/DecodedSurfaceProvider.cpp:125:21: runtime error: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
    #0 0x7fc95c178084 in mozilla::image::DecodedSurfaceProvider::LogicalSizeInBytes() const /image/DecodedSurfaceProvider.cpp:125:21
    #1 0x7fc95c215a70 in mozilla::image::SurfaceCacheImpl::Insert(mozilla::NotNull<mozilla::image::ISurfaceProvider*>, bool, mozilla::BaseAutoLock<mozilla::StaticMutex> const&) /image/SurfaceCache.cpp:747:28
    #2 0x7fc95c1d504f in mozilla::image::SurfaceCache::Insert(mozilla::NotNull<mozilla::image::ISurfaceProvider*>) /image/SurfaceCache.cpp:1499:21
    #3 0x7fc95c17bf3b in mozilla::image::DecoderFactory::CreateDecoder(mozilla::image::DecoderType, mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::SourceBuffer*>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /image/DecoderFactory.cpp:154:7
    #4 0x7fc95c1c496d in mozilla::image::RasterImage::Decode(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::image::PlaybackType) /image/RasterImage.cpp:1265:12
    #5 0x7fc95c1c3d92 in mozilla::image::RasterImage::LookupFrame(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::image::PlaybackType) /image/RasterImage.cpp:374:20
    #6 0x7fc95c1cb03c in mozilla::image::RasterImage::RequestDecodeForSizeInternal(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /image/RasterImage.cpp:1169:25
    #7 0x7fc95c1cabf3 in mozilla::image::RasterImage::RequestDecodeForSize(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /image/RasterImage.cpp:1137:3
    #8 0x7fc95c1cd506 in mozilla::image::RasterImage::NotifyDecodeComplete(mozilla::image::DecoderFinalStatus const&, mozilla::image::ImageMetadata const&, mozilla::image::DecoderTelemetry const&, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /image/RasterImage.cpp:1772:7
    #9 0x7fc95c1962b5 in mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2::operator()() const /image/IDecodingTask.cpp:130:12
    #10 0x7fc95c196119 in mozilla::detail::RunnableFunction<mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2>::Run() /xpcom/threads/nsThreadUtils.h:529:5
    #11 0x7fc958b7a431 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1040:14
    #12 0x7fc958bb5cfa in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:517:10
    #13 0x7fc959f04131 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
    #14 0x7fc959d64fe0 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3
    #15 0x7fc960215005 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:157:27
    #16 0x7fc9661137b7 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30
    #17 0x7fc9662eac38 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4707:22
    #18 0x7fc9662ecaef in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4842:8
    #19 0x7fc9662ed961 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4934:21
    #20 0x51855e in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22
    #21 0x517d44 in main /browser/app/nsBrowserApp.cpp:304:16
    #22 0x7fc99106f1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #23 0x4207a9 in _start (/objdir-ff-ubsan/dist/bin/firefox+0x4207a9)
:aosmond, can you comment on the bug?
Flags: needinfo?(aosmond)
Whiteboard: [gfx-noted]
Attached patch decoesizet
Assignee: nobody → tnikkel
Flags: needinfo?(aosmond)
Attachment #8948066 - Flags: review?(aosmond)
Attachment #8948066 - Flags: review?(aosmond) → review+
Pushed by tnikkel@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dff22255b582
Convert to size_t in DecodedSurfaceProvider::LogicalSizeInBytes so multiplication doesn't overflow. r=aosmond
https://hg.mozilla.org/mozilla-central/rev/dff22255b582
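To illustrate the class of defect behind this bug and the shape of the fix, here is an added example (not Mozilla's code): it checks whether the pre-fix `int` multiplication would overflow for a given surface, and computes the logical size the post-fix way, widened to `size_t` with an explicit overflow guard. The `Surface` struct, the 4 bytes-per-pixel figure, and the use of `__builtin_mul_overflow` (GCC/Clang) are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for the surface geometry a decoded-surface provider
// would read from its decoder; this is not the real DecodedSurfaceProvider.
struct Surface {
  int width;
  int height;
  int bytesPerPixel;  // assumed 4 (BGRA) in the examples below
};

// Mirrors the pre-fix arithmetic: every operand is int, so the product is
// evaluated in int. Instead of executing the overflow (undefined behaviour,
// which is what UBSan reported), this asks the checked-multiply builtin
// whether the int product would have overflowed.
bool IntProductOverflows(int width, int height, int bytesPerPixel) {
  int tmp;
  if (__builtin_mul_overflow(width, height, &tmp)) return true;
  return __builtin_mul_overflow(tmp, bytesPerPixel, &tmp);
}

// Post-fix style: reject negative dimensions, widen to size_t before
// multiplying, and still guard the product so a 32-bit size_t cannot wrap
// silently. Returns false instead of a bogus size on failure.
bool LogicalSizeInBytes(const Surface& s, size_t* outBytes) {
  if (s.width < 0 || s.height < 0 || s.bytesPerPixel < 0) return false;
  size_t w = static_cast<size_t>(s.width);
  size_t h = static_cast<size_t>(s.height);
  size_t bpp = static_cast<size_t>(s.bytesPerPixel);
  size_t pixels;
  if (__builtin_mul_overflow(w, h, &pixels)) return false;
  return !__builtin_mul_overflow(pixels, bpp, outBytes);
}

int main() {
  // 65535 x 65535 is the largest geometry a GIF header can declare; the
  // testcase in this bug triggers exactly this product.
  Surface gifMax{65535, 65535, 4};
  size_t bytes = 0;
  std::printf("int overflow: %d\n",
              IntProductOverflows(gifMax.width, gifMax.height, gifMax.bytesPerPixel));
  if (LogicalSizeInBytes(gifMax, &bytes)) std::printf("size_t bytes: %zu\n", bytes);
  return 0;
}
```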
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60