Closed Bug 1432678 Opened 8 years ago Closed 8 years ago

UBSan: signed integer overflow in [@ mozilla::image::DecodedSurfaceProvider::LogicalSizeInBytes]

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Version:
60 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox60 --- fixed

People

(Reporter: tsmith, Assigned: tnikkel)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase, Whiteboard: [gfx-noted])

Attachments

(2 files)

testcase.gif
329 bytes, image/gif
Details
decoesizet
883 bytes, patch
aosmond
: review+
Details | Diff | Splinter Review
Attached image testcase.gif
Found with changeset: 400421:c5461973d6ee Built with -fsanitize=signed-integer-overflow /image/DecodedSurfaceProvider.cpp:125:21: runtime error: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' #0 0x7fc95c178084 in mozilla::image::DecodedSurfaceProvider::LogicalSizeInBytes() const /image/DecodedSurfaceProvider.cpp:125:21 #1 0x7fc95c215a70 in mozilla::image::SurfaceCacheImpl::Insert(mozilla::NotNull<mozilla::image::ISurfaceProvider*>, bool, mozilla::BaseAutoLock<mozilla::StaticMutex> const&) /image/SurfaceCache.cpp:747:28 #2 0x7fc95c1d504f in mozilla::image::SurfaceCache::Insert(mozilla::NotNull<mozilla::image::ISurfaceProvider*>) /image/SurfaceCache.cpp:1499:21 #3 0x7fc95c17bf3b in mozilla::image::DecoderFactory::CreateDecoder(mozilla::image::DecoderType, mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::SourceBuffer*>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /image/DecoderFactory.cpp:154:7 #4 0x7fc95c1c496d in mozilla::image::RasterImage::Decode(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::image::PlaybackType) /image/RasterImage.cpp:1265:12 #5 0x7fc95c1c3d92 in mozilla::image::RasterImage::LookupFrame(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::image::PlaybackType) /image/RasterImage.cpp:374:20 #6 0x7fc95c1cb03c in mozilla::image::RasterImage::RequestDecodeForSizeInternal(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /image/RasterImage.cpp:1169:25 #7 0x7fc95c1cabf3 in mozilla::image::RasterImage::RequestDecodeForSize(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /image/RasterImage.cpp:1137:3 #8 0x7fc95c1cd506 in mozilla::image::RasterImage::NotifyDecodeComplete(mozilla::image::DecoderFinalStatus const&, mozilla::image::ImageMetadata const&, mozilla::image::DecoderTelemetry const&, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /image/RasterImage.cpp:1772:7 #9 0x7fc95c1962b5 in mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2::operator()() const /image/IDecodingTask.cpp:130:12 #10 0x7fc95c196119 in mozilla::detail::RunnableFunction<mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2>::Run() /xpcom/threads/nsThreadUtils.h:529:5 #11 0x7fc958b7a431 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1040:14 #12 0x7fc958bb5cfa in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:517:10 #13 0x7fc959f04131 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21 #14 0x7fc959d64fe0 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3 #15 0x7fc960215005 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:157:27 #16 0x7fc9661137b7 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30 #17 0x7fc9662eac38 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4707:22 #18 0x7fc9662ecaef in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4842:8 #19 0x7fc9662ed961 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4934:21 #20 0x51855e in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22 #21 0x517d44 in main /browser/app/nsBrowserApp.cpp:304:16 #22 0x7fc99106f1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308 #23 0x4207a9 in _start (/objdir-ff-ubsan/dist/bin/firefox+0x4207a9)
:aosmond, can you comment to the bug?
Flags: needinfo?(aosmond)
Whiteboard: [gfx-noted]
Attached patch decoesizetSplinter Review
Assignee: nobody → tnikkel
Flags: needinfo?(aosmond)
Attachment #8948066 - Flags: review?(aosmond)
Attachment #8948066 - Flags: review?(aosmond) → review+
Pushed by tnikkel@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/dff22255b582 Convert to size_t in DecodedSurfaceProvider::LogicalSizeInBytes so multiplication doesn't overflow. r=aosmond
https://hg.mozilla.org/mozilla-central/rev/dff22255b582
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox60: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: