1432679 - UBSan: signed integer overflow in [@ mozilla::image::nsGIFDecoder2::FinishImageDescriptor]

Status: RESOLVED FIXED

(Core :: Graphics: ImageLib, defect)

Description

[Tyson Smith [:tsmith] (PTO)]

Attachment: testcase.gif

Found with changeset: 400421:c5461973d6ee
Built with -fsanitize=signed-integer-overflow

/image/decoders/nsGIFDecoder2.cpp:883:51: runtime error: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
    #0 0x7fc95c26ef96 in mozilla::image::nsGIFDecoder2::FinishImageDescriptor(char const*) /image/decoders/nsGIFDecoder2.cpp:883:51
    #1 0x7fc95c26df7e in mozilla::image::nsGIFDecoder2::ReadImageDescriptor(char const*) /image/decoders/nsGIFDecoder2.cpp:770:12
    #2 0x7fc95c289270 in mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1::operator()(mozilla::image::nsGIFDecoder2::State, char const*, unsigned long) const /image/decoders/nsGIFDecoder2.cpp:489:16
    #3 0x7fc95c288a7d in mozilla::Maybe<mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> > mozilla::image::StreamingLexer<mozilla::image::nsGIFDecoder2::State, 16ul>::BufferedRead<mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1>(mozilla::image::SourceBufferIterator&, mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1) /image/StreamingLexer.h:649:28
    #4 0x7fc95c26b4f2 in mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> mozilla::image::StreamingLexer<mozilla::image::nsGIFDecoder2::State, 16ul>::Lex<mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1>(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*, mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1) /image/StreamingLexer.h:512:20
    #5 0x7fc95c26afc3 in mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /image/decoders/nsGIFDecoder2.cpp:465:17
    #6 0x7fc95c16f102 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /image/Decoder.cpp:133:20
    #7 0x7fc95c17825a in mozilla::image::DecodedSurfaceProvider::Run() /image/DecodedSurfaceProvider.cpp:139:34
    #8 0x7fc95c177136 in mozilla::image::DecodePool::SyncRunIfPreferred(mozilla::image::IDecodingTask*, nsTString<char> const&) /image/DecodePool.cpp:326:12
    #9 0x7fc95c1cb3d9 in mozilla::image::LaunchDecodingTask(mozilla::image::IDecodingTask*, mozilla::image::RasterImage*, unsigned int, bool) /image/RasterImage.cpp:1189:39
    #10 0x7fc95c1c4a18 in mozilla::image::RasterImage::Decode(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::image::PlaybackType) /image/RasterImage.cpp:1278:10
    #11 0x7fc95c1c3d92 in mozilla::image::RasterImage::LookupFrame(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::image::PlaybackType) /image/RasterImage.cpp:374:20
    #12 0x7fc95c1cc554 in mozilla::image::RasterImage::Draw(gfxContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::image::ImageRegion const&, unsigned int, mozilla::gfx::SamplingFilter, mozilla::Maybe<mozilla::SVGImageContext> const&, unsigned int, float) /image/RasterImage.cpp:1464:5
    #13 0x7fc9609e98bb in DrawImageInternal(gfxContext&, nsPresContext*, imgIContainer*, mozilla::gfx::SamplingFilter, nsRect const&, nsRect const&, nsPoint const&, nsRect const&, mozilla::Maybe<mozilla::SVGImageContext> const&, unsigned int, mozilla::gfx::ExtendMode, float) /layout/base/nsLayoutUtils.cpp:6976:22
    #14 0x7fc9609ea061 in nsLayoutUtils::DrawSingleImage(gfxContext&, nsPresContext*, imgIContainer*, mozilla::gfx::SamplingFilter, nsRect const&, nsRect const&, mozilla::Maybe<mozilla::SVGImageContext> const&, unsigned int, nsPoint const*, nsRect const*) /layout/base/nsLayoutUtils.cpp:7071:10
    #15 0x7fc960f291f0 in nsImageBoxFrame::PaintImage(gfxContext&, nsRect const&, nsPoint, unsigned int) /layout/xul/nsImageBoxFrame.cpp:416:10
    #16 0x7fc960f29c4f in nsDisplayXULImage::Paint(nsDisplayListBuilder*, gfxContext*) /layout/xul/nsImageBoxFrame.cpp:544:5
    #17 0x7fc9610f5e78 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /layout/painting/FrameLayerBuilder.cpp:6029:21
    #18 0x7fc9610f6f07 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /layout/painting/FrameLayerBuilder.cpp:6190:19
    #19 0x7fc95bc61fb4 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /gfx/layers/client/ClientPaintedLayer.cpp:158:5
    #20 0x7fc95bc63a62 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /gfx/layers/client/ClientPaintedLayer.cpp:314:3
    #21 0x7fc95bcab020 in mozilla::layers::ClientContainerLayer::RenderLayer() /gfx/layers/client/ClientContainerLayer.h:58:29
    #22 0x7fc95bc5ce03 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /gfx/layers/client/ClientLayerManager.cpp:359:13
    #23 0x7fc95bc5d6df in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /gfx/layers/client/ClientLayerManager.cpp:423:3
    #24 0x7fc96115db19 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /layout/painting/nsDisplayList.cpp:2632:17
    #25 0x7fc9609d9ad1 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /layout/base/nsLayoutUtils.cpp:3976:12
    #26 0x7fc9608f459a in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /layout/base/PresShell.cpp:6476:5
    #27 0x7fc96017d87b in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /view/nsViewManager.cpp:480:19
    #28 0x7fc96017cf5d in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /view/nsViewManager.cpp:412:33
    #29 0x7fc96017f3eb in nsViewManager::ProcessPendingUpdates() /view/nsViewManager.cpp:1102:5
    #30 0x7fc96086e1fc in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:2046:11
    #31 0x7fc960879167 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:306:7
    #32 0x7fc960878e7c in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:328:5
    #33 0x7fc96087d937 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:769:5
    #34 0x7fc96087c2e0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:682:35
    #35 0x7fc960877238 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /layout/base/nsRefreshDriver.cpp:528:20
    #36 0x7fc958b7a431 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1040:14
    #37 0x7fc958bb5cfa in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:517:10
    #38 0x7fc959f04131 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21
    #39 0x7fc959d64fe0 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3
    #40 0x7fc960215005 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:157:27
    #41 0x7fc9661137b7 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30
    #42 0x7fc9662eac38 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4707:22
    #43 0x7fc9662ecaef in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4842:8
    #44 0x7fc9662ed961 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4934:21
    #45 0x51855e in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22
    #46 0x517d44 in main /browser/app/nsBrowserApp.cpp:304:16
    #47 0x7fc99106f1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #48 0x4207a9 in _start (/objdir-ff-ubsan/dist/bin/firefox+0x4207a9)

Comment 1

[Sotaro Ikeda [:sotaro]]

:aosmond, can you comment to the bug?

Comment 2

[Timothy Nikkel (:tnikkel)]

Attachment: gifint64

Comment 3

[Pulsebot]

Pushed by tnikkel@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3509bf5962d1
Do multiplication in nsGIFDecoder2::FinishImageDescriptor as int64_t to avoid overflow. r=aosmond

Comment 4

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/3509bf5962d1