Open Bug 1443915 Opened 7 years ago Updated 2 years ago

UBSan: addition of unsigned offset overflowed in mozilla-central/dom/canvas/WebGLTexelConversions.cpp:218

Categories

(Core :: Graphics: CanvasWebGL, defect, P3)


Tracking Status
firefox60 --- affected
firefox61 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, Whiteboard: gfx-noted)

Found with mozilla-central changeset: 406904:493e45400842
Built with -fsanitize=pointer-overflow
Triggered when using Google Street View.

mozilla-central/dom/canvas/WebGLTexelConversions.cpp:218:25: runtime error: addition of unsigned offset to 0x00001dbc76c0 overflowed to 0x00001dbc74c0
    #0 0x7f39d183f65f in run<mozilla::WebGLTexelFormat::BGRX8, mozilla::WebGLTexelFormat::RGB565, mozilla::WebGLTexelPremultiplicationOp::None> mozilla-central/dom/canvas/WebGLTexelConversions.cpp:218:25
    #1 0x7f39d183f65f in run<mozilla::WebGLTexelFormat::BGRX8, mozilla::WebGLTexelFormat::RGB565> mozilla-central/dom/canvas/WebGLTexelConversions.cpp:233
    #2 0x7f39d183f65f in void mozilla::(anonymous namespace)::WebGLImageConverter::run<(mozilla::WebGLTexelFormat)26>(mozilla::WebGLTexelFormat, mozilla::WebGLTexelPremultiplicationOp) mozilla-central/dom/canvas/WebGLTexelConversions.cpp:267
    #3 0x7f39d17d578b in mozilla::ConvertImage(unsigned long, unsigned long, void const*, unsigned long, mozilla::gl::OriginPos, mozilla::WebGLTexelFormat, bool, void*, unsigned long, mozilla::gl::OriginPos, mozilla::WebGLTexelFormat, bool, bool*) mozilla-central/dom/canvas/WebGLTexelConversions.cpp:422:15
    #4 0x7f39d171afaa in mozilla::webgl::TexUnpackBlob::ConvertIfNeeded(mozilla::WebGLContext*, char const*, unsigned int, unsigned int, mozilla::WebGLTexelFormat, unsigned char const*, long, mozilla::WebGLTexelFormat, long, unsigned char const**, mozilla::UniqueBuffer*) const mozilla-central/dom/canvas/TexUnpackBlob.cpp:384:10
    #5 0x7f39d171e50c in mozilla::webgl::TexUnpackSurface::TexOrSubImage(bool, bool, char const*, mozilla::WebGLTexture*, StrongGLenum<TexImageTargetDetails>, int, mozilla::webgl::DriverUnpackInfo const*, int, int, int, mozilla::webgl::PackingInfo const&, unsigned int*) const mozilla-central/dom/canvas/TexUnpackBlob.cpp:882:10
    #6 0x7f39d17ea51c in mozilla::WebGLTexture::TexImage(char const*, StrongGLenum<TexImageTargetDetails>, int, unsigned int, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlob const*) mozilla-central/dom/canvas/WebGLTextureUpload.cpp:1286:16
    #7 0x7f39d17e9d06 in mozilla::WebGLTexture::TexImage(char const*, StrongGLenum<TexImageTargetDetails>, int, unsigned int, int, int, int, int, mozilla::webgl::PackingInfo const&, mozilla::TexImageSource const&) mozilla-central/dom/canvas/WebGLTextureUpload.cpp:474:5
    #8 0x7f39d178e199 in mozilla::WebGLContext::TexImage(char const*, unsigned char, unsigned int, int, unsigned int, int, int, int, int, unsigned int, unsigned int, mozilla::TexImageSource const&) mozilla-central/dom/canvas/WebGLContextTextures.cpp:391:10
    #9 0x7f39d1329e97 in TexImage2D mozilla-central/dom/canvas/WebGLContext.h:1212:9
    #10 0x7f39d1329e97 in void mozilla::WebGLContext::TexImage2D<mozilla::dom::HTMLImageElement>(unsigned int, int, unsigned int, int, int, int, unsigned int, unsigned int, mozilla::dom::HTMLImageElement const&, mozilla::ErrorResult&) mozilla-central/dom/canvas/WebGLContext.h:1190
    #11 0x7f39d12c0e26 in TexImage2D<mozilla::dom::HTMLImageElement> mozilla-central/dom/canvas/WebGLContext.h:1167:9
    #12 0x7f39d12c0e26 in mozilla::dom::WebGLRenderingContextBinding::texImage2D(JSContext*, JS::Handle<JSObject*>, mozilla::WebGLContext*, JSJitMethodCallArgs const&) mozilla-central/objdir-ff-ubsan/dom/bindings/WebGLRenderingContextBinding.cpp:13620
    #13 0x7f39d1670b4b in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) mozilla-central/dom/bindings/BindingUtils.cpp:3031:13
    #14 0x7f39d609934c in CallJSNative mozilla-central/js/src/vm/JSContext-inl.h:290:15
    #15 0x7f39d609934c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:467
    #16 0x7f39d6099a79 in InternalCall(JSContext*, js::AnyInvokeArgs const&) mozilla-central/js/src/vm/Interpreter.cpp:516:12
    #17 0x7f39d6093095 in CallFromStack mozilla-central/js/src/vm/Interpreter.cpp:522:12
    #18 0x7f39d6093095 in Interpret(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:3085
    #19 0x7f39d607d136 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:417:12
    #20 0x7f39d6099419 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:489:15
    #21 0x7f39d6099a79 in InternalCall(JSContext*, js::AnyInvokeArgs const&) mozilla-central/js/src/vm/Interpreter.cpp:516:12
    #22 0x7f39d61b65f3 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2379:14
    #23 0x2b4857712185 (<unknown module>)
Flags: needinfo?(jgilbert)
Yeah, I saw this a while back. "It works", but that's not super reassuring. Basically it's doing addition with effectively-negative strides for y-flip.
Severity: normal → minor
Flags: needinfo?(jgilbert)
Priority: -- → P3
Whiteboard: gfx-noted
Severity: minor → S4
Blocks: ubsan
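The y-flip pattern jgilbert describes, as an added example that is not Mozilla's code (the image layout, buffer sizes and function names are constructed): the first function carries the stride as size_t, so stepping backwards through the destination relies on the address wrapping, which is exactly what -fsanitize=pointer-overflow reports; the second keeps the stride signed and range-checks each row offset as an integer before forming the pointer, so a row that would fall outside the buffer is rejected instead of written.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Pattern the sanitizer reports: the stride is carried as size_t, so a stride
 * that is negative in effect is SIZE_MAX - rowBytes + 1, and dstLastRow + y *
 * dstStride only reaches an earlier row because the address wraps (UB). */
void flip_unsigned_stride(const uint8_t *src, uint8_t *dstLastRow,
                          size_t rowBytes, size_t rows)
{
    size_t dstStride = (size_t)-(ptrdiff_t)rowBytes;  /* wraps to a huge value */
    for (size_t y = 0; y < rows; y++)
        memcpy(dstLastRow + y * dstStride, src + y * rowBytes, rowBytes);
}
/* Defined form: signed stride, and the row offset is range-checked as an
 * integer before the pointer is formed. Returns NULL if the row would fall
 * outside [base, base + size). Assumes the products fit in ptrdiff_t. */
uint8_t *row_ptr(uint8_t *base, size_t size, size_t firstRowOffset,
                 ptrdiff_t stride, size_t y, size_t rowBytes)
{
    ptrdiff_t off = (ptrdiff_t)firstRowOffset + (ptrdiff_t)y * stride;
    if (off < 0 || (size_t)off > size || size - (size_t)off < rowBytes)
        return NULL;
    return base + off;
}

/* y-flip copy with a signed negative stride: 0 on success, -1 if any row
 * would land outside dst instead of silently writing out of bounds. */
int flip_signed_stride(const uint8_t *src, uint8_t *dst, size_t dstSize,
                       size_t rowBytes, size_t rows)
{
    if (rows == 0) return 0;
    size_t lastRow = (rows - 1) * rowBytes;
    for (size_t y = 0; y < rows; y++) {
        uint8_t *row = row_ptr(dst, dstSize, lastRow, -(ptrdiff_t)rowBytes, y, rowBytes);
        if (!row) return -1;
        memcpy(row, src + y * rowBytes, rowBytes);
    }
    return 0;
}
/* Constructed 4-row x 3-byte image, row i filled with i+1. Returns 1 when
 * the flip yields rows 4,3,2,1 and a 9-byte destination is rejected. */
int flip_demo(void)
{
    const uint8_t src[12] = {1,1,1, 2,2,2, 3,3,3, 4,4,4};
    uint8_t dst[12] = {0};
    if (flip_signed_stride(src, dst, sizeof dst, 3, 4) != 0) return 0;
    if (dst[0] != 4 || dst[3] != 3 || dst[6] != 2 || dst[9] != 1) return 0;
    return flip_signed_stride(src, dst, 9, 3, 4) == -1;
}
```

Building the first function with clang's -fsanitize=pointer-overflow produces the same "addition of unsigned offset ... overflowed" report as the bug; the second is silent under the sanitizer because no pointer is ever formed outside the destination.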