UBSan: signed integer overflow in [@ mozilla::BitReader::ReadUE]

RESOLVED FIXED in Firefox 67

Status: RESOLVED FIXED
Type: defect
Reported: 3 months ago
Modified: 3 months ago

People: Reporter: tsmith, Assigned: jya

Tracking: Blocks 2 bugs; Keywords: csectype-undefined, testcase
Version: unspecified
Target Milestone: mozilla67

Firefox Tracking Flags: firefox67 fixed

Attachments: 2 attachments

Reporter

Description

3 months ago
Posted video testcase.mp4

Found in m-c commit 78601cacfe69

This was built with undefined behavior sanitizer checks enabled via mozconfig:
ac_add_options --enable-undefined-sanitizer="signed-integer-overflow"

src/dom/media/BitReader.cpp:70:17: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
    #0 0x7f57dac49a7b in mozilla::BitReader::ReadUE() src/dom/media/BitReader.cpp:70:17
    #1 0x7f57db231b5b in mozilla::H264::vui_parameters(mozilla::BitReader&, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:681:5
    #2 0x7f57db2305c4 in mozilla::H264::DecodeSPS(mozilla::MediaByteBuffer const*, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:445:10
    #3 0x7f57db23221d in mozilla::H264::DecodeSPSFromExtraData(mozilla::MediaByteBuffer const*, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:701:16
    #4 0x7f57db4ab270 in mozilla::AccumulateSPSTelemetry(mozilla::MediaByteBuffer const*) src/dom/media/mp4/MP4Demuxer.cpp:83:7
    #5 0x7f57db4b2a18 in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mozilla::IndiceWrapper const&) src/dom/media/mp4/MP4Demuxer.cpp:359:28
    #6 0x7f57db4ad220 in mozilla::MP4Demuxer::Init() src/dom/media/mp4/MP4Demuxer.cpp:261:45
    #7 0x7f57dadf8bb3 in operator() src/dom/media/MediaFormatReader.cpp:898:47
    #8 0x7f57dadf8bb3 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_9, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:1419
    #9 0x7f57d578e450 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:199:12
    #10 0x7f57d57bdfc3 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:241:14
    #11 0x7f57d57be33c in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #12 0x7f57d57b5fd1 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1166:14
    #13 0x7f57d57ba9fd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
    #14 0x7f57d68b8a5a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #15 0x7f57d677f650 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #16 0x7f57d677f650 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #17 0x7f57d57b0902 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:453:11
    #18 0x7f57fba3e592 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7f57fb6be6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #20 0x7f57fa69c88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Assignee

Comment 1

3 months ago

In C++14, this operation is fully defined and the warning is incorrect.

Comment 2

3 months ago
Pushed by jyavenard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/df1b1891f2f8
Force unsigned operation. r=gerald
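The shape of the bug and of the "force unsigned" fix, as an added example that is not the Mozilla code from the changeset above: a minimal Exp-Golomb ue(v) reader whose shape is assumed from the trace (leading-zero count, marker bit, suffix bits), with the `(1 << i) - 1` term kept in unsigned arithmetic so that i == 31 cannot produce INT_MIN - 1, and with 32 leading zeros or a truncated suffix rejected instead of decoded. The byte buffers are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal MSB-first bit reader. Like Mozilla's reader, reading past the end
// yields zero bits rather than faulting, so truncation looks like a run of zeros.
class BitReader {
 public:
  BitReader(const uint8_t* data, size_t size) : mData(data), mBits(size * 8) {}
  uint32_t ReadBit() {
    if (mPos >= mBits) { mOverrun = true; return 0; }
    size_t p = mPos++;
    return (mData[p / 8] >> (7 - p % 8)) & 1;
  }
  uint32_t ReadBits(uint32_t n) {  // n <= 32, assembled in unsigned arithmetic
    uint32_t v = 0;
    for (uint32_t k = 0; k < n; k++) v = (v << 1) | ReadBit();
    return v;
  }
  // ue(v): i leading zeros, a marker 1, then i suffix bits; value = 2^i - 1 + suffix.
  // 1u keeps shift and subtraction unsigned; with int, i == 31 gives (1 << 31) - 1,
  // i.e. INT_MIN - 1, the overflow UBSan reported. 32 zeros is never a valid code.
  bool ReadUE(uint32_t& out) {
    uint32_t i = 0;
    while (i < 32 && ReadBit() == 0) i++;
    if (i == 32) return false;
    uint32_t suffix = ReadBits(i);
    if (mOverrun) return false;  // suffix ran off the end of the buffer
    out = ((1u << i) - 1u) + suffix;
    return true;
  }
 private:
  const uint8_t* mData; size_t mBits;
  size_t mPos = 0; bool mOverrun = false;
};

// Constructed sample: ue(v) codes for 0, 1, 2, 3, 8, then zero padding.
static const uint8_t kSample[] = {0xA6, 0x41, 0x20};
// Constructed worst case: 31 leading zeros, marker, 31 one bits -> 2^32 - 2.
static const uint8_t kMaxCode[] = {0, 0, 0, 0x01, 0xFF, 0xFF, 0xFF, 0xFE};

// Decodes up to `count` codes, stopping at the first malformed one.
std::vector<uint32_t> DecodeUEs(const uint8_t* data, size_t size, size_t count) {
  BitReader r(data, size);
  std::vector<uint32_t> out;
  uint32_t v;
  for (size_t k = 0; k < count && r.ReadUE(v); k++) out.push_back(v);
  return out;
}
```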

Comment 3

3 months ago
bugherder
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Assignee: nobody → jyavenard