1566515 - signed integer overflow in [@ lut_interp_linear16]

Status: RESOLVED DUPLICATE of bug 1473570

(Core :: Graphics: Color Management, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: clusterfuzz-testcase-minimized-fuzz-6260624383279104

This issue was found in oss-fuzz and is also publicly visible here: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9246

transform_util.c:31:32: runtime error: signed integer overflow: 61439 * 36895 cannot be represented in type 'int'
    #0 0x4dc779 in lut_interp_linear16 mozilla-central/gfx/qcms/transform_util.c:31:32
    #1 0x4dd230 in lut_inverse_interp16 mozilla-central/gfx/qcms/transform_util.c:290:15
    #2 0x4dda6b in invert_lut mozilla-central/gfx/qcms/transform_util.c:361:29
    #3 0x4dd935 in compute_precache mozilla-central/gfx/qcms/transform_util.c:434:36
    #4 0x4d6fe7 in qcms_profile_precache_output_transform mozilla-central/gfx/qcms/transform.cpp:1065:6
    #5 0x4de086 in transform(_qcms_profile*, _qcms_profile*, unsigned long) mozilla-central/gfx/qcms/fuzztest/qcms_fuzzer.cpp:43:5
    #6 0x4ddf51 in LLVMFuzzerTestOneInput mozilla-central/gfx/qcms/fuzztest/qcms_fuzzer.cpp:95:3
    #7 0x45c501 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:553:15
    #8 0x446e41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #9 0x44c9ce in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
    #10 0x475f72 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #11 0x7f8837a8482f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
    #12 0x406b78 in _start

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Is this a dupe of bug 1473570? Both are linked from the same upstream oss-fuzz issue.

Comment 2

[Tyson Smith [:tsmith]]

Yes it is, thanks.