Open Bug 1583402 Opened 5 years ago Updated 2 years ago

invalid shift in media/libvorbis/lib/vorbis_sharedbook.c:417

Categories

(Core :: Audio/Video: Playback, defect, P2)

Tracking

Tracking Status
firefox69 --- wontfix
firefox70 --- affected
firefox71 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

Attached video testcase.ogg

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="shift"
ac_add_options --disable-jemalloc

media/libvorbis/lib/vorbis_sharedbook.c:417:30: runtime error: left shift of 16 by 27 places cannot be represented in type 'int'
    #0 0x7f3dd7d18620 in vorbis_book_init_decode media/libvorbis/lib/vorbis_sharedbook.c
    #1 0x7f3dd7cec596 in _vds_shared_init media/libvorbis/lib/vorbis_block.c:240:12
    #2 0x7f3dd7cf4a73 in vorbis_synthesis_init media/libvorbis/lib/vorbis_block.c:709:6
    #3 0x7f3dd5c7d642 in mozilla::VorbisState::Init() dom/media/ogg/OggCodecState.cpp:639:13
    #4 0x7f3dd5c8a33e in mozilla::OggDemuxer::ReadHeaders(mozilla::TrackInfo::TrackType, mozilla::OggCodecState*) dom/media/ogg/OggDemuxer.cpp:288:18
    #5 0x7f3dd5c89342 in mozilla::OggDemuxer::ReadMetadata() dom/media/ogg/OggDemuxer.cpp:468:18
    #6 0x7f3dd5c88ca6 in mozilla::OggDemuxer::Init() dom/media/ogg/OggDemuxer.cpp:173:7
    #7 0x7f3dd57abc23 in mozilla::MediaFormatReader::DemuxerProxy::Init()::$_13::operator()() const dom/media/MediaFormatReader.cpp:722:47
    #8 0x7f3dd57ab7e4 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_13, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:1440:29
    #9 0x7f3dcf74ba15 in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:199:12
    #10 0x7f3dcf783d46 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:246:14
    #11 0x7f3dcf78439c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp
    #12 0x7f3dcf77c61d in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1225:14
    #13 0x7f3dcf780f46 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #14 0x7f3dd090f113 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:303:20
    #15 0x7f3dd07a3f24 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #16 0x7f3dcf77772d in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:458:11
    #17 0x7f3df6422dd8 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:198:5
    #18 0x7f3df60776da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #19 0x7f3df505588e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Priority: -- → P2
Severity: normal → S3
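
Added example, not code from this bug or from libvorbis: the operation in the UBSan message, 16 << 27, equals 2^31, one more than INT_MAX for a 32-bit int, so the signed shift is undefined behaviour in C. The helper names below are hypothetical and a 32-bit int is assumed; the block shows the representability condition the "shift" check reports on, next to an unsigned shift that is well defined.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: returns 1 when (value << places) is defined
 * behaviour for type int, 0 when a shift sanitizer would report it. */
int shift_is_defined(int value, int places)
{
    if (places < 0 || places >= (int)(sizeof(int) * CHAR_BIT))
        return 0;                 /* shift count out of range */
    if (value < 0)
        return 0;                 /* negative left operand */
    /* The result fits only if no set bit is pushed into or past the
     * sign bit; INT_MAX >> places is the largest value that fits. */
    return value <= (INT_MAX >> places);
}

/* Hypothetical hardened form: shift in an unsigned 32-bit type, where
 * the result is reduced modulo 2^32 instead of being undefined. */
uint32_t shift_u32(uint32_t value, unsigned places)
{
    return places < 32 ? value << places : 0;
}

int main(void)
{
    /* Operands taken from the runtime error line in the report. */
    int value = 16, places = 27;

    printf("%d << %d defined for int: %s\n", value, places,
           shift_is_defined(value, places) ? "yes" : "no");
    printf("%d << %d defined for int: %s\n", value, places - 1,
           shift_is_defined(value, places - 1) ? "yes" : "no");
    printf("as uint32_t: 0x%08x\n",
           (unsigned)shift_u32((uint32_t)value, (unsigned)places));
    return 0;
}
```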