Closed Bug 1603271 Opened 6 years ago Closed 2 months ago

addition of unsigned offset overflowed in media/ffvpx/libavcodec/videodsp_template.c:47

Categories

(Core :: Audio/Video: Playback, defect, P3)

Tracking

RESOLVED FIXED
151 Branch
Tracking Status
firefox73 --- wontfix
firefox151 --- fixed

People

(Reporter: tsmith, Assigned: padenot)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

Attachments

(1 file)

Found with m-c:
BuildID=20191211174245
SourceStamp=b823b005f00e2b9ea65145289bea41db07ad8a2e

I don't have a test case at this time.

src/media/ffvpx/libavcodec/videodsp_template.c:47:14: runtime error: addition of unsigned offset to 0x7f200ab6d400 overflowed to 0x7f200ab6d3fe
    #0 0x7f2020e2b264 in ff_emulated_edge_mc_16 src/media/ffvpx/libavcodec/videodsp_template.c
    #1 0x7f20210838db in mc_luma_unscaled src/media/ffvpx/libavcodec/vp9recon.c:323:9
    #2 0x7f20210838db in inter_pred_16bpp src/media/ffvpx/libavcodec/vp9_mc_template.c:413:9
    #3 0x7f202101afb9 in inter_recon src/media/ffvpx/libavcodec/vp9recon.c:585:13
    #4 0x7f202101afb9 in ff_vp9_inter_recon_16bpp src/media/ffvpx/libavcodec/vp9recon.c:643:5
    #5 0x7f2020eaf3de in ff_vp9_decode_block src/media/ffvpx/libavcodec/vp9block.c:1387:13
    #6 0x7f2020eab143 in decode_sb src/media/ffvpx/libavcodec/vp9.c:1074:17
    #7 0x7f2020eab2c1 in decode_sb src/media/ffvpx/libavcodec/vp9.c
    #8 0x7f2020eab3f7 in decode_sb src/media/ffvpx/libavcodec/vp9.c:1090:17
    #9 0x7f2020e91201 in decode_tiles src/media/ffvpx/libavcodec/vp9.c:1309:25
    #10 0x7f2020e91201 in vp9_decode_frame src/media/ffvpx/libavcodec/vp9.c:1646:19
    #11 0x7f2020e1d4d7 in frame_worker_thread src/media/ffvpx/libavcodec/pthread_frame.c:201:21
    #12 0x7f20cb563668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
    #13 0x7f20cb121322 in clone /build/glibc-4WA41p/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
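
The arithmetic behind the sanitizer message above, as an added illustration (not the ffvpx source and not the patch that landed; all function names are hypothetical). It assumes 2-byte pixels and a step of -1 pixel, one combination that reproduces the two addresses in the report on a 64-bit target, and contrasts the unsigned offset with a signed one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t pixel;  /* assumption: 2-byte samples, as the _16 suffix in the trace suggests */

/* An int multiplied by sizeof(...) is evaluated in size_t (the cast below is
 * what the implicit conversion does), so a negative count becomes a huge
 * unsigned byte offset. Only the number is returned; no pointer is formed. */
static size_t unsigned_byte_offset(int count)
{
    return (size_t)count * sizeof(pixel);
}

/* The same offset kept signed: "step back one pixel" stays a small negative value. */
static ptrdiff_t signed_byte_offset(int count)
{
    return (ptrdiff_t)count * (ptrdiff_t)sizeof(pixel);
}

/* Integer model of the reported condition: adding an unsigned offset
 * must not produce an address below the base. Returns 1 if it does. */
static int unsigned_add_wraps(uint64_t base, size_t off, uint64_t *result)
{
    *result = base + (uint64_t)off;
    return *result < base;
}

/* Pointer step using the signed offset; the caller must keep the
 * result inside the same buffer. */
static const uint8_t *step_pixels(const uint8_t *p, int count)
{
    return p + signed_byte_offset(count);
}

int main(void)
{
    uint64_t res;
    /* Base address taken from the sanitizer message; count -1 is constructed. */
    int wrapped = unsigned_add_wraps(UINT64_C(0x7f200ab6d400),
                                     unsigned_byte_offset(-1), &res);
    printf("unsigned: wrapped=%d result=0x%llx\n", wrapped, (unsigned long long)res);

    uint8_t buf[8] = {0};  /* constructed buffer */
    printf("signed step: %td bytes\n", step_pixels(buf + 4, -1) - (buf + 4));
    return 0;
}
```

Both forms land on the same address on typical hardware; the difference is that the signed form expresses a backward step the sanitizer accepts, while the unsigned form relies on wraparound.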
Priority: -- → P3
Severity: normal → S3
Assignee: nobody → padenot
Status: NEW → ASSIGNED
Pushed by padenot@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/d1683397da8e https://hg.mozilla.org/integration/autoland/rev/435043ea968a Avoid UBSan pointer-overflow in videodsp_template.c. r=media-playback-reviewers,alwu
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 151 Branch
QA Whiteboard: [qa-triage-done-c152/b151]