Closed Bug 1724460 Opened 3 years ago Closed 3 years ago

runtime error: load of value 108, which is not a valid value for type 'qcms_TransferCharacteristics'

Categories

(Core :: Graphics: ImageLib, defect)

defect

Tracking

()

RESOLVED FIXED
93 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox91 --- unaffected
firefox92 --- fixed
firefox93 --- fixed

People

(Reporter: tsmith, Assigned: jbauman)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

Attached image testcase.avif

Found while fuzzing m-c 20210806-b19fdf435550 (--enable-address-sanitizer --enable-undefined-behavior-sanitizer --enable-fuzzing)

src/image/decoders/nsAVIFDecoder.cpp:919:53: runtime error: load of value 108, which is not a valid value for type 'qcms_TransferCharacteristics'
    #0 0x7fb7e682e7a5 in mozilla::image::Dav1dDecoder::Dav1dPictureToDecodedData(NclxColourInformation const*, Dav1dPicture*, Dav1dPicture*, bool) src/image/decoders/nsAVIFDecoder.cpp:919:53
    #1 0x7fb7e688d7be in mozilla::image::Dav1dDecoder::Decode(bool, Mp4parseAvifImage const&) src/image/decoders/nsAVIFDecoder.cpp:485:26
    #2 0x7fb7e68322e6 in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1171:16
    #3 0x7fb7e6830b71 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1050:25
    #4 0x7fb7e67197c7 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:177:19
    #5 0x7fb7e673a5fa in mozilla::image::AnonymousDecodingTask::Run() src/image/IDecodingTask.cpp:188:36
    #6 0x7fb7e675627f in mozilla::image::ImageOps::DecodeToSurface(mozilla::image::ImageOps::ImageBuffer*, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:229:9
    #7 0x7fb7e6755bf7 in mozilla::image::ImageOps::DecodeToSurface(already_AddRefed<nsIInputStream>, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:201:10
    #8 0x7fb7e2b393fe in DecodeToSurfaceRunnableFuzzing::Go() src/image/test/fuzzing/TestDecoders.cpp:54:16
    #9 0x7fb7e2b39158 in DecodeToSurfaceRunnableFuzzing::Run() src/image/test/fuzzing/TestDecoders.cpp:49:5
    #10 0x7fb7e38b818c in nsThreadSyncDispatch::Run() src/xpcom/threads/nsThreadSyncDispatch.h:35:51
    #11 0x7fb7e389e75b in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1142:16
    #12 0x7fb7e38a8bfc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:466:10
    #13 0x7fb7e4ab4475 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
    #14 0x7fb7e49a4361 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
    #15 0x7fb7e49a4361 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
    #16 0x7fb7e49a4361 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
    #17 0x7fb7e3898208 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:390:10
    #18 0x7fb80135c3fe in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7fb804c83608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
    #20 0x7fb80484c292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
Flags: in-testsuite?
Flags: needinfo?(jbauman)

Guessing this is caused by bug 1634741.

Regressed by: 1634741
Has Regression Range: --- → yes
Depends on: 1725056

Both this and bug 1724463 are essentially the same issue, and will be addressed in qcms: avoid undefined behavior when handling CICP values

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jbauman)
Resolution: --- → FIXED
Assignee: nobody → jbauman
Target Milestone: --- → 93 Branch
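The sanitizer finding above is the classic "raw byte cast straight to an enum" defect: the CICP transfer_characteristics code read from the AVIF colour information is converted to the enum type without checking that the enum actually defines it, so a fuzzed value like 108 becomes an enum object holding a value outside the enumeration's range, and every later load of it is undefined behaviour (which -fsanitize=enum reports). The following is an added C++ example, not code from this bug, from Firefox or from qcms: the enum name, its enumerators and the sample codes are assumptions, modelled on a subset of the ITU-T H.273 transfer characteristics codes, and it shows the unchecked pattern beside a validating conversion that rejects unknown codes before they ever become an enum value.

```cpp
// Added example, not Firefox or qcms code. The enum, the helper names and
// the sample codes are hypothetical, modelled on a subset of the CICP
// transfer_characteristics codes of ITU-T H.273.
#include <cstdint>
#include <vector>

// Hypothetical unscoped enum with no fixed underlying type, like a C-style
// enum exposed through a header. Its largest enumerator is 18, so in C++ the
// enum's range of values is 0..31; a value such as 108 lies outside it.
enum TransferCharacteristics {
  TC_BT709 = 1,
  TC_UNSPECIFIED = 2,
  TC_SRGB = 13,   // IEC 61966-2-1
  TC_PQ = 16,     // SMPTE ST 2084
  TC_HLG = 18,    // ARIB STD-B67
};

// The pattern UBSan reports: the byte read from the container is cast
// straight to the enum. For a code such as 108 (the value in the report)
// the object holds a value the enum cannot represent, and later loads of
// it are undefined behaviour (flagged by -fsanitize=enum). Shown only for
// contrast; nothing below calls it.
TransferCharacteristics UncheckedConvert(uint8_t raw) {
  return static_cast<TransferCharacteristics>(raw);
}

// Hardened form: the raw code is compared against the enumerators that
// exist before it becomes an enum value. Unknown or reserved codes are
// reported to the caller instead of being cast blindly.
bool CheckedConvert(uint8_t raw, TransferCharacteristics* out) {
  switch (raw) {
    case TC_BT709:
    case TC_UNSPECIFIED:
    case TC_SRGB:
    case TC_PQ:
    case TC_HLG:
      *out = static_cast<TransferCharacteristics>(raw);
      return true;
    default:
      return false;  // e.g. 108 from the fuzzed testcase
  }
}

// Convenience wrapper: does the enum define this code at all?
bool IsValidTransferCode(uint8_t raw) {
  TransferCharacteristics tc;
  return CheckedConvert(raw, &tc);
}

// Tally of one decode run over a list of colour-information codes.
struct ConversionStats {
  int accepted = 0;
  int rejected = 0;
};

// Runs the checked conversion over a sequence of CICP transfer codes, the
// way a decoder would for each image's colour information.
ConversionStats ConvertAll(const std::vector<uint8_t>& codes) {
  ConversionStats stats;
  for (uint8_t code : codes) {
    TransferCharacteristics tc;
    if (CheckedConvert(code, &tc)) {
      ++stats.accepted;
    } else {
      ++stats.rejected;
    }
  }
  return stats;
}

// Constructed input: four codes the enum defines, the invalid code 108 from
// the report, and code 3, which the hypothetical enum does not define.
const std::vector<uint8_t> kSampleCodes = {1, 13, 16, 18, 108, 3};

int main() {
  ConversionStats s = ConvertAll(kSampleCodes);
  return (s.accepted == 4 && s.rejected == 2) ? 0 : 1;
}
```

The point of the switch over named enumerators is that adding a new enumerator forces the validation to be updated in the same place, whereas a numeric range check (for example `raw <= 18`) would silently accept reserved codes inside the range. Whatever a decoder then does with a rejected code (fail the decode or fall back to a documented default) is a separate policy decision; the sanitizer-relevant fix is only that the unchecked cast never happens.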