Closed
Bug 1724463
Opened 3 years ago
Closed 3 years ago
runtime error: load of value 252, which is not a valid value for type 'const qcms_MatrixCoefficients'
Categories
(Core :: Graphics: ImageLib, defect)
Core
Graphics: ImageLib
Tracking
()
RESOLVED
FIXED
93 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox91 | --- | unaffected |
| firefox92 | --- | fixed |
| firefox93 | --- | fixed |
People
(Reporter: tsmith, Assigned: jbauman)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase)
Attachments
(1 file)
|
7.90 KB,
image/avif
|
Details |
testcase.avif
Found while fuzzing m-c 20210806-b19fdf435550 (--enable-address-sanitizer --enable-undefined-behavior-sanitizer --enable-fuzzing)
src/gfx/thebes/gfxUtils.cpp:1199:11: runtime error: load of value 252, which is not a valid value for type 'const qcms_MatrixCoefficients'
#0 0x7f8d2ec3a66b in gfxUtils::CicpToColorSpace(qcms_MatrixCoefficients, qcms_ColourPrimaries, mozilla::LazyLogModule&) src/gfx/thebes/gfxUtils.cpp:1199:11
#1 0x7f8d322220bd in mozilla::DAV1DDecoder::GetColorSpace(Dav1dPicture const&, mozilla::LazyLogModule&) src/dom/media/platforms/agnostic/DAV1DDecoder.cpp:199:10
#2 0x7f8d2ee7beab in operator() src/image/decoders/nsAVIFDecoder.cpp:903:12
#3 0x7f8d2ee7beab in valueOrFrom<(lambda at src/image/decoders/nsAVIFDecoder.cpp:899:50) &> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:498:12
#4 0x7f8d2ee7beab in GetAVIFColorSpace<(lambda at src/image/decoders/nsAVIFDecoder.cpp:899:50)> src/image/decoders/nsAVIFDecoder.cpp:302:8
#5 0x7f8d2ee7beab in mozilla::image::Dav1dDecoder::Dav1dPictureToDecodedData(NclxColourInformation const*, Dav1dPicture*, Dav1dPicture*, bool) src/image/decoders/nsAVIFDecoder.cpp:899:25
#6 0x7f8d2eedb7be in mozilla::image::Dav1dDecoder::Decode(bool, Mp4parseAvifImage const&) src/image/decoders/nsAVIFDecoder.cpp:485:26
#7 0x7f8d2ee802e6 in mozilla::image::nsAVIFDecoder::Decode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1171:16
#8 0x7f8d2ee7eb71 in mozilla::image::nsAVIFDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsAVIFDecoder.cpp:1050:25
#9 0x7f8d2ed677c7 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:177:19
#10 0x7f8d2ed885fa in mozilla::image::AnonymousDecodingTask::Run() src/image/IDecodingTask.cpp:188:36
#11 0x7f8d2eda427f in mozilla::image::ImageOps::DecodeToSurface(mozilla::image::ImageOps::ImageBuffer*, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:229:9
#12 0x7f8d2eda3bf7 in mozilla::image::ImageOps::DecodeToSurface(already_AddRefed<nsIInputStream>, nsTSubstring<char> const&, unsigned int, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&) src/image/ImageOps.cpp:201:10
#13 0x7f8d2b1873fe in DecodeToSurfaceRunnableFuzzing::Go() src/image/test/fuzzing/TestDecoders.cpp:54:16
#14 0x7f8d2b187158 in DecodeToSurfaceRunnableFuzzing::Run() src/image/test/fuzzing/TestDecoders.cpp:49:5
#15 0x7f8d2bf0618c in nsThreadSyncDispatch::Run() src/xpcom/threads/nsThreadSyncDispatch.h:35:51
#16 0x7f8d2beec75b in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1142:16
#17 0x7f8d2bef6bfc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:466:10
#18 0x7f8d2d102475 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
#19 0x7f8d2cff2361 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
#20 0x7f8d2cff2361 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#21 0x7f8d2cff2361 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#22 0x7f8d2bee6208 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:390:10
#23 0x7f8d499aa3fe in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#24 0x7f8d4d2d1608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
#25 0x7f8d4ce9a292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
||
Updated•3 years ago
|
Flags: needinfo?(jbauman)
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
||
Updated•3 years ago
|
Keywords: regression
|
Assignee | |
Comment 2•3 years ago
|
||
Both this and bug 1724460 are essentially the same issue, and will be addressed in qcms: avoid undefined behavior when handling CICP values
Flags: needinfo?(jbauman)
|
||
Updated•3 years ago
|
status-firefox91:
--- → unaffected
status-firefox93:
--- → affected
status-firefox-esr78:
--- → unaffected
status-firefox-esr91:
--- → unaffected
|
|
Assignee | |
Updated•3 years ago
|
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
Assignee: nobody → jbauman
Target Milestone: --- → 93 Branch
|
|
||
Updated•3 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•