Closed Bug 1725742 Opened 4 months ago Closed 4 months ago

Hit MOZ_CRASH(attempt to add with overflow) at gfx/qcms/src/iccread.rs:494

Categories

(Core :: GFX: Color Management, defect)

Tracking

VERIFIED FIXED
93 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox91 --- wontfix
firefox92 --- wontfix
firefox93 --- verified

People

(Reporter: tsmith, Assigned: jrmuizel)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached image testcase.jpg

Found while fuzzing m-c 20210809-0f323b67aa6b (--enable-debug --enable-fuzzing)

Hit MOZ_CRASH(attempt to add with overflow) at gfx/qcms/src/iccread.rs:494

#0 0x7f9f0a1e2835 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f9f0a1e2835 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f9f0a1e27b4 in mozglue_static::panic_hook::h9f467a86ae616c8e src/mozglue/static/rust/lib.rs:91:9
#3 0x7f9f0a1e222b in core::ops::function::Fn::call::h8065936f167ffca5 /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/ops/function.rs:70:5
#4 0x7f9f0afa3358 in std::panicking::rust_panic_with_hook::h7ee9e1a2d0f8975a /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/std/src/panicking.rs:626:17
#5 0x7f9f0afa2dd6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h8ab3b4491718b2c7 /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/std/src/panicking.rs:517:13
#6 0x7f9f0af9f17b in std::sys_common::backtrace::__rust_end_short_backtrace::hd489062ffa586a9f /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/std/src/sys_common/backtrace.rs:141:18
#7 0x7f9f0afa2d68 in rust_begin_unwind /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/std/src/panicking.rs:515:5
#8 0x7f9f019314b0 in core::panicking::panic_fmt::hca6330e3e14086b4 /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/panicking.rs:92:14
#9 0x7f9f019313fc in core::panicking::panic::h1a48d878ff3dcd40 /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/panicking.rs:50:5
#10 0x7f9f0927bac8 in qcms::iccread::read_tag_XYZType::hf8fd936a1c425a2c src/gfx/qcms/src/iccread.rs
#11 0x7f9f09282a2c in qcms::iccread::Profile::new_from_slice::h24f51b8b075172a1 src/gfx/qcms/src/iccread.rs:1666:44
#12 0x7f9f09273040 in qcms_profile_from_memory src/gfx/qcms/src/c_bindings.rs:81:19
#13 0x7f9f035ab9c1 in mozilla::image::GetICCProfile(jpeg_decompress_struct&) src/image/decoders/nsJPEGDecoder.cpp:58:15
#14 0x7f9f035a9a13 in mozilla::image::nsJPEGDecoder::ReadJPEGData(char const*, unsigned long) src/image/decoders/nsJPEGDecoder.cpp:288:27
#15 0x7f9f035f6018 in operator() src/image/decoders/nsJPEGDecoder.cpp:186:34
#16 0x7f9f035f6018 in mozilla::Maybe<mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> > mozilla::image::StreamingLexer<mozilla::image::nsJPEGDecoder::State, 16ul>::ContinueUnbufferedRead<mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_8>(char const*, unsigned long, unsigned long, mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_8) src/image/StreamingLexer.h:555:9
#17 0x7f9f035a8842 in UnbufferedRead<(lambda at src/image/decoders/nsJPEGDecoder.cpp:183:21)> src/image/StreamingLexer.h:501:12
#18 0x7f9f035a8842 in Lex<(lambda at src/image/decoders/nsJPEGDecoder.cpp:183:21)> src/image/StreamingLexer.h:469:26
#19 0x7f9f035a8842 in mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsJPEGDecoder.cpp:182:17
#20 0x7f9f034ca3c7 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:177:19
#21 0x7f9f034d2dbd in mozilla::image::DecodedSurfaceProvider::Run() src/image/DecodedSurfaceProvider.cpp:123:34
#22 0x7f9f034edb23 in mozilla::image::DecodingTask::Run() src/image/DecodePool.cpp:146:12
#23 0x7f9f01b0508f in mozilla::TaskController::RunPoolThread() src/xpcom/threads/TaskController.cpp:287:33
#24 0x7f9f16ea2ac7 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#25 0x7f9f17c1d608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#26 0x7f9f177e6292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210816094534-36974366b0fb.
The bug appears to have been introduced in the following build range:

Start: bd174309203d44991ab64f5ff1dbe95b495be0f8 (20200921214538)
End: c8ad715374b3f442cba2df19c9664f000a5040c9 (20200921215039)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bd174309203d44991ab64f5ff1dbe95b495be0f8&tochange=c8ad715374b3f442cba2df19c9664f000a5040c9

Whiteboard: [bugmon:bisected,confirmed]
Component: ImageLib → GFX: Color Management
Regressed by: 1666057
Assignee: nobody → jmuizelaar
Status: NEW → ASSIGNED
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/56c0e8e558e6
Validate tag offsets upfront to avoid weird overflow situations later on. r=aosmond
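The commit message above describes the mitigation class (validate every tag's offset and size before any tag body is read) but not its shape. The following is an added illustration written for this page, not qcms's own code and not the patch that landed: a minimal ICC tag-table reader in Rust that checks each tag's range with checked arithmetic, so a crafted entry whose offset sits near u32::MAX is rejected as an error instead of wrapping during a later addition and hitting an overflow assertion. The only format facts it relies on are from the ICC specification (128-byte header, big-endian u32 tag count, 12-byte tag entries of signature/offset/size, XYZType body layout); the type names, error variants, and the constructed profile bytes in `main` are assumptions for the example.

```rust
// Added example (not qcms's own code): validate ICC tag ranges upfront.
// Assumed layout from the ICC spec: 128-byte header, then a big-endian u32 tag
// count at offset 128, then 12-byte entries (4-byte signature, u32 offset, u32 size).
use std::convert::TryInto;

const HEADER_LEN: usize = 128;
const TAG_ENTRY_LEN: usize = 12;

#[derive(Debug, PartialEq)]
pub struct Tag {
    pub signature: [u8; 4],
    pub offset: u32,
    pub size: u32,
}

#[derive(Debug, PartialEq)]
pub enum IccError {
    Truncated,
    TagOverlapsHeader,
    TagOutOfBounds,
    TagOffsetOverflow,
}

fn read_u32_be(data: &[u8], pos: usize) -> Option<u32> {
    let bytes = data.get(pos..pos.checked_add(4)?)?;
    Some(u32::from_be_bytes(bytes.try_into().ok()?))
}

/// Parse the tag table and reject any tag whose [offset, offset + size)
/// does not lie entirely inside `data`. Later tag readers can then index
/// the validated range without further arithmetic checks.
pub fn read_tag_table(data: &[u8]) -> Result<Vec<Tag>, IccError> {
    let count = read_u32_be(data, HEADER_LEN).ok_or(IccError::Truncated)?;
    let table_start = HEADER_LEN + 4;
    // Bound the count by what the buffer can hold before allocating anything.
    let max_entries = data.len().saturating_sub(table_start) / TAG_ENTRY_LEN;
    if count as usize > max_entries {
        return Err(IccError::Truncated);
    }
    let mut tags = Vec::with_capacity(count as usize);
    for i in 0..count as usize {
        let entry = table_start + i * TAG_ENTRY_LEN;
        let signature: [u8; 4] = data[entry..entry + 4].try_into().unwrap();
        let offset = read_u32_be(data, entry + 4).ok_or(IccError::Truncated)?;
        let size = read_u32_be(data, entry + 8).ok_or(IccError::Truncated)?;
        // checked_add: an offset near u32::MAX would otherwise wrap to a small
        // value and slip past a naive `end <= len` comparison.
        let end = offset.checked_add(size).ok_or(IccError::TagOffsetOverflow)?;
        if (offset as usize) < HEADER_LEN {
            return Err(IccError::TagOverlapsHeader);
        }
        if end as usize > data.len() {
            return Err(IccError::TagOutOfBounds);
        }
        tags.push(Tag { signature, offset, size });
    }
    Ok(tags)
}

/// Read an XYZType body ('XYZ ' type signature, 4 reserved bytes, three
/// s15Fixed16 values) from a tag that read_tag_table has already validated.
pub fn read_xyz(data: &[u8], tag: &Tag) -> Option<[i32; 3]> {
    let start = tag.offset as usize;
    let body = &data[start..start + tag.size as usize];
    if body.len() < 20 || &body[0..4] != b"XYZ " {
        return None;
    }
    Some([
        i32::from_be_bytes(body[8..12].try_into().ok()?),
        i32::from_be_bytes(body[12..16].try_into().ok()?),
        i32::from_be_bytes(body[16..20].try_into().ok()?),
    ])
}

/// Constructed test input: a zeroed header, one 'wtpt' tag entry, then `body`.
/// Not a valid ICC profile; it exists only to exercise the validation.
pub fn build_profile(offset: u32, size: u32, body: &[u8]) -> Vec<u8> {
    let mut p = vec![0u8; HEADER_LEN];
    p.extend_from_slice(&1u32.to_be_bytes()); // tag count
    p.extend_from_slice(b"wtpt");
    p.extend_from_slice(&offset.to_be_bytes());
    p.extend_from_slice(&size.to_be_bytes());
    p.extend_from_slice(body);
    p
}

fn main() {
    let mut body = b"XYZ \0\0\0\0".to_vec();
    for v in &[0x0000f6d6i32, 0x00010000, 0x0000d32d] {
        body.extend_from_slice(&v.to_be_bytes());
    }
    // The tag body begins right after the 4-byte count and one 12-byte entry.
    let good = build_profile(144, 20, &body);
    let tags = read_tag_table(&good).unwrap();
    println!("valid profile: {:?}", read_xyz(&good, &tags[0]));
    let wrapping = build_profile(0xffff_fff0, 0x20, &body);
    println!("offset near u32::MAX: {:?}", read_tag_table(&wrapping));
}
```

The point of doing the check in one place is that every later tag reader (XYZType, curves, LUTs) works on a range already known to be in bounds, which removes the per-reader arithmetic that produced the assertion in this bug.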
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210819214942-d425eea582f4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Should we land the attached image as a crashtest?

Flags: needinfo?(jmuizelaar)

Nah. This was just a harmless debug assertion and was caught by the existing fuzzing coverage. The only reason I bothered to fix it was so that it wouldn't be hit by the fuzzers in the future.

Flags: needinfo?(jmuizelaar)
Flags: in-testsuite? → in-testsuite-