Closed Bug 1817442 Opened 2 years ago Closed 2 years ago

AddressSanitizer: negative-size-param: (size=-1956016352) [@ __asan_memcpy]

Categories

(Core :: Graphics: Canvas2D, defect)

30 Branch
defect

Tracking


VERIFIED FIXED
112 Branch
Tracking Status
firefox-esr102 111+ fixed
firefox110 --- wontfix
firefox111 + fixed
firefox112 + fixed

People

(Reporter: jkratzer, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-intoverflow, sec-high, testcase, Whiteboard: [bugmon:bisected,confirmed][adv-main111+r][adv-esr102.9+r])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 36b67e826e2d (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 36b67e826e2d --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer: negative-size-param: (size=-1956016352) [@ __asan_memcpy]

    =================================================================
    ==76541==ERROR: AddressSanitizer: negative-size-param: (size=-1956016352)
        #0 0x559ed3cfaa94 in __asan_memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x7fc066fce14d in CopySurfaceDataToPackedArray /gfx/2d/DataSurfaceHelpers.cpp:120:5
        #2 0x7fc066fce14d in mozilla::gfx::SurfaceToPackedBGRA(mozilla::gfx::DataSourceSurface*) /gfx/2d/DataSurfaceHelpers.cpp:158:3
        #3 0x7fc06a52ddac in mozilla::dom::ImageBitmapRenderingContext::GetImageBuffer(int*) /dom/canvas/ImageBitmapRenderingContext.cpp:168:10
        #4 0x7fc06a4859ea in mozilla::dom::CanvasRenderingContextHelper::ToBlob(mozilla::dom::EncodeCompleteCallback*, nsTSubstring<char16_t>&, nsTSubstring<char16_t> const&, bool, bool, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContextHelper.cpp:118:36
        #5 0x7fc06a485566 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, mozilla::dom::EncodeCompleteCallback*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContextHelper.cpp:91:3
        #6 0x7fc06a534e7a in mozilla::dom::OffscreenCanvas::ToBlob(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/canvas/OffscreenCanvas.cpp:410:33
        #7 0x7fc068e60573 in toBlob /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:1457:60
        #8 0x7fc068e60573 in mozilla::dom::OffscreenCanvas_Binding::toBlob_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:1473:13
        #9 0x7fc06a28d742 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3318:13
        #10 0x7fc073140bf4 in CallJSNative /js/src/vm/Interpreter.cpp:459:13
        #11 0x7fc073140bf4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #12 0x7fc07312fbda in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #13 0x7fc07312fbda in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #14 0x7fc07312fbda in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #15 0x7fc073113cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #16 0x7fc073140d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #17 0x7fc0731429cf in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #18 0x7fc0731429cf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #19 0x7fc07324bc9d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #20 0x7fc069e5e3e2 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #21 0x7fc06ad93a05 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #22 0x7fc06ad934c3 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1308:43
        #23 0x7fc06ad94dbb in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1504:17
        #24 0x7fc06ad82d02 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17
        #25 0x7fc06ad815b4 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16
        #26 0x7fc06ad8572a in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1122:11
        #27 0x7fc06ad8b3e5 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #28 0x7fc0685b7423 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1373:17
        #29 0x7fc067eac377 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4579:28
        #30 0x7fc067eac0c5 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4549:10
        #31 0x7fc06821b07f in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7908:3
        #32 0x7fc06830ca2a in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #33 0x7fc06830ca2a in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
        #34 0x7fc06830ca2a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
        #35 0x7fc064ea05df in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #36 0x7fc064eb4759 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
        #37 0x7fc064eaab87 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
        #38 0x7fc064ea7e08 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
        #39 0x7fc064ea8530 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
        #40 0x7fc064ebac31 in operator() /xpcom/threads/TaskController.cpp:188:37
        #41 0x7fc064ebac31 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #42 0x7fc064ede42e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1225:16
        #43 0x7fc064ee8964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #44 0x7fc0666e769e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #45 0x7fc066566627 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #46 0x7fc066566627 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #47 0x7fc066566627 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #48 0x7fc06dd1a049 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #49 0x7fc072d20aa8 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:742:20
        #50 0x7fc066566627 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #51 0x7fc066566627 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #52 0x7fc066566627 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #53 0x7fc072d2023f in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:675:34
        #54 0x559ed3d38394 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #55 0x559ed3d38857 in main /browser/app/nsBrowserApp.cpp:353:18
        #56 0x7fc087c58d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #57 0x7fc087c58e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #58 0x559ed3c76e18 in _start (/home/jkratzer/builds/m-c-20230213170842-fuzzing-asan-opt/firefox+0x111e18) (BuildId: 3e36c83cf0a85bdc20ed3ecbc744e333cd422c09)
    
    0x7fbfbce66800 is located 0 bytes inside of 2338950944-byte region [0x7fbfbce66800,0x7fc0484ff720)
    allocated by thread T0 (Isolated Web Co) here:
        #0 0x559ed3cfb928 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
        #1 0x7fc071321087 in sk_calloc_canfail /gfx/skia/skia/include/private/SkMalloc.h:74:12
        #2 0x7fc071321087 in SkMallocPixelRef::MakeAllocate(SkImageInfo const&, unsigned long) /gfx/skia/skia/src/core/SkMallocPixelRef.cpp:59:18
        #3 0x7fc07109a961 in SkSurface::MakeRaster(SkImageInfo const&, unsigned long, SkSurfaceProps const*) /gfx/skia/skia/src/image/SkSurface_Raster.cpp:201:28
        #4 0x7fc06700b56e in mozilla::gfx::DrawTargetSkia::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /gfx/2d/DrawTargetSkia.cpp:1745:25
        #5 0x7fc06700b020 in mozilla::gfx::DrawTargetSkia::CreateSimilarDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) const /gfx/2d/DrawTargetSkia.cpp:1583:16
        #6 0x7fc06e4cf6f7 in nsLayoutUtils::SurfaceFromOffscreenCanvas(mozilla::dom::OffscreenCanvas*, unsigned int, RefPtr<mozilla::gfx::DrawTarget>&) /layout/base/nsLayoutUtils.cpp:7090:16
        #7 0x7fc06a51a08a in SurfaceFromOffscreenCanvas /builds/worker/workspace/obj-build/dist/include/nsLayoutUtils.h:2209:12
        #8 0x7fc06a51a08a in mozilla::dom::ImageBitmap::CreateFromOffscreenCanvas(nsIGlobalObject*, mozilla::dom::OffscreenCanvas&, mozilla::ErrorResult&) /dom/canvas/ImageBitmap.cpp:852:34
        #9 0x7fc06a5336f3 in mozilla::dom::OffscreenCanvas::TransferToImageBitmap(mozilla::ErrorResult&) /dom/canvas/OffscreenCanvas.cpp:257:7
        #10 0x7fc068e5f9f8 in mozilla::dom::OffscreenCanvas_Binding::transferToImageBitmap(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:1180:78
        #11 0x7fc06a28cc25 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3318:13
        #12 0x7fc073140bf4 in CallJSNative /js/src/vm/Interpreter.cpp:459:13
        #13 0x7fc073140bf4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #14 0x7fc07312fbda in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #15 0x7fc07312fbda in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #16 0x7fc07312fbda in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #17 0x7fc073113cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #18 0x7fc073140d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #19 0x7fc0731429cf in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #20 0x7fc0731429cf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #21 0x7fc07324bc9d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #22 0x7fc069e5e3e2 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #23 0x7fc06ad93a05 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #24 0x7fc06ad934c3 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1308:43
        #25 0x7fc06ad94dbb in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1504:17
        #26 0x7fc06ad82d02 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17
        #27 0x7fc06ad815b4 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16
        #28 0x7fc06ad8572a in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1122:11
        #29 0x7fc06ad8b3e5 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #30 0x7fc0685b7423 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1373:17
        #31 0x7fc067eac377 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4579:28
        #32 0x7fc067eac0c5 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4549:10
        #33 0x7fc06821b07f in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7908:3
        #34 0x7fc06830ca2a in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #35 0x7fc06830ca2a in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
        #36 0x7fc06830ca2a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
        #37 0x7fc064ea05df in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
    
    SUMMARY: AddressSanitizer: negative-size-param /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    ==76541==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230217091713-41710d48be48.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 6938c3b26d145c7e2c77f078566463df66d45359 (20220218090822)
End: 36b67e826e2dfa1eedbc9567f9bb3be61c431a7e (20230213170842)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm,pernosco] → [bugmon:bisected,confirmed]

A pernosco session for this bug can be found here.

Group: core-security → gfx-core-security

The size of the canvas (from the test case 30152 x 19393) in bytes is 30152 x 19393 x 4 = 2.3 billion > 2^31. memcpy takes a size_t but the calculation in this function happens in a signed int32. Easy enough to fix this one function but are there other places that will have the assumption the canvas size in bytes fits in a signed int?
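The arithmetic from that comment, carried through as an added C example (this is not the bug's patch or any Firefox code): the signed 32-bit product for the 30152 x 19393 test case wraps to exactly the size ASan reported, and a 64-bit checked variant refuses the canvas instead of handing a wrapped size to memcpy. `BYTES_PER_PIXEL`, the function names and the `INT32_MAX` cap (chosen because the callers on the stack pass the size through an `int*`) are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* B8G8R8A8 surface: 4 bytes per pixel (assumption of this example). */
#define BYTES_PER_PIXEL 4

/* The computation as the bug describes it: width * height * bpp done in a
 * signed 32-bit int. The multiply is performed in uint32_t so the example
 * itself has no undefined behaviour; the value is then folded into the
 * int32_t range the way two's-complement hardware wraps it. */
int32_t packed_size_int32(int32_t width, int32_t height) {
  uint32_t bytes = (uint32_t)width * (uint32_t)height * BYTES_PER_PIXEL;
  int64_t wrapped = (int64_t)bytes;
  if (wrapped > INT32_MAX) {
    wrapped -= (int64_t)1 << 32; /* 2338950944 becomes -1956016352 */
  }
  return (int32_t)wrapped;
}

/* What memcpy actually receives when a negative int is converted to size_t:
 * the value sign-extends to a huge length, which is the condition ASan
 * reports as negative-size-param. */
size_t memcpy_len_of(int32_t size) {
  return (size_t)size;
}

/* Checked version in the spirit of the fix's description ("64-bit checked
 * integers"): every intermediate is range-checked, and any result that does
 * not fit the int that downstream code expects is rejected instead of wrapped.
 * Returns false on overflow or on a non-positive dimension. */
bool packed_size_checked(int32_t width, int32_t height, size_t *out) {
  if (width <= 0 || height <= 0) {
    return false;
  }
  int64_t stride = (int64_t)width * BYTES_PER_PIXEL; /* < 2^33, fits int64 */
  /* stride * height may exceed INT64_MAX, so check before multiplying. */
  if (stride > INT64_MAX / height) {
    return false;
  }
  int64_t bytes = stride * height;
  /* Assumption: the buffer size must still fit a signed 32-bit int, since the
   * callers in the trace carry it through an int*. */
  if (bytes > INT32_MAX) {
    return false;
  }
  *out = (size_t)bytes;
  return true;
}

int main(void) {
  const int32_t w = 30152, h = 19393; /* dimensions from the test case */
  int32_t wrapped = packed_size_int32(w, h);
  printf("int32 product:  %d (memcpy would see %zu bytes)\n", wrapped,
         memcpy_len_of(wrapped));
  size_t bytes = 0;
  if (packed_size_checked(w, h, &bytes)) {
    printf("checked size:   %zu bytes\n", bytes);
  } else {
    printf("checked size:   rejected, %d x %d does not fit\n", w, h);
  }
  return 0;
}
```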

Attached file Bug 1817442. r?tnikkel
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

I'm not sure how exploitable this is really, but I'll mark it sec-high to be on the safe side, given that there's a clear fix here. We can adjust it if you want.

Keywords: sec-high

Comment on attachment 9319340 [details]
Bug 1817442. r?tnikkel

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unknown. This can be used to overwrite the bounds of a freshly allocated piece of memory for the destination buffer on the heap, but without much control of what is written to that memory, since the memory could only be sourced from outside the bounds of the source buffer as well.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: All (30+)
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely
  • Is Android affected?: Yes
Attachment #9319340 - Flags: sec-approval?
OS: Linux → All
Hardware: x86_64 → All
Version: Trunk → 30 Branch
See Also: → 1818674

Comment on attachment 9319340 [details]
Bug 1817442. r?tnikkel

Approved to request uplift and land.

Do we intend to land a test for this? If so, please add [reminder-test 2023-04-25] to the whiteboard

Attachment #9319340 - Flags: sec-approval? → sec-approval+

:lsalzman the final 111 beta builds on 2023-03-02. Next week is RC week.
This needs to land if it's going to make it for the 111 cycle.

Flags: needinfo?(lsalzman)

Comment on attachment 9319340 [details]
Bug 1817442. r?tnikkel

Beta/Release Uplift Approval Request

  • User impact if declined: Potential heap buffer overflows when using offscreen canvas.
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Restructures some math to use 64-bit checked integers to avoid overflow.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(lsalzman)
Attachment #9319340 - Flags: approval-mozilla-beta?

Comment on attachment 9319340 [details]
Bug 1817442. r?tnikkel

Approved for 111.0 RC1

Attachment #9319340 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

:lsalzman could you add an esr uplift request on this? It grafts cleanly to esr102

Flags: needinfo?(lsalzman)

Comment on attachment 9319340 [details]
Bug 1817442. r?tnikkel

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Potential heap overrun.
  • User impact if declined:
  • Fix Landed on Version: 112
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
Flags: needinfo?(lsalzman)
Attachment #9319340 - Flags: approval-mozilla-esr102?

Verified bug as fixed on rev mozilla-central 20230305214646-535b8e8d4e77.

Status: RESOLVED → VERIFIED

Comment on attachment 9319340 [details]
Bug 1817442. r?tnikkel

Approved for 102.9esr.

Attachment #9319340 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Group: gfx-core-security → core-security-release
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main111+r]
Whiteboard: [bugmon:bisected,confirmed][adv-main111+r] → [bugmon:bisected,confirmed][adv-main111+r][adv-esr102.9+r]
Group: core-security-release
Keywords: bugmon