1839270 - Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

Status: VERIFIED FIXED

(Core :: Audio/Video: Web Codecs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230616-6bc2d3f9b1aa (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mIsValid (Invalid checked integer (division by zero or integer overflow)), at /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:562

#0 0x7fad316ff2eb in value /builds/worker/workspace/obj-build/dist/include/mozilla/CheckedInt.h:560:5
#1 0x7fad316ff2eb in mozilla::dom::ComputeLayoutAndAllocationSize(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::VideoFrame::Format const&, mozilla::dom::Sequence<mozilla::dom::PlaneLayout> const*) /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:576:35
#2 0x7fad316f7a0b in CreateVideoFrameFromBuffer<mozilla::dom::TypedArray<JS::ArrayBuffer> > /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:1004:3
#3 0x7fad316f7a0b in CreateVideoFrameFromBuffer<mozilla::dom::TypedArray<JS::ArrayBuffer> > /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:1061:12
#4 0x7fad316f7a0b in mozilla::dom::VideoFrame::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::TypedArray<JS::ArrayBuffer> const&, mozilla::dom::VideoFrameBufferInit const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webcodecs/VideoFrame.cpp:1618:10
#5 0x7fad2fcdc89c in mozilla::dom::VideoFrame_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/VideoFrameBinding.cpp:2318:64
#6 0x7fad34cb53c5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#7 0x7fad34ceb549 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:502:8
#8 0x7fad34cc93fe in ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:755:10
#9 0x7fad34cc93fe in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3380:16
#10 0x7fad34cb416d in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#11 0x7fad34cb4c39 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#12 0x7fad34cb624d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#13 0x7fad34da02f2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#14 0x7fad30236f6c in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#15 0x7fad30bb2426 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#16 0x7fad30bb220a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1235:43
#17 0x7fad30bb2cde in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1427:21
#18 0x7fad30ba7930 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:412:5
#19 0x7fad30ba7930 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:342:17
#20 0x7fad30ba6e2b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:551:16
#21 0x7fad30ba968c in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1152:11
#22 0x7fad32bb1e23 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1082:7
#23 0x7fad34280ba2 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6393:20
#24 0x7fad342800c3 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5786:7
#25 0x7fad34281c76 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#26 0x7fad2e170159 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3
#27 0x7fad2e16f702 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14
#28 0x7fad2e16d91b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9
#29 0x7fad2e16ebb4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
#30 0x7fad342b7b0f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13848:23
#31 0x7fad2d3ab7bf in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22
#32 0x7fad2d3acce0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10
#33 0x7fad2ed5ab4c in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11638:18
#34 0x7fad2ed40ea4 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8118:3
#35 0x7fad2edefb29 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#36 0x7fad2edefb29 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#37 0x7fad2edefb29 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#38 0x7fad2edefb29 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#39 0x7fad2edefb29 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#40 0x7fad2edefb29 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#41 0x7fad2edefb29 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#42 0x7fad2d16ec67 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#43 0x7fad2d1668f1 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#44 0x7fad2d165287 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#45 0x7fad2d1656e5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#46 0x7fad2d172aa6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#47 0x7fad2d172aa6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#48 0x7fad2d18912a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#49 0x7fad2d18fe9d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#50 0x7fad2de3b415 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#51 0x7fad2dd55071 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#52 0x7fad2dd55071 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#53 0x7fad3274bd68 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#54 0x7fad34a74d8b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#55 0x7fad2de3c2f6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#56 0x7fad2dd55071 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#57 0x7fad2dd55071 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#58 0x7fad34a7465a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#59 0x5608add07526 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#60 0x5608add07526 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#61 0x7fad40e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#62 0x7fad40e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#63 0x5608adcde7c8 in _start (/home/user/workspace/browsers/m-c-20230619093216-fuzzing-debug/firefox-bin+0x587c8) (BuildId: 0b688c66d3ea777ac5699d31dab145245c89bf47)

Comment 1

[Mayank Bansal]

Got a crash from the testcase : https://crash-stats.mozilla.org/report/index/57cd6bd6-6696-465b-94cd-980300230620#tab-bugzilla

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230620035345-edef1940a6bd.
The bug appears to have been introduced in the following build range:

Start: 7183c524620f567af6e8518132738a0ce1a605b8 (20230615195928)
End: ba00fe639072b671be556332e4628092d64d31df (20230615205119)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7183c524620f567af6e8518132738a0ce1a605b8&tochange=ba00fe639072b671be556332e4628092d64d31df

Comment 3

[C.M.Chang[:chunmin] | PTO]

RGBA buffer with 1458585599 width will cause a overflow since sourceWidthBytes will be 1,458,585,599 * 4 = 5,834,342,396, but its max value is 4,294,967,295. I'll submit a patch to return an error in this case.

Comment 4

[C.M.Chang[:chunmin] | PTO]

Attachment: Bug 1839270 - Prevent overflow in ComputeLayoutAndAllocationSize

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:chunmin, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1838487

Comment 7

[C.M.Chang[:chunmin] | PTO]

Attachment: Bug 1839270 - Test case for bug

Depends on D181589

Comment 8

[Pulsebot]

Pushed by cchang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/987200678bba
Prevent overflow in ComputeLayoutAndAllocationSize r=padenot
https://hg.mozilla.org/integration/autoland/rev/058746576305
Test case for bug r=padenot

Comment 9

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/987200678bba
https://hg.mozilla.org/mozilla-central/rev/058746576305

Comment 10

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230628091831-eed85d208f78.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1838487