1991494 - Crash [@ MOZ_CrashSequence]

Status: VERIFIED FIXED

(Core :: WebRTC, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 2dfd502d8f50 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 2dfd502d8f50 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

[@ MOZ_CrashSequence]

    ==533344==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7e0212c0ee3e bp 0x7e01fcd40200 sp 0x7e01fcd3fd90 T533504)
    ==533344==The signal is caused by a WRITE memory access.
    ==533344==Hint: address points to the zero page.
        #0 0x7e0212c0ee3e in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:238:3
        #1 0x7e0212c0ee3e in AssertedCast<int, double> /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:256:5
        #2 0x7e0212c0ee3e in mozilla::CalculateDesiredSize(mozilla::DesiredSizeInput) /dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:158:17
        #3 0x7e0212c129b2 in mozilla::MediaEngineRemoteVideoSource::DeliverFrame(unsigned char*, mozilla::camera::VideoFrameProperties const&) /dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:634:26
        #4 0x7e0212c1398f in non-virtual thunk to mozilla::MediaEngineRemoteVideoSource::DeliverFrame(unsigned char*, mozilla::camera::VideoFrameProperties const&) /dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:0:0
        #5 0x7e0212a9c96b in mozilla::camera::CamerasChild::RecvDeliverFrame(int const&, mozilla::ipc::Shmem&&, mozilla::camera::VideoFrameProperties const&) /dom/media/systemservices/CamerasChild.cpp:497:22
        #6 0x7e0212acb16d in mozilla::camera::PCamerasChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCamerasChild.cpp:562:52
        #7 0x7e020f0123b2 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5097:32
        #8 0x7e020efb27be in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1797:25
        #9 0x7e020efafd40 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1723:9
        #10 0x7e020efb0747 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1512:3
        #11 0x7e020efb1729 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1614:14
        #12 0x7e020e3d89ea in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1151:16
        #13 0x7e020e3df0df in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:462:10
        #14 0x7e020efb9360 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:299:20
        #15 0x7e020ef12441 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #16 0x7e020ef12441 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #17 0x7e020e3d464e in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #18 0x7e021f2a3a1f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #19 0x7e021f348aa3 in start_thread ./nptl/pthread_create.c:447:8
        #20 0x7e021f3d5c6b in clone3 ./misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78:0
    
    ==533344==Register values:
    rax = 0x0000000000000100  rbx = 0x00007e01fcd3fdd0  rcx = 0x00005563016c9320  rdx = 0x00007e021f4b0563
    rdi = 0x00007e021f4b1700  rsi = 0x0000000000000000  rbp = 0x00007e01fcd40200  rsp = 0x00007e01fcd3fd90
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293
    r12 = 0x0000000080000040  r13 = 0x0000000000000500  r14 = 0x0000000000000000  r15 = 0x0000000000000500
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20250929081533-fuzzing-debug/libxul.so+0x8b72e3e) (BuildId: 83bad32a41ab9caec670e0e2c425a87b8d770e58)
    ==533344==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Andreas, didn't we fix a negative height recently? Deja vu

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250929160404-e0d24a0fe50f.
The bug appears to have been introduced in the following build range:

Start: 791aa9e079a26ef1917ec8b83fa2f3c7dde49593 (20250829132804)
End: 0d7ae4c7f831989237613a491b990ff72b57d519 (20250829093033)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=791aa9e079a26ef1917ec8b83fa2f3c7dde49593&tochange=0d7ae4c7f831989237613a491b990ff72b57d519

Comment 4

[Andreas Pehrson [:pehrsons]]

Attachment: Bug 1991494 - Add crashtest. r?jib

Comment 5

[Andreas Pehrson [:pehrsons]]

Attachment: Bug 1991494 - Restrict dimensions calculation to int32_t rather than assert bounds. r?jib

Comment 7

[Pulsebot]

Pushed by pehrsons@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/1a23e1d76bfb
https://hg.mozilla.org/integration/autoland/rev/32178ee8917d
Add crashtest. r=jib
https://github.com/mozilla-firefox/firefox/commit/7b1f82c392e8
https://hg.mozilla.org/integration/autoland/rev/12cd429f614c
Restrict dimensions calculation to int32_t rather than assert bounds. r=jib

Comment 8

[agoloman]

https://hg.mozilla.org/mozilla-central/rev/32178ee8917d
https://hg.mozilla.org/mozilla-central/rev/12cd429f614c

Comment 9

[Andreas Pehrson [:pehrsons]]

Attachment: Bug 1991494 - Add crashtest. r?jib

Original Revision: https://phabricator.services.mozilla.com/D266764

Comment 10

[Phabricator Automation]

firefox-beta Uplift Approval Request

• User impact if declined: Possible integer overflow
• Code covered by automated testing: yes
• Fix verified in Nightly: no
• Needs manual QE test: no
• Steps to reproduce for manual QE testing:
• Risk associated with taking this patch: low
• Explanation of risk level: trivial
• String changes made/needed: none
• Is Android affected?: yes

Comment 11

[Andreas Pehrson [:pehrsons]]

Attachment: Bug 1991494 - Restrict dimensions calculation to int32_t rather than assert bounds. r?jib

Original Revision: https://phabricator.services.mozilla.com/D266765

Comment 12

[Phabricator Automation]

firefox-beta Uplift Approval Request

• User impact if declined: Possible undefined behavior converting a double to an integer
• Code covered by automated testing: yes
• Fix verified in Nightly: no
• Needs manual QE test: no
• Steps to reproduce for manual QE testing:
• Risk associated with taking this patch: low
• Explanation of risk level: trivial
• String changes made/needed: none
• Is Android affected?: yes

Comment 13

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20251003043611-55dcb5b5074b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 14

[Pulsebot]

https://github.com/mozilla-firefox/firefox/commit/e78163220885
https://hg.mozilla.org/releases/mozilla-beta/rev/89f2b31242ed
https://github.com/mozilla-firefox/firefox/commit/d855b6e7567a
https://hg.mozilla.org/releases/mozilla-beta/rev/cf1d36bae961