Closed
Bug 1414898
Opened 7 years ago
Closed 7 years ago
UBSan: shift exponent is too large [@ mozilla::image::nsGIFDecoder2::ReadImageDataBlock]
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1413762
| Tracking | Status | |
|---|---|---|
| firefox58 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-undefined, testcase)
Attachments
(1 file)
|
7.68 KB,
image/gif
|
Details |
testcase.gif
This is triggered by loading the testcase when built with "-fsanitize=shift"
/mozilla-central/image/decoders/nsGIFDecoder2.h:74:36: runtime error: shift exponent 72 is too large for 32-bit type 'int'
#0 0x7f59fd6ff536 in mozilla::image::nsGIFDecoder2::ClearCode() const /mozilla-central/image/decoders/nsGIFDecoder2.h:74:36
#1 0x7f59fd6d9005 in mozilla::image::nsGIFDecoder2::ReadImageDataBlock(char const*) /mozilla-central/image/decoders/nsGIFDecoder2.cpp:963:25
#2 0x7f59fd6f0d9b in mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1::operator()(mozilla::image::nsGIFDecoder2::State, char const*, unsigned long) const /mozilla-central/image/decoders/nsGIFDecoder2.cpp:497:16
#3 0x7f59fd6f0807 in mozilla::Maybe<mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> > mozilla::image::StreamingLexer<mozilla::image::nsGIFDecoder2::State, 16ul>::BufferedRead<mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1>(mozilla::image::SourceBufferIterator&, mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1) /mozilla-central/image/StreamingLexer.h:648:28
#4 0x7f59fd6d5482 in mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> mozilla::image::StreamingLexer<mozilla::image::nsGIFDecoder2::State, 16ul>::Lex<mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1>(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*, mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_1) /mozilla-central/image/StreamingLexer.h:511:20
#5 0x7f59fd6d4f53 in mozilla::image::nsGIFDecoder2::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /mozilla-central/image/decoders/nsGIFDecoder2.cpp:465:17
#6 0x7f59fd5e7672 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /mozilla-central/image/Decoder.cpp:130:20
#7 0x7f59fd5e71bc in mozilla::image::AnimationSurfaceProvider::Run() /mozilla-central/image/AnimationSurfaceProvider.cpp:142:36
#8 0x7f59fd61e3e5 in mozilla::image::DecodePoolWorker::Run() /mozilla-central/image/DecodePool.cpp:178:23
#9 0x7f59fa489369 in nsThread::ProcessNextEvent(bool, bool*) /mozilla-central/xpcom/threads/nsThread.cpp:1037:14
#10 0x7f59fa4c19b1 in NS_ProcessNextEvent(nsIThread*, bool) /mozilla-central/xpcom/threads/nsThreadUtils.cpp:513:10
#11 0x7f59fb5c9183 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /mozilla-central/ipc/glue/MessagePump.cpp:334:20
#12 0x7f59fb4497d0 in MessageLoop::Run() /mozilla-central/ipc/chromium/src/base/message_loop.cc:299:3
#13 0x7f59fa4858af in nsThread::ThreadFunc(void*) /mozilla-central/xpcom/threads/nsThread.cpp:425:11
#14 0x7f5a2ca7138d in _pt_root /mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:216:5
#15 0x7f5a302a17fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
#16 0x7f5a2f2cfb0e in clone /build/glibc-CxtIbX/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
||
Comment 1•7 years ago
|
||
We have yet to land the fix in bug 1413762, but should resolve it.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
|
Reporter | |
Comment 2•7 years ago
|
||
Oops sorry, I missed this one in my bucketing.
You need to log in
before you can comment on or make changes to this bug.
Description
•