Open Bug 1841190 Opened 1 year ago Updated 1 year ago

src/gfx/cairo/cairo/src/cairo-fixed-private.h:64:14: runtime error: left shift of negative value -4

Categories

(Core :: Printing: Output, defect, P3)


Tracking


Tracking Status
firefox115 --- wontfix
firefox116 --- affected
firefox117 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20230626-1432959f9b86 (--enable-undefined-sanitizer="shift" --enable-fuzzing)

src/gfx/cairo/cairo/src/cairo-fixed-private.h:64:14: runtime error: left shift of negative value -4
    #0 0x7fb4c018cb36 in _cairo_fixed_from_int src/gfx/cairo/cairo/src/cairo-fixed-private.h:64:14
    #1 0x7fb4c0198896 in _cairo_box_from_rectangle src/gfx/cairo/cairo/src/cairo-rectangle.c:77:17
    #2 0x7fb4bfe1cf69 in _cairo_pdf_surface_fill src/gfx/cairo/cairo/src/cairo-pdf-surface.c:8382:2
    #3 0x7fb4c00001b9 in _cairo_analysis_surface_fill src/gfx/cairo/cairo/src/cairo-analysis-surface.c:580:6
    #4 0x7fb4c022624c in _cairo_surface_fill src/gfx/cairo/cairo/src/cairo-surface.c:2473:14
    #5 0x7fb4bfebb79d in _cairo_surface_wrapper_fill src/gfx/cairo/cairo/src/cairo-surface-wrapper.c:384:14
    #6 0x7fb4c0196a9d in _cairo_recording_surface_replay_internal src/gfx/cairo/cairo/src/cairo-recording-surface.c:1948:12
    #7 0x7fb4c0197d44 in _cairo_recording_surface_replay_and_create_regions src/gfx/cairo/cairo/src/cairo-recording-surface.c:2159:12
    #8 0x7fb4c0104a90 in _paint_page src/gfx/cairo/cairo/src/cairo-paginated-surface.c:417:14
    #9 0x7fb4c0102687 in _cairo_paginated_surface_show_page src/gfx/cairo/cairo/src/cairo-paginated-surface.c:583:14
    #10 0x7fb4c023c2f3 in INT__moz_cairo_surface_show_page src/gfx/cairo/cairo/src/cairo-surface.c:2555:40
    #11 0x7fb4a86e171c in mozilla::gfx::PrintTargetPDF::EndPage() src/gfx/thebes/PrintTargetPDF.cpp:78:3
    #12 0x7fb4a701226c in nsDeviceContext::EndPage() src/gfx/src/nsDeviceContext.cpp:346:5
    #13 0x7fb4b9f00bdd in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) src/layout/printing/ipc/RemotePrintJobParent.cpp:167:29
    #14 0x7fb4b9f00248 in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) src/layout/printing/ipc/RemotePrintJobParent.cpp:142:17
    #15 0x7fb4b9effd6e in mozilla::layout::RemotePrintJobParent::RecvProcessPage(nsTArray<unsigned long>&&) src/layout/printing/ipc/RemotePrintJobParent.cpp:117:5
    #16 0x7fb4b882d259 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PRemotePrintJobParent.cpp:348:52
    #17 0x7fb4b63a703a in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PContentParent.cpp:6681:32
    #18 0x7fb4a5614ec2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1811:25
    #19 0x7fb4a560f2a6 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) src/ipc/glue/MessageChannel.cpp:1736:9
    #20 0x7fb4a56101f6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1536:3
    #21 0x7fb4a56123bc in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1634:14
    #22 0x7fb4a1a2f26b in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:555:16
    #23 0x7fb4a19f65ef in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:880:26
    #24 0x7fb4a19f119b in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:704:15
    #25 0x7fb4a19f202a in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:491:36
    #26 0x7fb4a19fffb9 in mozilla::TaskController::TaskController()::$_0::operator()() const src/xpcom/threads/TaskController.cpp:218:37
    #27 0x7fb4a19ffedc in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:548:5
    #28 0x7fb4a1a99973 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1199:16
    #29 0x7fb4a1aa73bf in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:480:10
    #30 0x7fb4a5625ad4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #31 0x7fb4a51708f6 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:370:10
    #32 0x7fb4a5170806 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:363:3
    #33 0x7fb4a5170749 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:345:3
    #34 0x7fb4b7f02d13 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:148:27
    #35 0x7fb4c712aa45 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:295:30
    #36 0x7fb4c769fc8e in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5671:22
    #37 0x7fb4c76a1c6f in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5872:8
    #38 0x7fb4c76a24e3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5928:21
    #39 0x7fb4c76e2548 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12
    #40 0x55ce9e26a2b5 in do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:227:22
    #41 0x55ce9e268c18 in main src/browser/app/nsBrowserApp.cpp:445:16
    #42 0x7fb4ea0d5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #43 0x55ce9e192148 in _start (src/objdir-ff-ubsan/dist/bin/firefox+0x2c8148) (BuildId: a035742d1e2b63527db78db086f6d3e3)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/vOrBKlgeHHZFyzy0qPhHIQ/index.html
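The frame at the top of the trace, `_cairo_fixed_from_int`, converts an integer to cairo's fixed-point type with a left shift, and a left shift of a negative signed operand is undefined behaviour in every C standard, which is exactly what `-fsanitize=shift` reports here. The following is an added, stand-alone reproduction written for this page; it is not cairo's code and not the patch in the merge request linked below. It assumes cairo's 24.8 signed fixed-point layout (`int32_t` with 8 fractional bits), shows the shift pattern next to two equivalent forms that are not UB, and adds the range check a caller feeding untrusted geometry into the conversion would want:

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: a 24.8 signed fixed-point type (int32_t, 8 fractional bits).
 * These names mirror that assumption for illustration; they are not copied
 * from the cairo tree. */
typedef int32_t  cairo_fixed_t;
typedef uint32_t cairo_fixed_unsigned_t;
#define CAIRO_FIXED_FRAC_BITS 8
#define CAIRO_FIXED_INT_MAX   ((1 << (31 - CAIRO_FIXED_FRAC_BITS)) - 1)  /*  8388607 */
#define CAIRO_FIXED_INT_MIN   (-(1 << (31 - CAIRO_FIXED_FRAC_BITS)))     /* -8388608 */

/* The reported pattern: left-shifting a negative signed operand. Every C
 * standard to date leaves this undefined; UBSan's -fsanitize=shift flags it
 * at run time with "left shift of negative value". */
static cairo_fixed_t fixed_from_int_shift(int i)
{
    return i << CAIRO_FIXED_FRAC_BITS;
}

/* Well-defined alternative: multiplication gives the same bits for every
 * in-range value and is not UB for negative operands. Signed overflow for an
 * out-of-range i would still be UB, hence the range check further down. */
static cairo_fixed_t fixed_from_int_mul(int i)
{
    return (cairo_fixed_t)(i * (1 << CAIRO_FIXED_FRAC_BITS));
}

/* Well-defined alternative: shift in the unsigned domain. Unsigned shifts
 * wrap and are never UB. Converting the result back to int32_t is
 * implementation-defined before C23 (two's complement on every mainstream
 * compiler) and fully specified from C23 on. */
static cairo_fixed_t fixed_from_int_ushift(int i)
{
    return (cairo_fixed_t)((cairo_fixed_unsigned_t)i << CAIRO_FIXED_FRAC_BITS);
}

/* Range-checked conversion: returns 0 and stores the result, or -1 if i does
 * not fit in the 24 integer bits. Both the shift and the multiply silently
 * drop the high bits of an out-of-range value, so code taking geometry from
 * untrusted content should reject such values instead of letting them wrap. */
static int fixed_from_int_checked(int i, cairo_fixed_t *out)
{
    if (i < CAIRO_FIXED_INT_MIN || i > CAIRO_FIXED_INT_MAX)
        return -1;
    *out = fixed_from_int_mul(i);
    return 0;
}

int main(void)
{
    cairo_fixed_t v;

    /* -4 is the operand UBSan reported in this bug. */
    printf("shift : %d\n", fixed_from_int_shift(-4));  /* UBSan: left shift of negative value -4 */
    printf("mul   : %d\n", fixed_from_int_mul(-4));    /* -1024, no diagnostic */
    printf("ushift: %d\n", fixed_from_int_ushift(-4)); /* -1024, no diagnostic */
    printf("checked(%d): %d\n", CAIRO_FIXED_INT_MAX + 1,
           fixed_from_int_checked(CAIRO_FIXED_INT_MAX + 1, &v)); /* -1: rejected */
    return 0;
}
```

Build it with `clang -fsanitize=shift -O1 repro.c && ./a.out`: only the first call produces the runtime error seen in comment 0, the other two conversions return the same -1024 without a diagnostic. The unsigned-shift form is the smaller change to a shift-based helper; the multiply form reads more obviously and lets the optimizer emit the same instruction.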

(In reply to ajohnson@redneon.com from comment #2)

https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/484

Awesome, thanks!

Jonathan, do we want to cherry-pick this into our tree? Or update cairo to tip? Or just let it be for now?

Severity: -- → S3
Flags: needinfo?(jfkthame)
Priority: -- → P3

Although it seems unlikely (I guess) for this to cause real-world issues for users, I'd be inclined to cherry-pick it in order to silence the ubsan warning (and let the fuzzers keep exploring for further issues...)

Flags: needinfo?(jfkthame)

No hurry from the fuzzing perspective. The shift check is not enabled in the fuzzing builds yet, so we are not blocked.

Great to have it fixed, thanks ajohnson :)
