Closed Bug 1534709 Opened 6 years ago Closed 6 years ago

UBSan: shift exponent is too large for type in [@ mozilla::BitReader::ReadBits]

Categories

(Core :: Audio/Video: Playback, defect, P3)

RESOLVED DUPLICATE of bug 1413750
Tracking Status
firefox67 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

Attached video testcase.mp4

Found in m-c commit af29567ecdba

This was built with undefined behavior sanitizer checks enabled via mozconfig.
ac_add_options --enable-undefined-sanitizer="shift"

src/dom/media/BitReader.cpp:44:22: runtime error: shift exponent 32 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')
    #0 0x7f98335242a6 in mozilla::BitReader::ReadBits(unsigned long) src/dom/media/BitReader.cpp:44:22
    #1 0x7f9833baf64d in mozilla::H264::vui_parameters(mozilla::BitReader&, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:687:9
    #2 0x7f9833bae4a8 in mozilla::H264::DecodeSPS(mozilla::MediaByteBuffer const*, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:445:10
    #3 0x7f9833bafa5a in GetSPSData src/dom/media/platforms/agnostic/bytestreams/H264.cpp:179:12
    #4 0x7f9833bafa5a in mozilla::H264::DecodeSPSFromExtraData(mozilla::MediaByteBuffer const*, mozilla::SPSData&) src/dom/media/platforms/agnostic/bytestreams/H264.cpp:701
    #5 0x7f9833e3c2b0 in mozilla::AccumulateSPSTelemetry(mozilla::MediaByteBuffer const*) src/dom/media/mp4/MP4Demuxer.cpp:83:7
    #6 0x7f9833e46c70 in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mozilla::IndiceWrapper const&) src/dom/media/mp4/MP4Demuxer.cpp:359:28
    #7 0x7f9833e3e855 in mozilla::MP4Demuxer::Init() src/dom/media/mp4/MP4Demuxer.cpp:261:45
    #8 0x7f98336f44c9 in operator() src/dom/media/MediaFormatReader.cpp:898:47
    #9 0x7f98336f44c9 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_15, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:1419
    #10 0x7f982dc3d57b in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:199:12
    #11 0x7f982dc70107 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:241:14
    #12 0x7f982dc70b5c in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #13 0x7f982dc66822 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1179:14
    #14 0x7f982dc6c66d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
    #15 0x7f982ed6f64a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #16 0x7f982ec4a287 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f982ec4a287 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #18 0x7f982ec4a287 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #19 0x7f982dc60710 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:454:11
    #20 0x7f984cd3630e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f984c9886da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #22 0x7f984b96688e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Priority: -- → P3
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
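
Added example, not part of the bug report and not Mozilla's BitReader code: a constructed reservoir-style bit reader in which a 32-bit read makes the shift count equal the type width, the condition the UBSan report above names, with width-checked shift helpers keeping the result defined. `SafeBitReader`, `Shl32`, `Shr32`, `ReadAfterSkip` and the sample bytes are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Shifts that stay defined when the count reaches the 32-bit type width.
static inline uint32_t Shl32(uint32_t v, size_t n) { return n >= 32 ? 0 : v << n; }
static inline uint32_t Shr32(uint32_t v, size_t n) { return n >= 32 ? 0 : v >> n; }

// Constructed MSB-first reader with a 32-bit reservoir (not BitReader.cpp).
class SafeBitReader {
 public:
  SafeBitReader(const uint8_t* data, size_t size) : mData(data), mSize(size) {}
  // Reads up to 32 bits; fails instead of over-reading or over-shifting.
  bool ReadBits(size_t num, uint32_t* out) {
    if (num > 32 || num > mSize * 8 + mNumBitsLeft) return false;
    uint32_t result = 0;
    while (num > 0) {
      if (mNumBitsLeft == 0) Fill();
      size_t m = num < mNumBitsLeft ? num : mNumBitsLeft;
      // m == 32 is reachable: plain `result << m` would be the flagged shift.
      result = Shl32(result, m) | Shr32(mReservoir, 32 - m);
      mReservoir = Shl32(mReservoir, m);
      mNumBitsLeft -= m;
      num -= m;
    }
    *out = result;
    return true;
  }
 private:
  void Fill() {  // load up to four bytes, left-aligned in the reservoir
    size_t i = 0;
    for (mReservoir = 0; mSize > 0 && i < 4; ++i, --mSize)
      mReservoir = (mReservoir << 8) | *mData++;
    mNumBitsLeft = 8 * i;
    mReservoir = Shl32(mReservoir, 32 - mNumBitsLeft);
  }
  const uint8_t* mData;
  size_t mSize;
  uint32_t mReservoir = 0;
  size_t mNumBitsLeft = 0;
};

// Constructed sample bytes: skip `skip` bits, read `num`; ~0u signals failure.
uint32_t ReadAfterSkip(size_t skip, size_t num) {
  static const uint8_t kSample[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x12, 0x34, 0x56, 0x78};
  SafeBitReader r(kSample, sizeof(kSample));
  uint32_t v = 0;
  if (skip > 0 && !r.ReadBits(skip, &v)) return ~0u;
  return r.ReadBits(num, &v) ? v : ~0u;
}
int main() { std::printf("%08x\n", ReadAfterSkip(0, 32)); }
```

Building this with `-fsanitize=shift` and swapping the helpers for plain `<<` and `>>` makes the full-width read report the same class of error as the trace above.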