Closed Bug 1532849 Opened 6 years ago Closed 6 years ago

UBSan: Value outside the range of representable values of type 'unsigned int' [@ mozilla::ChannelMediaDecoder::ComputePlaybackRate]

Categories

(Core :: Audio/Video: Playback, defect, P2)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: tsmith, Assigned: jya)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(2 files)

testcase.mp4
193.67 KB, video/mp4
Details
Bug 1532849 - Prevent arithmetic overflow. r?bryce
47 bytes, text/x-phabricator-request
Details | Review
Attached video testcase.mp4

Found in m-c commit 78601cacfe69

This was build with undefined behavior sanitizer checks enabled via mozconfig.
ac_add_options --enable-undefined-sanitizer="enum"

src/dom/media/ChannelMediaDecoder.cpp:413:22: runtime error: 7.08286e+09 is outside the range of representable values of type 'unsigned int'
    #0 0x7f0354945dd8 in mozilla::ChannelMediaDecoder::ComputePlaybackRate(mozilla::MediaChannelStatistics const&, mozilla::BaseMediaResource*, double) src/dom/media/ChannelMediaDecoder.cpp:413:22
    #1 0x7f035495c5a1 in operator() src/dom/media/ChannelMediaDecoder.cpp:366:21
    #2 0x7f035495c5a1 in mozilla::detail::RunnableFunction<mozilla::ChannelMediaDecoder::DurationChanged()::$_1>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:562
    #3 0x7f034f478c83 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() src/objdir-ff-ubsan/dist/include/mozilla/TaskDispatcher.h:197:35
    #4 0x7f034f46e450 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:199:12
    #5 0x7f034f49dfc3 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:241:14
    #6 0x7f034f49e33c in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #7 0x7f034f495fd1 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1166:14
    #8 0x7f034f49a9fd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
    #9 0x7f0350598a5a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #10 0x7f035045f650 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #11 0x7f035045f650 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #12 0x7f034f490902 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:453:11
    #13 0x7f037571e592 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7f037539e6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7f037437c88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Rank: 19
Priority: -- → P2

Jean-Yves, any thoughts on who should take a look at this?

Flags: needinfo?(jyavenard)
Assignee: nobody → jyavenard
Flags: needinfo?(jyavenard)
Pushed by jyavenard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5abd778efd7a Prevent arithmetic overflow. r=bryce

https://hg.mozilla.org/mozilla-central/rev/5abd778efd7a

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: