Open Bug 1829910 Opened 2 years ago Updated 2 years ago

gecko/dom/canvas/TexUnpackBlob.cpp:615:37: runtime error: applying non-zero offset 1047552 to null pointer

Categories

(Core :: Graphics: CanvasWebGL, defect, P5)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox114 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-nullptr)

Attachments

(1 file)

matrix.html
(deleted), text/html
Details
Attached file matrix.html (deleted) —

Attached testcase crashes with UBSan enabled. m-c 20230425-a5a273e3b1fd on X11 with NVidia driver 525.116.03.

/builds/worker/checkouts/gecko/dom/canvas/TexUnpackBlob.cpp:615:37: runtime error: applying non-zero offset 1047552 to null pointer
    #0 0x7f72af29bafc in mozilla::webgl::TexUnpackBytes::TexOrSubImage(bool, bool, mozilla::WebGLTexture*, int, mozilla::webgl::DriverUnpackInfo const*, int, int, int, mozilla::webgl::PackingInfo const&, unsigned int*) const /builds/worker/checkouts/gecko/dom/canvas/TexUnpackBlob.cpp:615:37
    #1 0x7f72af5150fb in mozilla::WebGLTexture::TexImage(unsigned int, unsigned int, mozilla::avec3<unsigned int> const&, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc const&) /builds/worker/checkouts/gecko/dom/canvas/WebGLTextureUpload.cpp:1116:14
    #2 0x7f72af40f534 in mozilla::WebGLContext::TexImage(unsigned int, unsigned int, mozilla::avec3<unsigned int>, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc const&) const /builds/worker/checkouts/gecko/dom/canvas/WebGLContextTextures.cpp:211:8
    #3 0x7f72af4b933e in TexImage /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h:567:15
    #4 0x7f72af4b933e in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 75ul, void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, mozilla::avec3<unsigned int> const&, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc const&) const, &mozilla::HostWebGLContext::TexImage(unsigned int, unsigned int, mozilla::avec3<unsigned int> const&, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc const&) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned int, unsigned int, mozilla::avec3<unsigned int>, mozilla::webgl::PackingInfo, mozilla::webgl::TexUnpackBlobDesc>(auto&...) const /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:253:13

SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /builds/worker/checkouts/gecko/dom/canvas/TexUnpackBlob.cpp:615:37 in

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jgilbert)

The way we do this, it's fine in practice.

Severity: -- → S4
Flags: needinfo?(jgilbert)
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: