WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
274027
REGRESSION(
277476@main
): [GTK] Crash in WebCore::GIFImageDecoder::haveDecodedRow
https://bugs.webkit.org/show_bug.cgi?id=274027
Summary
REGRESSION(277476@main): [GTK] Crash in WebCore::GIFImageDecoder::haveDecodedRow
Kdwk
Reported
2024-05-10 18:58:48 PDT
Created
attachment 471366
[details]
gdb (bt full; c).txt WebKitGTK 2.45.1 crashes on many websites, including bugs.webkit.org, in WebCore::GIFImageDecoder::haveDecodedRow.
Attachments
gdb (bt full; c).txt
(87.64 KB, text/plain)
2024-05-10 18:58 PDT
,
Kdwk
no flags
Details
View All
Add attachment
proposed patch, testcase, etc.
Carlos Garcia Campos
Comment 1
2024-05-13 03:02:53 PDT
Why is this related to skia? This could have regressed in
https://commits.webkit.org/277476@main
Michael Catanzaro
Comment 2
2024-05-13 05:38:32 PDT
This crash is happening 100% of the time when trying to load any page on this Bugzilla. Also on a very large number of other websites. I had to downgrade to post this comment.
Michael Catanzaro
Comment 3
2024-05-13 07:07:22 PDT
This is a libstdc++ assertion failure due to buffer overflow when indexing a std::span, so
277476@main
is a very likely suspect. The assertion is: /usr/bin/../lib/gcc/x86_64-redhat-linux/14/../../../../include/c++/14/span:286: reference std::span<const unsigned char>::operator[](size_type) const [_Type = const unsigned char, _Extent = 18446744073709551615]: Assertion '__idx < size()' failed To reproduce, build with -DCMAKE_CXX_FLAGS="-Wp,-D_GLIBCXX_ASSERTIONS"
Michael Catanzaro
Comment 4
2024-05-13 07:24:37 PDT
Confirmed, this regressed in
277476@main
Michael Catanzaro
Comment 5
2024-05-13 08:16:58 PDT
There is a preexisting buffer overread here in GIFImageDecoder::haveDecodedRow: const size_t colorIndex = static_cast<size_t>(sourceValue) * 3; buffer.backingStore()->setPixel(currentAddress, colorMap[colorIndex], colorMap[colorIndex + 1], colorMap[colorIndex + 2], 255); Here the values of colorIndex are in practice much larger than the values of colorMapSize.
Michael Catanzaro
Comment 6
2024-05-13 09:11:03 PDT
Actually I think I'm wrong about there being a preexisting bug. The semantic "size" of the color map was actually three times its size in bytes. This explains why the code was willing to read exactly 1 or 2 bytes past the "end" of the color map.
Michael Catanzaro
Comment 7
2024-05-13 09:21:55 PDT
(In reply to Michael Catanzaro from
comment #6
)
> The semantic "size" of the color map was actually three times its size in bytes.
Sorry, I mean its semantic size was one third its size in bytes. After
277476@main
, only the first third of the color map is still available and the rest of the map is missing.
Michael Catanzaro
Comment 8
2024-05-13 09:29:16 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/28477
EWS
Comment 9
2024-05-14 00:34:46 PDT
Committed
278739@main
(cae3dbd2f345): <
https://commits.webkit.org/278739@main
> Reviewed commits have been landed. Closing PR #28477 and removing active labels.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug