Created attachment 471366: gdb (bt full; c).txt
WebKitGTK 2.45.1 crashes on many websites, including bugs.webkit.org, in WebCore::GIFImageDecoder::haveDecodedRow.
Why is this related to skia? This could have regressed in https://commits.webkit.org/277476@main
This crash is happening 100% of the time when trying to load any page on this Bugzilla. Also on a very large number of other websites. I had to downgrade to post this comment.
This is a libstdc++ assertion failure due to buffer overflow when indexing a std::span, so 277476@main is a very likely suspect. The assertion is:

/usr/bin/../lib/gcc/x86_64-redhat-linux/14/../../../../include/c++/14/span:286: reference std::span<const unsigned char>::operator[](size_type) const [_Type = const unsigned char, _Extent = 18446744073709551615]: Assertion '__idx < size()' failed

To reproduce, build with -DCMAKE_CXX_FLAGS="-Wp,-D_GLIBCXX_ASSERTIONS"
Confirmed, this regressed in 277476@main
There is a preexisting buffer overread here in GIFImageDecoder::haveDecodedRow:

    const size_t colorIndex = static_cast<size_t>(sourceValue) * 3;
    buffer.backingStore()->setPixel(currentAddress, colorMap[colorIndex], colorMap[colorIndex + 1], colorMap[colorIndex + 2], 255);

Here the values of colorIndex are in practice much larger than the values of colorMapSize.
Actually I think I'm wrong about there being a preexisting bug. The semantic "size" of the color map was actually three times its size in bytes. This explains why the code was willing to read exactly 1 or 2 bytes past the "end" of the color map.
(In reply to Michael Catanzaro from comment #6)
> The semantic "size" of the color map was actually three times its size in bytes.

Sorry, I mean its semantic size was one third its size in bytes. After 277476@main, only the first third of the color map is still available and the rest of the map is missing.
Pull request: https://github.com/WebKit/WebKit/pull/28477
Committed 278739@main (cae3dbd2f345): <https://commits.webkit.org/278739@main>

Reviewed commits have been landed. Closing PR #28477 and removing active labels.