[Webkit-unassigned] [Bug 189419] New: [GStreamer] Fix overflow in buffered ranges
bugzilla-daemon at webkit.org
Fri Sep 7 10:54:26 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=189419
Bug ID: 189419
Summary: [GStreamer] Fix overflow in buffered ranges
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Gtk
Assignee: webkit-unassigned at lists.webkit.org
Reporter: aboya at igalia.com
CC: bugs-noreply at webkitgtk.org
I found one case of overflow when scaling the results of a GstQuery. The code was like this:
rangeStart * toGstUnsigned64Time(mediaDuration) / GST_FORMAT_PERCENT_MAX
In this case mediaDuration was 24 hours. rangeStart was a signed integer. Computing the multiplication:
rangeStart = (int64_t) 999999
toGstUnsigned64Time(mediaDuration) = (uint64_t) 86408208000000
> (int64_t) 999999 * (uint64_t) 86408208000000
12621145296953793536
Which does not look that strange on first sight, but if you actually run the calculation on a calculator supporting big ints, like Python's:
In [1]: 999999 * 86408208000000
Out[1]: 86408121591792000000
It's now clear that the previous value was wrong: the result overflowed. This caused an inconsistency that was fortunately caught by an assertion:
ASSERTION FAILED: start <= end
#0 WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:267
#1 0x00007ff7f03cd413 in WebCore::PlatformTimeRanges::add (this=0x21ff490, start=..., end=...) at ../../Source/WebCore/platform/graphics/PlatformTimeRanges.cpp:141
#2 0x00007ff7f0d80d3a in WebCore::MediaPlayerPrivateGStreamer::buffered (this=0x7ff760856a80) at ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1127
#3 0x00007ff7f03bdf6b in WebCore::MediaPlayer::buffered (this=0x7ff7cd168410) at ../../Source/WebCore/platform/graphics/MediaPlayer.cpp:818
#4 0x00007ff7efcf9a73 in WebCore::HTMLMediaElement::buffered (this=0x7ff760c00778) at ../../Source/WebCore/html/HTMLMediaElement.cpp:5116
#5 0x00007ff7f10b244e in WebCore::RenderThemeGtk::paintMediaSliderTrack (this=0x7ff7f67cf440 <WebCore::RenderTheme::singleton()::theme>, o=..., paintInfo=..., r=...)
at ../../Source/WebCore/rendering/RenderThemeGtk.cpp:1893
#6 0x00007ff7f07e9f93 in WebCore::RenderTheme::paint (this=0x7ff7f67cf440 <WebCore::RenderTheme::singleton()::theme>, box=..., controlStates=..., paintInfo=..., rect=...)
at ../../Source/WebCore/rendering/RenderTheme.cpp:385
[...]
GStreamer has utility functions to perform these scale operations safely; the attached patch uses them.
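The arithmetic above, reproduced as an added example that is not code from WebKit, GStreamer or the attached patch. It uses the exact values from the report (999999 and 86408208000000) to show the naive expression wrapping modulo 2^64, and beside it an overflow-checked scale routine written in the style of gst_util_uint64_scale(), which is not linked here; PERCENT_MAX is assumed equal to GST_FORMAT_PERCENT_MAX (1000000), the function names are hypothetical, and the 128-bit intermediate relies on the GCC/Clang unsigned __int128 extension.

```c
/* Added example (not WebKit or GStreamer code): reproduce the 64-bit wrap in
 *   rangeStart * toGstUnsigned64Time(mediaDuration) / GST_FORMAT_PERCENT_MAX
 * and show an overflow-checked replacement modelled on gst_util_uint64_scale().
 * Requires GCC or Clang for unsigned __int128. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed to match GStreamer's GST_FORMAT_PERCENT_MAX. */
#define PERCENT_MAX 1000000ULL

/* Values taken from the bug report: a duration of about 24 hours in
 * nanoseconds, and a percent position just below PERCENT_MAX. */
#define DURATION_NS 86408208000000ULL
#define RANGE_START 999999LL

/* The expression as it stood in the buggy code path. The int64_t operand is
 * converted to uint64_t by the usual arithmetic conversions, the product
 * wraps modulo 2^64, and the division then runs on the wrapped value. */
uint64_t scale_naive(int64_t range_percent, uint64_t duration_ns)
{
    return (uint64_t)range_percent * duration_ns / PERCENT_MAX;
}

/* Overflow-checked val * num / denom (hypothetical name). Returns false for a
 * zero denominator or a negative position; saturates to UINT64_MAX when the
 * true result does not fit in 64 bits, the convention gst_util_uint64_scale
 * documents for overflow. The 128-bit intermediate can never wrap, because
 * the product of two 64-bit values always fits in 128 bits. */
bool scale_checked(int64_t val, uint64_t num, uint64_t denom, uint64_t *out)
{
    if (denom == 0 || val < 0)
        return false;
    unsigned __int128 product = (unsigned __int128)(uint64_t)val * num;
    unsigned __int128 result = product / denom;
    *out = result > UINT64_MAX ? UINT64_MAX : (uint64_t)result;
    return true;
}

/* Convert a [start, end] percent range into nanoseconds, refusing to hand
 * out the inconsistent (start > end) ranges that tripped the assertion in
 * PlatformTimeRanges::add. */
bool percent_range_to_ns(int64_t start_pct, int64_t end_pct, uint64_t duration_ns,
                         uint64_t *start_ns, uint64_t *end_ns)
{
    if (!scale_checked(start_pct, duration_ns, PERCENT_MAX, start_ns))
        return false;
    if (!scale_checked(end_pct, duration_ns, PERCENT_MAX, end_ns))
        return false;
    return *start_ns <= *end_ns;
}

int main(void)
{
    uint64_t s, e;
    /* Wrapped result: roughly 3.5 hours instead of just under 24 hours. */
    printf("naive:   %llu ns\n", (unsigned long long)scale_naive(RANGE_START, DURATION_NS));
    if (percent_range_to_ns(RANGE_START, PERCENT_MAX, DURATION_NS, &s, &e))
        printf("checked: [%llu, %llu] ns\n", (unsigned long long)s, (unsigned long long)e);
    return 0;
}
```

Running it prints 12621145296953 ns for the naive form (the wrapped 12621145296953793536 divided by a million) against 86408121591792 ns for the checked form, which is the value the big-integer calculation in the report predicts. Rejecting negative positions and a zero denominator up front matters as much as the wide intermediate: the signed rangeStart is exactly the kind of operand that silently becomes a huge unsigned value.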