[Webkit-unassigned] [Bug 189419] New: [GStreamer] Fix overflow in buffered ranges

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 7 10:54:26 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=189419

            Bug ID: 189419
           Summary: [GStreamer] Fix overflow in buffered ranges
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aboya at igalia.com
                CC: bugs-noreply at webkitgtk.org

I found one case of overflow when scaling the results of a GstQuery. The code was like this:

rangeStart * toGstUnsigned64Time(mediaDuration) / GST_FORMAT_PERCENT_MAX

In this case mediaDuration was 24 hours. rangeStart was a signed integer. Computing the multiplication:

rangeStart = (int64_t) 999999
toGstUnsigned64Time(mediaDuration) = (uint64_t) 86408208000000

> (int64_t) 999999 * (uint64_t) 86408208000000
12621145296953793536

Which does not look that strange on first sight, but if you actually run the calculation on a calculator supporting big ints, like Python's:

In [1]: 999999 * 86408208000000
Out[1]: 86408121591792000000

It's now clear that the previous value was wrong: the result overflowed. This caused an inconsistency that was fortunately caught by an assertion:

ASSERTION FAILED: start <= end
#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:267
#1  0x00007ff7f03cd413 in WebCore::PlatformTimeRanges::add (this=0x21ff490, start=..., end=...) at ../../Source/WebCore/platform/graphics/PlatformTimeRanges.cpp:141
#2  0x00007ff7f0d80d3a in WebCore::MediaPlayerPrivateGStreamer::buffered (this=0x7ff760856a80) at ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1127
#3  0x00007ff7f03bdf6b in WebCore::MediaPlayer::buffered (this=0x7ff7cd168410) at ../../Source/WebCore/platform/graphics/MediaPlayer.cpp:818
#4  0x00007ff7efcf9a73 in WebCore::HTMLMediaElement::buffered (this=0x7ff760c00778) at ../../Source/WebCore/html/HTMLMediaElement.cpp:5116
#5  0x00007ff7f10b244e in WebCore::RenderThemeGtk::paintMediaSliderTrack (this=0x7ff7f67cf440 <WebCore::RenderTheme::singleton()::theme>, o=..., paintInfo=..., r=...)
    at ../../Source/WebCore/rendering/RenderThemeGtk.cpp:1893
#6  0x00007ff7f07e9f93 in WebCore::RenderTheme::paint (this=0x7ff7f67cf440 <WebCore::RenderTheme::singleton()::theme>, box=..., controlStates=..., paintInfo=..., rect=...)
    at ../../Source/WebCore/rendering/RenderTheme.cpp:385
[...]

GStreamer has utility functions to perform these scale operations safely, the attached patch uses them.
