| Summary: | [GStreamer] Fix overflow in buffered ranges | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Alicia Boya García <aboya> | ||||
| Component: | WebKitGTK | Assignee: | Alicia Boya García <aboya> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | bugs-noreply, calvaris, commit-queue, eocanha, pnormand | ||||
| Priority: | P2 | ||||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
Created attachment 349161 [details]
Patch
Comment on attachment 349161 [details]
Patch
Nice catch :)
Comment on attachment 349161 [details] Patch Clearing flags on attachment: 349161 Committed r235848: <https://trac.webkit.org/changeset/235848> All reviewed patches have been landed. Closing bug. |
I found one case of overflow when scaling the results of a GstQuery. The code was like this: rangeStart * toGstUnsigned64Time(mediaDuration) / GST_FORMAT_PERCENT_MAX In this case mediaDuration was 24 hours. rangeStart was a signed integer. Computing the multiplication: rangeStart = (int64_t) 999999 toGstUnsigned64Time(mediaDuration) = (uint64_t) 86408208000000 > (int64_t) 999999 * (uint64_t) 86408208000000 12621145296953793536 Which does not look that strange on first sight, but if you actually run the calculation on a calculator supporting big ints, like Python's: In [1]: 999999 * 86408208000000 Out[1]: 86408121591792000000 It's now clear that the previous value was wrong: the result overflew. This caused an inconsistency that was fortunately caught by an assertion: ASSERTION FAILED: start <= end #0 WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:267 #1 0x00007ff7f03cd413 in WebCore::PlatformTimeRanges::add (this=0x21ff490, start=..., end=...) at ../../Source/WebCore/platform/graphics/PlatformTimeRanges.cpp:141 #2 0x00007ff7f0d80d3a in WebCore::MediaPlayerPrivateGStreamer::buffered (this=0x7ff760856a80) at ../../Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:1127 #3 0x00007ff7f03bdf6b in WebCore::MediaPlayer::buffered (this=0x7ff7cd168410) at ../../Source/WebCore/platform/graphics/MediaPlayer.cpp:818 #4 0x00007ff7efcf9a73 in WebCore::HTMLMediaElement::buffered (this=0x7ff760c00778) at ../../Source/WebCore/html/HTMLMediaElement.cpp:5116 #5 0x00007ff7f10b244e in WebCore::RenderThemeGtk::paintMediaSliderTrack (this=0x7ff7f67cf440 <WebCore::RenderTheme::singleton()::theme>, o=..., paintInfo=..., r=...) at ../../Source/WebCore/rendering/RenderThemeGtk.cpp:1893 #6 0x00007ff7f07e9f93 in WebCore::RenderTheme::paint (this=0x7ff7f67cf440 <WebCore::RenderTheme::singleton()::theme>, box=..., controlStates=..., paintInfo=..., rect=...) at ../../Source/WebCore/rendering/RenderTheme.cpp:385 [...] GStreamer has utility functions to perform these scale operations safely, the attached patch uses them.