serenity icon indicating copy to clipboard operation
serenity copied to clipboard
verified publisher icon SerenityOS

LibGfx: UB when painting GitHub.com homepage with CPU painter

Open ADKaster opened this issue 2 years ago • 0 comments

steps:

  • enable ASAN + UBSAN
  • go to GitHub.com
  • scroll down

🤯

Backtrace 
/Users/andrew/Source/serenity/Userland/Libraries/LibGfx/AntiAliasingPainter.cpp:348:23: runtime error: signed integer overflow: 153000 * 153000 cannot be represented in type 'int'
    #0 0x10508d99c in Gfx::AntiAliasingPainter::draw_ellipse_part(Gfx::Point<int>, int, int, Gfx::Color, bool, AK::Optional<Gfx::AntiAliasingPainter::Range>, Gfx::AntiAliasingPainter::BlendMode) AntiAliasingPainter.cpp:348
    #1 0x10508ace8 in Gfx::AntiAliasingPainter::fill_circle(Gfx::Point<int>, int, Gfx::Color, Gfx::AntiAliasingPainter::BlendMode) AntiAliasingPainter.cpp:292
    #2 0x10508a83c in Gfx::AntiAliasingPainter::fill_ellipse(Gfx::Rect<int> const&, Gfx::Color, Gfx::AntiAliasingPainter::BlendMode) AntiAliasingPainter.cpp:303
    #3 0x105092064 in auto Gfx::AntiAliasingPainter::fill_rect_with_rounded_corners(Gfx::Rect<int> const&, Gfx::Color, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::BlendMode)::$_0::operator()<Gfx::Point<int>, Gfx::Point<int>>(Gfx::Point<int> const&, Gfx::Point<int> const&, Gfx::AntiAliasingPainter::CornerRadius const&) const AntiAliasingPainter.cpp:588
    #4 0x10508fe50 in Gfx::AntiAliasingPainter::fill_rect_with_rounded_corners(Gfx::Rect<int> const&, Gfx::Color, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::CornerRadius, Gfx::AntiAliasingPainter::BlendMode) AntiAliasingPainter.cpp:593
    #5 0x10b3bf64c in Web::Painting::PaintingCommandExecutorCPU::fill_rect_with_rounded_corners(Gfx::Rect<int> const&, Gfx::Color const&, Gfx::AntiAliasingPainter::CornerRadius const&, Gfx::AntiAliasingPainter::CornerRadius const&, Gfx::AntiAliasingPainter::CornerRadius const&, Gfx::AntiAliasingPainter::CornerRadius const&, AK::Optional<Gfx::Point<float>> const&) PaintingCommandExecutorCPU.cpp:265
    #6 0x10b3ee7ac in Web::Painting::RecordingPainter::execute(Web::Painting::PaintingCommandExecutor&) RecordingPainter.cpp:444
    #7 0x102dd01e0 in WebContent::PageClient::paint(Gfx::Rect<AK::DistinctNumeric<int, Web::__DevicePixels_tag, AK::DistinctNumericFeature::Arithmetic, AK::DistinctNumericFeature::CastToUnderlying, AK::DistinctNumericFeature::Comparison, AK::DistinctNumericFeature::Increment>> const&, Gfx::Bitmap&, Web::PaintOptions)+0x840 (WebContent:arm64+0x1001cc1e0)
    #8 0x102c2a2c4 in WebContent::ConnectionFromClient::flush_pending_paint_requests()+0x220 (WebContent:arm64+0x1000262c4)
    #9 0x10a0b3174 in JS::SafeFunction<void ()>::operator()() const SafeFunction.h:85
    #10 0x104ba8098 in AK::Function<void ()>::operator()() const Function.h:115
    #11 0x104ba54f4 in Core::EventReceiver::dispatch_event(Core::Event&, Core::EventReceiver*) EventReceiver.cpp:163
    #12 0x104c38c28 in Core::ThreadEventQueue::process() ThreadEventQueue.cpp:111
    #13 0x104b83d00 in Core::EventLoop::spin_until(AK::Function<bool ()>) EventLoop.cpp:93
    #14 0x10b47c790 in Web::Platform::EventLoopPluginSerenity::spin_until(JS::SafeFunction<bool ()>) EventLoopPluginSerenity.cpp:19
    #15 0x10aaecae4 in Web::HTML::EventLoop::spin_until(JS::SafeFunction<bool ()>) EventLoop.cpp:78
    #16 0x10adefca4 in Web::HTML::HTMLParser::the_end() HTMLParser.cpp:271
    #17 0x10adef364 in Web::HTML::HTMLParser::run(AK::URL const&) HTMLParser.cpp:224
    #18 0x10a63b404 in Web::parse_document(Web::DOM::Document&, AK::Detail::ByteBuffer<32ul> const&, AK::Optional<AK::String>) DocumentLoading.cpp:217
    #19 0x10a64fca0 in JS::SafeFunction<void (AK::Detail::ByteBuffer<32ul>)>::CallableWrapper<Web::load_document(AK::Optional<Web::HTML::NavigationParams>)::$_0>::call(AK::Detail::ByteBuffer<32ul>) SafeFunction.h:133
    #20 0x10a92b8e0 in JS::SafeFunction<void (AK::Detail::ByteBuffer<32ul>)>::operator()(AK::Detail::ByteBuffer<32ul>) const SafeFunction.h:85
    #21 0x10a92b1c8 in JS::SafeFunction<void ()>::CallableWrapper<Web::Fetch::Infrastructure::Body::fully_read(JS::Realm&, JS::SafeFunction<void (AK::Detail::ByteBuffer<32ul>)>, JS::SafeFunction<void (JS::GCPtr<Web::WebIDL::DOMException>)>, AK::Variant<AK::Empty, JS::NonnullGCPtr<JS::Object>>) const::$_0::operator()(AK::Detail::ByteBuffer<32ul> const&)::'lambda'()>::call() SafeFunction.h:133
    #22 0x10a0b3174 in JS::SafeFunction<void ()>::operator()() const SafeFunction.h:85
    #23 0x10aaed300 in Web::HTML::EventLoop::process() EventLoop.cpp:111
    #24 0x10a0b3174 in JS::SafeFunction<void ()>::operator()() const SafeFunction.h:85
    #25 0x104ba8098 in AK::Function<void ()>::operator()() const Function.h:115
    #26 0x104ba54f4 in Core::EventReceiver::dispatch_event(Core::Event&, Core::EventReceiver*) EventReceiver.cpp:163
    #27 0x104c38c28 in Core::ThreadEventQueue::process() ThreadEventQueue.cpp:111
    #28 0x104b88eac in Core::EventLoopImplementationUnix::exec() EventLoopImplementationUnix.cpp:101
    #29 0x104b83a34 in Core::EventLoop::exec() EventLoop.cpp:86
    #30 0x102c122e8 in serenity_main(Main::Arguments) main.cpp:133
    #31 0x102f396f4 in main+0x400 (WebContent:arm64+0x1003356f4)
    #32 0x18bdb10dc  (<unknown module>)
    #33 0x6e7d7ffffffffffc  (<unknown module>)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/andrew/Source/serenity/Userland/Libraries/LibGfx/AntiAliasingPainter.cpp:348:23 in

cc @kalenikaliaksandr

ADKaster avatar Dec 19 '23 22:12 ADKaster