index out of bounds: the len is 512 but the index is 567 #306

Open
glandium opened this issue Feb 27, 2025 · 1 comment

@glandium

After enabling zlib-rs/libz-rs-sys 0.4.1 in Firefox nightly, we've started receiving crash reports for out-of-bounds accesses in `State::d_code`:
https://crash-stats.mozilla.org/report/index/113ebfb1-9197-44e2-88ce-322b20250223

```
8 xul.dll core::panicking::panic_bounds_check() library/core/src/panicking.rs:273 cfi
9 xul.dll zlib_rs::deflate::State::d_code(unsigned long long) third_party/rust/zlib-rs/src/deflate.rs:1063 inlined
9 xul.dll zlib_rs::deflate::BitWriter::emit_dist(ref$<slice2$<zlib_rs::deflate::Value> >, ref$<slice2$<zlib_rs::deflate::Value> >, unsigned char, unsigned long long) third_party/rust/zlib-rs/src/deflate.rs:1077 inlined
9 xul.dll zlib_rs::deflate::BitWriter::compress_block_help(ref$<slice2$ >, ref$<slice2$<zlib_rs::deflate::Value> >, ref$<slice2$<zlib_rs::deflate::Value> >) third_party/rust/zlib-rs/src/deflate.rs:1105 cfi
10 xul.dll zlib_rs::deflate::State::compress_block_dynamic_trees() third_party/rust/zlib-rs/src/deflate.rs:1469 inlined
10 xul.dll zlib_rs::deflate::zng_tr_flush_block(zlib_rs::deflate::DeflateStream*, enum2$<core::option::Option >, unsigned int, bool) third_party/rust/zlib-rs/src/deflate.rs:2327 inlined
10 xul.dll zlib_rs::deflate::flush_block_only(zlib_rs::deflate::DeflateStream*, bool) third_party/rust/zlib-rs/src/deflate.rs:2343 cfi
11 xul.dll zlib_rs::deflate::algorithm::medium::deflate_medium(zlib_rs::deflate::DeflateStream*, zlib_rs::DeflateFlush) third_party/rust/zlib-rs/src/deflate/algorithm/mod.rs:19 cfi
12 xul.dll zlib_rs::deflate::algorithm::run(zlib_rs::deflate::DeflateStream*, zlib_rs::DeflateFlush) third_party/rust/zlib-rs/src/deflate.rs:2706 inlined
12 xul.dll zlib_rs::deflate::deflate(zlib_rs::deflate::DeflateStream*, zlib_rs::DeflateFlush) third_party/rust/zlib-rs/src/deflate.rs:2612 cfi
13 xul.dll MOZ_PNG_compress_IDAT(png_struct_def*, unsigned char const*, unsigned long long, int)
```

I unfortunately don't have more information than the stack trace that says it starts from compressing data while creating a PNG IDAT section (so I can't give an example of what specific data leads to this), and we have yet to update to 0.4.2, but it doesn't look like the relevant code was updated since 0.4.1.

@glandium

This could be a CPU bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1950764#c3
