Closed
Bug 1109371
Opened 10 years ago
Closed 9 years ago
invalid memcpy in openh264p
Categories
(Core :: Audio/Video: GMP, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: abillings, Unassigned)
References
Details
(Keywords: csectype-bounds, sec-critical, Whiteboard: [reporter-external])
Attachments
(3 files)
security@mozilla.org received the following report: Attached file will expose an invalid memcpy in openh264. I haven't done a thorough analysis (and I feel I'm probably not skilled enough to judge exploitability). I've attached address sanitizer output and a gdb backtrace for further analysis. This was found with american fuzzy lop. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@hboeck.de GPG: BBB51E42
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
|
|
Reporter | |
Updated•10 years ago
|
Flags: sec-bounty?
|
||
Comment 3•10 years ago
|
||
Ethan: the symptoms seem like they might be exploitable. Can you tell?
Flags: needinfo?(ethanhugg)
Whiteboard: [reporter-external]
|
||
Comment 4•10 years ago
|
||
I will have the team analyze it tonight. The crash looks like it's in CabacContextInit which is not in the v1.1-Firefox34 branch that we are shipping, but is in the master branch which I'm hoping to branch from soon for our next FF build. We will make sure it's fixed before we call our next build.
Flags: needinfo?(ethanhugg)
|
|
||
Comment 5•10 years ago
|
||
Fix reviewed here: https://rbcommons.com/s/OpenH264/r/1008/ And merged here: https://github.com/cisco/openh264/commit/7f27198c6857096d755b592c7f55f7b1469c50ab So it should be in OpenH264 v1.3
|
|
||
Updated•10 years ago
|
Keywords: csectype-bounds,
sec-critical
|
||
Updated•9 years ago
|
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
|
|
Reporter | |
Comment 6•9 years ago
|
||
Randell, when are we going to take OpenH264 1.3 on Firefox?
status-firefox34:
--- → wontfix
status-firefox35:
--- → affected
status-firefox36:
--- → affected
status-firefox37:
--- → affected
status-firefox-esr31:
--- → unaffected
tracking-firefox37:
--- → +
Flags: needinfo?(rjesup)
|
|
||
Comment 7•9 years ago
|
||
The bug to get OpenH264 1.3 into Firefox is here - Bug 1113777
|
|
||
Comment 8•9 years ago
|
||
From bug 1113777: "My assumption is that we'll put this version in for 36+ and let it ride the train from there."
Flags: needinfo?(rjesup)
|
|
Reporter | |
Updated•9 years ago
|
status-firefox38:
--- → affected
tracking-firefox37:
+ → ---
|
|
||
Updated•9 years ago
|
Group: media-core-security
|
|
||
Comment 9•9 years ago
|
||
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•9 years ago
|
Group: media-core-security
|
||
Updated•9 years ago
|
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
Assignee | |
Updated•2 years ago
|
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•