Closed Bug 958958 Opened 10 years ago Closed 10 years ago

OpenH264: global-buffer-overflow crash [@WelsDec::IdctResAddPred_c]

Categories

(Core :: WebRTC: Audio/Video, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox30 --- disabled
firefox-esr24 --- unaffected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Attachments

(2 files)

Attached file testcase.264
Similar to https://bugzilla.mozilla.org/show_bug.cgi?id=958935 but has a different stack and uses kiStride2.

codec/decoder/core/src/decode_mb_aux.cpp:102

void_t IdctResAddPred_c (uint8_t* pPred, const int32_t kiStride, int16_t* pRs) {
  [...]
  const int32_t kiStride2   = kiStride << 1;
  [...]
  pDst[i + kiStride2] = pClip[ ((32 + kT1 - kT2) >> 6) + pDst[i + kiStride2] ];
  [...]
}

Tested with https://github.com/cisco/openh264/commit/4a8a9aabc1
Attached file callstack
Component: Video/Audio → WebRTC: Audio/Video
root cause found, reason same as 958948, pull request can be seen via https://github.com/cisco/openh264/pull/146
Hi Christoph:
   fix it. Could you verify it on cisco/master branch? thanks!
Fixed.

Tested with https://github.com/cisco/openh264/commit/fcd7a13816
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
What versions of Firefox were affected by this? What version took the github fix into it (if any yet)?
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: