Closed
Bug 1106397
Opened 10 years ago
Closed 10 years ago
Openh264: ASAN attempting free on address which was not malloc() in WelsDec::FreePicture
Categories
(Core :: Audio/Video: GMP, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: nils, Unassigned)
References
Details
(Keywords: reporter-external, sec-high)
Attachments
(2 files)
The attached testcase crashes an ASAN build of the Firefox branch of openh264 ( https://github.com/cisco/openh264/tree/v1.1-Firefox34 ) as follows:
=================================================================
==486==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xf3e38800 in thread T0
#0 0x80f09db in __interceptor_free /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x8182dc6 in WelsFree (/home/nils/264/h264dec-ff+0x8182dc6)
#2 0x81846de in WelsDec::FreePicture(WelsDec::TagPicture*) (/home/nils/264/h264dec-ff+0x81846de)
#3 0x8120539 in WelsFreeMem (/home/nils/264/h264dec-ff+0x8120539)
#4 0x81239b4 in WelsEndDecoder (/home/nils/264/h264dec-ff+0x81239b4)
#5 0x811c049 in WelsDec::CWelsDecoder::Uninitialize() (/home/nils/264/h264dec-ff+0x811c049)
#6 0x8118e82 in main (/home/nils/264/h264dec-ff+0x8118e82)
#7 0xf7417a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#8 0x807cd8b in _start (/home/nils/264/h264dec-ff+0x807cd8b)
0xf3e38800 is located 203196400 bytes to the right of 4091772928-byte region [0xf3e38010,0xe7c70010)
ASAN:SIGSEGV
==486==AddressSanitizer: while reporting a bug found another one. Ignoring.
The attached mp4 contains the same stream in an mp4 container. It crashes the nightly plugin process on Windows with an security check error.
|
||
Updated•10 years ago
|
Component: Video/Audio → WebRTC: Audio/Video
Thanks for the information.
Checked it with latest openh264 codec (master), no heap-buffer-overflow found.
It should have been fixed already by early pull requests.
Could you please check if it is OK with latest codec? Thanks.
If OK, we can schedule and update new codec.
|
||
Comment 3•10 years ago
|
||
(In reply to wayne from comment #2)
> Thanks for the information.
> Checked it with latest openh264 codec (master), no heap-buffer-overflow
> found.
> It should have been fixed already by early pull requests.
> Could you please check if it is OK with latest codec? Thanks.
> If OK, we can schedule and update new codec.
When you check this with the master branch did you do so with an ASAN build? Thanks.
(In reply to Ethan Hugg [:ehugg] from comment #3)
> (In reply to wayne from comment #2)
> > Thanks for the information.
> > Checked it with latest openh264 codec (master), no heap-buffer-overflow
> > found.
> > It should have been fixed already by early pull requests.
> > Could you please check if it is OK with latest codec? Thanks.
> > If OK, we can schedule and update new codec.
>
> When you check this with the master branch did you do so with an ASAN build?
> Thanks.
Yeah. I used USE_ASAN=Yes to check it, and found no critical information.
|
|
||
Updated•10 years ago
|
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Version: Trunk → unspecified
I can confirm that the 1.3 branch of openh264 doesn't crash on the testcase anymore. I also haven't seen any similar crashes while fuzzing several different builds of the 1.3 branch.
Flags: needinfo?(nils)
|
||
Comment 7•10 years ago
|
||
Seems like it was a dupe of an upstream fix.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
|
||
Updated•10 years ago
|
Flags: sec-bounty?
|
|
||
Updated•10 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
Assignee | |
Updated•2 years ago
|
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•