Bug 1106399 - Openh264: ASAN heap-buffer-overflow in WelsDec::McChroma_sse2
Opened 10 years ago
Closed 10 years ago
Status: RESOLVED WORKSFORME
Categories: Core :: Audio/Video: GMP, defect
People: Reporter: nils, Unassigned
Keywords: csectype-bounds, reporter-external, sec-high
Attachments (1 file): 1.61 KB, application/octet-stream
The attached testcase crashes an ASAN build of the Firefox branch of openh264 ( https://github.com/cisco/openh264/tree/v1.1-Firefox34 ) as follows:
=================================================================
==962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5b45820 at pc 0x081829ff bp 0xffa1c978 sp 0xffa1c970
WRITE of size 1 at 0xf5b45820 thread T0
#0 0x81829fe in WelsDec::McChroma_sse2(unsigned char const*, int, unsigned char*, int, short, short, int, int) (/home/nils/264/h264dec-ff+0x81829fe)
#1 0x81ea424 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, WelsDec::TagMcFunc*, int, int, short*) (/home/nils/264/h264dec-ff+0x81ea424)
#2 0x81e83a7 in WelsDec::GetInterPred(unsigned char*, unsigned char*, unsigned char*, WelsDec::TagWelsDecoderContext*) (/home/nils/264/h264dec-ff+0x81e83a7)
#3 0x81b1e6b in WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) (/home/nils/264/h264dec-ff+0x81b1e6b)
#4 0x81b0ffc in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) (/home/nils/264/h264dec-ff+0x81b0ffc)
#5 0x8145f27 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff+0x8145f27)
#6 0x8141c9d in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff+0x8141c9d)
#7 0x8123d6d in WelsDecodeBs (/home/nils/264/h264dec-ff+0x8123d6d)
#8 0x811d193 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff+0x811d193)
#9 0x8115778 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) (/home/nils/264/h264dec-ff+0x8115778)
#10 0x8118774 in main (/home/nils/264/h264dec-ff+0x8118774)
#11 0xf7463a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#12 0x807cd8b in _start (/home/nils/264/h264dec-ff+0x807cd8b)
0xf5b45820 is located 9 bytes to the right of 86039-byte region [0xf5b30800,0xf5b45817)
allocated by thread T0 here:
#0 0x80f0cdb in malloc /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x8182c7f in WelsMalloc (/home/nils/264/h264dec-ff+0x8182c7f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 WelsDec::McChroma_sse2(unsigned char const*, int, unsigned char*, int, short, short, int, int)
Shadow bytes around the buggy address:
0x3eb68ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eb68ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eb68ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eb68ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eb68af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3eb68b00: 00 00 07 fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x3eb68b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb68b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb68b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb68b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eb68b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==962==ABORTING
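As an added example (not part of the bug report or of openh264), the script below parses the ASAN output above and cross-checks it against itself: the region arithmetic (0xf5b45817 + 9 == 0xf5b45820, 0xf5b45817 - 0xf5b30800 == 86039), the 32-bit Linux ASan shadow mapping shadow = (addr >> 3) + 0x20000000 used by the reporter's i386 build (x86_64 uses a different offset, 0x7fff8000), and the partial shadow byte 07 that pins the allocation's end at 0xf5b45817. The embedded REPORT string is a trimmed copy of the output above; every function and field name is the example's own.

```python
"""Triage helper for the AddressSanitizer report in this bug.

Added example, not part of the bug report or of openh264. REPORT below is a
trimmed copy of the ASAN output posted in the bug; all names here are the
example's own.
"""
import re

# Trimmed copy of the reporter's output (constructed from the text above).
REPORT = """\
==962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5b45820 at pc 0x081829ff bp 0xffa1c978 sp 0xffa1c970
WRITE of size 1 at 0xf5b45820 thread T0
    #0 0x81829fe in WelsDec::McChroma_sse2(unsigned char const*, int, unsigned char*, int, short, short, int, int) (/home/nils/264/h264dec-ff+0x81829fe)
    #1 0x81ea424 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, WelsDec::TagMcFunc*, int, int, short*) (/home/nils/264/h264dec-ff+0x81ea424)
0xf5b45820 is located 9 bytes to the right of 86039-byte region [0xf5b30800,0xf5b45817)
allocated by thread T0 here:
    #0 0x80f0cdb in malloc /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x8182c7f in WelsMalloc (/home/nils/264/h264dec-ff+0x8182c7f)
=>0x3eb68b00: 00 00 07 fa[fa]fa fa fa fa fa fa fa fa fa fa fa
"""

# ASan on 32-bit Linux (the reporter's i386 build): shadow = (addr >> 3) + 0x20000000.
SHADOW_SCALE = 3
SHADOW_OFFSET_I386 = 0x20000000

# "#N 0x... in NAME" -- NAME stops at whitespace or the opening paren of the signature.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+([^\s(]+)", re.M)


def shadow_address(addr):
    """Address of the shadow byte that describes application address addr."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET_I386


def app_address(shadow):
    """Inverse of shadow_address: first application byte covered by shadow."""
    return (shadow - SHADOW_OFFSET_I386) << SHADOW_SCALE


def parse_asan_report(text):
    """Pull the fields a triager needs out of a heap-buffer-overflow report."""
    head = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    loc = re.search(
        r"located (\d+) bytes to the (left|right) of (\d+)-byte region "
        r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    alloc_pos = text.index("allocated by")
    access_frames = FRAME_RE.findall(text[:alloc_pos])
    alloc_frames = FRAME_RE.findall(text[alloc_pos:])
    row = re.search(r"^=>(0x[0-9a-f]+):(.*)$", text, re.M)
    # Each cell is a two-digit shadow byte; the faulting one is in [brackets].
    cells = re.findall(r"(\[?)([0-9a-f]{2})\]?", row.group(2))
    return {
        "bug_class": head.group(1),
        "fault_addr": int(head.group(2), 16),
        "access": acc.group(1),
        "access_size": int(acc.group(2)),
        "distance": int(loc.group(1)),
        "side": loc.group(2),
        "region_size": int(loc.group(3)),
        "region_start": int(loc.group(4), 16),
        "region_end": int(loc.group(5), 16),
        "crash_frame": access_frames[0][1],
        "alloc_frames": [name for _, name in alloc_frames],
        "shadow_row_base": int(row.group(1), 16),
        "shadow_bytes": [int(v, 16) for _, v in cells],
        "marked_index": next(i for i, (br, _) in enumerate(cells) if br),
    }


def cross_check(r):
    """Verify the report against itself: region arithmetic and shadow mapping.

    A False anywhere means the paste was mangled or the 32-bit shadow layout
    assumed here does not apply to the build that produced the report.
    """
    side_ok = (r["fault_addr"] == r["region_end"] + r["distance"] if r["side"] == "right"
               else r["fault_addr"] == r["region_start"] - r["distance"])
    base = r["shadow_row_base"]
    marked_shadow = base + r["marked_index"]
    # A shadow byte 1..7 means that many leading bytes of its 8-byte group are
    # addressable, so the last such byte tells where the region ends.
    partial = [(i, v) for i, v in enumerate(r["shadow_bytes"]) if 1 <= v <= 7]
    end_from_shadow = app_address(base + partial[-1][0]) + partial[-1][1] if partial else None
    return {
        "region_size_matches": r["region_end"] - r["region_start"] == r["region_size"],
        "distance_matches": side_ok,
        "shadow_of_fault_is_marked": shadow_address(r["fault_addr"]) == marked_shadow,
        "marked_byte_is_poisoned": r["shadow_bytes"][r["marked_index"]] >= 0x80,
        "region_end_from_shadow": end_from_shadow == r["region_end"],
    }


def is_heap_write_overflow(r):
    """The pattern this bug was keyworded sec-high for: a write past a heap region."""
    return r["bug_class"] == "heap-buffer-overflow" and r["access"] == "WRITE"


if __name__ == "__main__":
    rep = parse_asan_report(REPORT)
    print(f"{rep['access']} of {rep['access_size']} byte(s) in {rep['crash_frame']}, "
          f"{rep['distance']} bytes past a {rep['region_size']}-byte region from "
          f"{' <- '.join(rep['alloc_frames'])}")
    for name, ok in cross_check(rep).items():
        print(f"  {name}: {'ok' if ok else 'MISMATCH'}")
```

The shadow checks are the part worth keeping in a triage kit: the bracketed byte in the "=>" row must be exactly shadow_address(fault address), and the 07 two cells to its left decodes back to the region end the text line states, which confirms the write really is a 9-byte overrun of that 86039-byte WelsMalloc region rather than a wild pointer that happened to land near it.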
Updated•10 years ago
Component: Video/Audio → WebRTC: Audio/Video
Keywords: csectype-bounds
Thanks for the information.
Checked it with the latest openh264 codec (master); no heap-buffer-overflow found.
It should have been fixed already by earlier pull requests.
Could you please check if it is OK with the latest codec? Thanks.
If OK, we can schedule an update to the new codec.
Updated•10 years ago
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Version: Trunk → unspecified
I can confirm that the 1.3 branch of openh264 doesn't crash on the testcase anymore. I also haven't seen any similar crashes while fuzzing several different builds of the 1.3 branch.
Flags: needinfo?(nils)
Comment 4•10 years ago
Calling this "worksforme" because we don't know exactly what fixed it and it's likely a dupe. If we weren't already planning on taking bug 1113777 "fixed" might be better.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Updated•10 years ago
Flags: sec-bounty?
Updated•10 years ago
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
Group: core-security → core-security-release
Updated•7 years ago
Group: core-security-release
Updated•2 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
Updated•6 months ago
Keywords: reporter-external