Openh264: ASAN heap-buffer-overflow in WelsDec::McChroma_sse2

Status: RESOLVED WORKSFORME
Type: defect
Reported: 5 years ago; last modified: 2 years ago
Reporter: nils; Assignee: unassigned
Keywords: csectype-bounds, sec-high
Bug flags: sec-bounty -
Firefox tracking flags: not tracked
Attachments: 1 (repro.264, 1.61 KB, application/octet-stream)
Reporter

Description

5 years ago
Posted file repro.264
The attached testcase crashes an ASAN build of the Firefox branch of openh264 ( https://github.com/cisco/openh264/tree/v1.1-Firefox34 ) as follows:

=================================================================
==962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5b45820 at pc 0x081829ff bp 0xffa1c978 sp 0xffa1c970
WRITE of size 1 at 0xf5b45820 thread T0
    #0 0x81829fe in WelsDec::McChroma_sse2(unsigned char const*, int, unsigned char*, int, short, short, int, int) (/home/nils/264/h264dec-ff+0x81829fe)
    #1 0x81ea424 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, WelsDec::TagMcFunc*, int, int, short*) (/home/nils/264/h264dec-ff+0x81ea424)
    #2 0x81e83a7 in WelsDec::GetInterPred(unsigned char*, unsigned char*, unsigned char*, WelsDec::TagWelsDecoderContext*) (/home/nils/264/h264dec-ff+0x81e83a7)
    #3 0x81b1e6b in WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) (/home/nils/264/h264dec-ff+0x81b1e6b)
    #4 0x81b0ffc in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) (/home/nils/264/h264dec-ff+0x81b0ffc)
    #5 0x8145f27 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff+0x8145f27)
    #6 0x8141c9d in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff+0x8141c9d)
    #7 0x8123d6d in WelsDecodeBs (/home/nils/264/h264dec-ff+0x8123d6d)
    #8 0x811d193 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff+0x811d193)
    #9 0x8115778 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) (/home/nils/264/h264dec-ff+0x8115778)
    #10 0x8118774 in main (/home/nils/264/h264dec-ff+0x8118774)
    #11 0xf7463a82  (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #12 0x807cd8b in _start (/home/nils/264/h264dec-ff+0x807cd8b)

0xf5b45820 is located 9 bytes to the right of 86039-byte region [0xf5b30800,0xf5b45817)
allocated by thread T0 here:
    #0 0x80f0cdb in malloc /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x8182c7f in WelsMalloc (/home/nils/264/h264dec-ff+0x8182c7f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 WelsDec::McChroma_sse2(unsigned char const*, int, unsigned char*, int, short, short, int, int)
Shadow bytes around the buggy address:
  0x3eb68ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eb68ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eb68ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eb68ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eb68af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3eb68b00: 00 00 07 fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x3eb68b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eb68b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eb68b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eb68b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eb68b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==962==ABORTING
Component: Video/Audio → WebRTC: Audio/Video
Keywords: csectype-bounds
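The report above carries three independent statements of where the bad write landed: the faulting address, the "N bytes to the right of ... region [start,end)" line, and the shadow-byte dump. When triaging a fuzzer crash it is worth checking that these agree before spending time on it, and the numbers the check produces (distance past the end, offset from the allocation start) are exactly what a reviewer of a later fix wants to see. The following is an added example, not code from the bug report or from the openh264 project: a small triage script that parses the lines of this report (copied in as constructed sample input) and cross-checks them. It assumes the i386 ASan shadow layout, shadow = (addr >> 3) + 0x20000000, which is what the 32-bit build in the trace uses; the helper and field names are this example's own.

```python
import re

# Sample input: lines copied from the AddressSanitizer report above (constructed
# for this example by trimming the report to the lines the parser reads).
ASAN_REPORT = """\
==962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5b45820 at pc 0x081829ff bp 0xffa1c978 sp 0xffa1c970
WRITE of size 1 at 0xf5b45820 thread T0
    #0 0x81829fe in WelsDec::McChroma_sse2(unsigned char const*, int, unsigned char*, int, short, short, int, int) (/home/nils/264/h264dec-ff+0x81829fe)
    #1 0x81ea424 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, WelsDec::TagMcFunc*, int, int, short*) (/home/nils/264/h264dec-ff+0x81ea424)
0xf5b45820 is located 9 bytes to the right of 86039-byte region [0xf5b30800,0xf5b45817)
allocated by thread T0 here:
    #0 0x80f0cdb in malloc /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x8182c7f in WelsMalloc (/home/nils/264/h264dec-ff+0x8182c7f)
Shadow bytes around the buggy address:
  0x3eb68af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3eb68b00: 00 00 07 fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x3eb68b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# ASan shadow mapping for 32-bit x86 Linux (the trace above is an i386 build):
# shadow(addr) = (addr >> 3) + 0x20000000. 64-bit targets use a different base.
SHADOW_OFFSET_I386 = 0x20000000
SHADOW_SCALE = 3


def shadow_address(addr):
    """Return the address of the shadow byte describing the 8-byte granule of addr."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET_I386


def parse_asan_report(text):
    """Extract the fields a triager needs from an ASan heap-buffer-overflow report."""
    hdr = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text, re.M)
    top = re.search(r"^\s*#0 0x[0-9a-f]+ in ([^\s(]+)", text, re.M)  # first #0 is the access site
    reg = re.search(r"(0x[0-9a-f]+) is located (\d+) bytes (to the left of|to the right of|inside of) "
                    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    sh = re.search(r"^=>\s*(0x[0-9a-f]+):\s*(.*)$", text, re.M)   # the highlighted shadow row
    if not (hdr and acc and top and reg and sh):
        raise ValueError("not a complete ASan heap-buffer-overflow report")
    toks = re.findall(r"(\[?)([0-9a-f]{2})\]?", sh.group(2))       # "[fa]" marks the faulting granule
    return {
        "bug": hdr.group(1),
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16),
        "function": top.group(1),
        "distance": int(reg.group(2)),
        "side": reg.group(3).split()[-2],            # "left", "right" or "inside"
        "region_size": int(reg.group(4)),
        "region_start": int(reg.group(5), 16),
        "region_end": int(reg.group(6), 16),         # exclusive end, as ASan prints it
        "shadow_row_base": int(sh.group(1), 16),
        "shadow_row": [int(v, 16) for _, v in toks],
        "shadow_marked": next(i for i, (b, _) in enumerate(toks) if b),
    }


def triage(text):
    """Cross-check the report against itself and compute where the access landed."""
    r = parse_asan_report(text)
    start, end, addr = r["region_start"], r["region_end"], r["addr"]
    # 1. The printed region size must match its bounds.
    r["region_ok"] = (end - start == r["region_size"])
    # 2. The printed distance must match the bounds and the faulting address.
    expected = {"right": addr - end, "left": start - addr, "inside": addr - start}[r["side"]]
    r["distance_ok"] = (expected == r["distance"])
    # Byte offset of the access from the start of the allocation (what any
    # index-based bounds check in the writer would have had to stay below).
    r["overflow_offset"] = addr - start
    # 3. The highlighted shadow byte must be the one that maps to addr, and must be poisoned.
    marked_addr = r["shadow_row_base"] + r["shadow_marked"]
    r["shadow_byte"] = r["shadow_row"][r["shadow_marked"]]
    r["shadow_ok"] = (marked_addr == shadow_address(addr) and r["shadow_byte"] != 0x00)
    # 4. If the region does not end on an 8-byte boundary, the granule holding its
    #    last byte must be marked "partially addressable" with exactly end % 8 bytes.
    last_idx = shadow_address(end - 1) - r["shadow_row_base"]
    partial = end % 8
    if 0 <= last_idx < len(r["shadow_row"]) and partial:
        r["granule_ok"] = (r["shadow_row"][last_idx] == partial)
    else:
        r["granule_ok"] = None  # granule not in the printed row, or region ends on a boundary
    r["summary"] = ("%d-byte %s in %s, %d bytes %s a %d-byte heap region (offset %d from its start)"
                    % (r["size"], r["access"], r["function"], r["distance"],
                       {"right": "past the end of", "left": "before", "inside": "into"}[r["side"]],
                       r["region_size"], r["overflow_offset"]))
    return r


if __name__ == "__main__":
    t = triage(ASAN_REPORT)
    print(t["summary"])
    for k in ("region_ok", "distance_ok", "shadow_ok", "granule_ok"):
        print("%-12s %s" % (k, t[k]))
```

For this report all four checks pass: 0xf5b45817 - 0xf5b30800 is 86039, the write at 0xf5b45820 is 9 bytes past the exclusive end (offset 86048 into the allocation), the bracketed shadow byte sits at 0x3eb68b04 = shadow(0xf5b45820) and is 0xfa (a heap redzone), and the 07 two granules earlier says only 7 of the 8 bytes ending at 0xf5b45817 are addressable, which is what an allocation ending at ...17 should look like. A report whose distance or bounds had been mis-copied while filing would fail the corresponding check instead.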

Comment 1

5 years ago
Thanks for the information.
Checked it with the latest openh264 codec (master); no heap-buffer-overflow found.
It should have been fixed already by earlier pull requests.
Could you please check if it is OK with the latest codec? Thanks.
If OK, we can schedule an update to the new codec.

Updated

5 years ago
Depends on: 1113777
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Version: Trunk → unspecified
Nils, can you recheck based on comment 1?
Flags: needinfo?(nils)
Reporter

Comment 3

5 years ago
I can confirm that the 1.3 branch of openh264 doesn't crash on the testcase anymore. I also haven't seen any similar crashes while fuzzing several different builds of the 1.3 branch.
Flags: needinfo?(nils)
Calling this "worksforme" because we don't know exactly what fixed it and it's likely a dupe. If we weren't already planning on taking bug 1113777, "fixed" might be better.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
Keywords: sec-high
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release