Closed Bug 1109371 Opened 8 years ago Closed 8 years ago

invalid memcpy in openh264p

Categories

(Core :: Audio/Video: GMP, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
firefox34 --- wontfix
firefox35 --- fixed
firefox36 --- fixed
firefox37 --- fixed
firefox38 --- fixed
firefox39 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: abillings, Unassigned)

Details

(Keywords: csectype-bounds, sec-critical, Whiteboard: [reporter-external])

Attachments

(3 files)

Attached file ASAN log
security@mozilla.org received the following report:

Attached file will expose an invalid memcpy in openh264. I haven't done
a thorough analysis (and I feel I'm probably not skilled enough to
judge exploitability).

I've attached address sanitizer output and a gdb backtrace for
further analysis.

This was found with american fuzzy lop.

cu,
-- Hanno Böck http://hboeck.de/ mail/jabber: hanno@hboeck.de GPG: BBB51E42
Attached file gdb-backtrace.log
Flags: sec-bounty?
Ethan: the symptoms seem like they might be exploitable. Can you tell?
Flags: needinfo?(ethanhugg)
Whiteboard: [reporter-external]
I will have the team analyze it tonight.  The crash looks like it's in CabacContextInit which is not in the v1.1-Firefox34 branch that we are shipping, but is in the master branch which I'm hoping to branch from soon for our next FF build.  We will make sure it's fixed before we call our next build.
Flags: needinfo?(ethanhugg)
Depends on: 1113777
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Randell, when are we going to take OpenH264 1.3 on Firefox?
The bug to get OpenH264 1.3 into Firefox is here - Bug 1113777
From bug 1113777: "My assumption is that we'll put this version in for 36+ and let it ride the train from there."
Flags: needinfo?(rjesup)
Group: media-core-security
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+
Group: media-core-security
Group: core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core