invalid memcpy in openh264p

Status: RESOLVED FIXED
Reported: 4 years ago
Modified: a year ago

People

(Reporter: abillings, Unassigned)

Tracking

Keywords: csectype-bounds, sec-critical
Version: unspecified
Platform: x86 Mac OS X
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox34 wontfix, firefox35 fixed, firefox36 fixed, firefox37 fixed, firefox38 fixed, firefox39 fixed, firefox-esr31 unaffected)

Details

(Whiteboard: [reporter-external])

Attachments

(3 attachments)

(Reporter)

Description

4 years ago
Created attachment 8534041 [details]
ASAN log

security@mozilla.org received the following report:

Attached file will expose an invalid memcpy in openh264. I haven't done
a thorough analysis (and I feel I'm probably not skilled enough to
judge exploitability).

I've attached address sanitizer output and a gdb backtrace for
further analysis.

This was found with american fuzzy lop.

cu,
-- Hanno Böck http://hboeck.de/ mail/jabber: hanno@hboeck.de GPG: BBB51E42
(Reporter)

Comment 1

4 years ago
Created attachment 8534042 [details]
gdb-backtrace.log
(Reporter)

Comment 2

4 years ago
Created attachment 8534043 [details]
openh264-crash-minimal case
(Reporter)

Updated

4 years ago
Flags: sec-bounty?
Ethan: the symptoms seem like they might be exploitable. Can you tell?
Flags: needinfo?(ethanhugg)
Whiteboard: [reporter-external]

Comment 4

4 years ago
I will have the team analyze it tonight.  The crash looks like it's in CabacContextInit which is not in the v1.1-Firefox34 branch that we are shipping, but is in the master branch which I'm hoping to branch from soon for our next FF build.  We will make sure it's fixed before we call our next build.
Flags: needinfo?(ethanhugg)
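The report above gives only the symptom (an invalid memcpy caught by ASAN on an afl-generated input) and the crashing function name. The following is an added illustration of that bug class, written for this page; it is not code from openh264, not CabacContextInit, and not the actual fix. Everything in it is hypothetical: a fixed-size context table, a one-byte length field read straight from the input, and the two constructed sample inputs. It shows the unchecked copy a fuzzer would flag beside the form with both the destination and the source bound checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size context table, standing in for whatever a real
 * decoder initialises from the bitstream. Not the openh264 layout. */
#define CTX_TABLE_SIZE 16

typedef struct {
    uint8_t table[CTX_TABLE_SIZE];
    size_t used;
} ctx_t;

/* The unchecked pattern: the copy length comes from the first input byte and
 * is never compared with either the destination size or the bytes actually
 * present. A length byte above 16 overflows c->table; a length byte larger
 * than the remaining input reads past the buffer. ASAN reports both.
 * Kept only to show what a crash file exercises; do not run it outside ASAN. */
int init_ctx_unchecked(ctx_t *c, const uint8_t *in, size_t in_len)
{
    if (in_len < 1)
        return -1;
    size_t n = in[0];
    memcpy(c->table, in + 1, n);
    c->used = n;
    return 0;
}

/* The checked form: reject the length before any copy happens.
 * Returns 0 on success, -1 for an empty input, -2 when the length exceeds
 * the destination table, -3 when it exceeds the bytes still in the input. */
int init_ctx_checked(ctx_t *c, const uint8_t *in, size_t in_len)
{
    if (in_len < 1)
        return -1;
    size_t n = in[0];
    if (n > CTX_TABLE_SIZE)
        return -2;          /* would overflow c->table */
    if (n > in_len - 1)
        return -3;          /* would read past the end of in */
    memcpy(c->table, in + 1, n);
    c->used = n;
    return 0;
}

/* Constructed sample inputs (not taken from the attached crash file). */
static const uint8_t good_input[]   = { 4, 0xDE, 0xAD, 0xBE, 0xEF }; /* valid */
static const uint8_t oversize_len[] = { 200, 1, 2, 3 };              /* table overflow */
static const uint8_t truncated[]    = { 8, 1, 2, 3 };                /* over-read */

/* Stand-alone driver: with a path argument it decodes that file, which is
 * the shape of harness afl feeds crash cases through; without one it runs
 * the constructed samples. */
int main(int argc, char **argv)
{
    ctx_t c;
    memset(&c, 0, sizeof c);

    if (argc > 1) {
        uint8_t buf[4096];
        FILE *f = fopen(argv[1], "rb");
        if (!f)
            return 1;
        size_t len = fread(buf, 1, sizeof buf, f);
        fclose(f);
        printf("checked:   %d\n", init_ctx_checked(&c, buf, len));
        return 0;
    }

    printf("good:      %d\n", init_ctx_checked(&c, good_input, sizeof good_input));
    printf("oversize:  %d\n", init_ctx_checked(&c, oversize_len, sizeof oversize_len));
    printf("truncated: %d\n", init_ctx_checked(&c, truncated, sizeof truncated));
    return 0;
}
```

To reproduce the workflow the reporter describes, build with `clang -g -fsanitize=address` (or `afl-clang-fast` with the same sanitizer flag for fuzzing), point main at the unchecked variant and feed it the crash file; ASAN prints the stack-buffer-overflow or heap-buffer-overflow report at the memcpy with the offending size. The fix is the two comparisons in init_ctx_checked: the destination bound prevents the write overflow, and the source bound prevents the read past the input, and neither is sufficient on its own.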

Updated

4 years ago
Depends on: 1113777
Keywords: csectype-bounds, sec-critical

Updated

4 years ago
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
(Reporter)

Comment 6

4 years ago
Randell, when are we going to take OpenH264 1.3 on Firefox?
status-firefox34: --- → wontfix
status-firefox35: --- → affected
status-firefox36: --- → affected
status-firefox37: --- → affected
status-firefox-esr31: --- → unaffected
tracking-firefox37: --- → +
Flags: needinfo?(rjesup)

Comment 7

4 years ago
The bug to get OpenH264 1.3 into Firefox is here - Bug 1113777
From bug 1113777: "My assumption is that we'll put this version in for 36+ and let it ride the train from there."
Flags: needinfo?(rjesup)
(Reporter)

Updated

4 years ago
status-firefox38: --- → affected
tracking-firefox37: + → ---
Group: media-core-security

Comment 9

4 years ago
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Reporter)

Updated

4 years ago
Flags: sec-bounty? → sec-bounty+
Group: media-core-security
status-firefox35: affected → fixed
status-firefox36: affected → fixed
status-firefox37: affected → fixed
status-firefox38: affected → fixed
status-firefox39: --- → fixed

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release