Closed Bug 1114992 Opened 9 years ago Closed 9 years ago

[openh264] ASAN heap-buffer-overflow in memcpy in ExpandPictureChroma_c

Categories

(Core :: Audio/Video: GMP, defect)

x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
firefox34 --- wontfix
firefox35 --- fixed
firefox36 --- fixed
firefox37 --- fixed
firefox38 --- fixed
firefox39 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: nils, Unassigned)

References

Details

(Keywords: csectype-bounds, sec-critical)

Attachments

(1 file)

1.11 KB, application/octet-stream
Details
Attached file repro.264
The attached testcase crashes the ASAN build of h264dec of the upcoming openh264 firefox branch (https://github.com/cisco/openh264/tree/v1.3-Firefox36).

The ASAN build has been compiled with USE_ASM=No.

The testcases crashes both the 32-bit and 64-bit build.

ASAN output:

=================================================================
==28781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f22e6b7a820 at pc 0x0000004aee26 bp 0x7fff36fd52d0 sp 0x7fff36fd4a80
WRITE of size 176 at 0x7f22e6b7a820 thread T0
    #0 0x4aee25 in __asan_memcpy /home/nils/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:430:3
    #1 0x604e0d in ExpandPictureChroma_c(unsigned char*, int, int, int) (/home/nils/264/h264dec-ff-1.3-64+0x604e0d)
    #2 0x60542f in ExpandReferencingPicture (/home/nils/264/h264dec-ff-1.3-64+0x60542f)
    #3 0x521eb5 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3-64+0x521eb5)
    #4 0x51a86a in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3-64+0x51a86a)
    #5 0x4fb580 in WelsDecodeBs (/home/nils/264/h264dec-ff-1.3-64+0x4fb580)
    #6 0x4ef44b in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3-64+0x4ef44b)
    #7 0x4e7bf6 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) (/home/nils/264/h264dec-ff-1.3-64+0x4e7bf6)
    #8 0x4ead40 in main (/home/nils/264/h264dec-ff-1.3-64+0x4ead40)
    #9 0x7f22e90e4ec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x43e596 in _start (/home/nils/264/h264dec-ff-1.3-64+0x43e596)

0x7f22e6b7a820 is located 5 bytes to the right of 184347-byte region [0x7f22e6b4d800,0x7f22e6b7a81b)
allocated by thread T0 here:
    #0 0x4c58b2 in malloc /home/nils/build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x56ad61 in WelsMalloc (/home/nils/264/h264dec-ff-1.3-64+0x56ad61)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nils/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:430 __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe4dcd674b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe4dcd67500: 00 00 00 03[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28781==ABORTING
Depends on: 1113777
Ethan: same questions as bug 1114996 comment 1
Flags: needinfo?(ethanhugg)
Keywords: sec-critical
Flags: needinfo?(ethanhugg)
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Version: Trunk → unspecified
Thanks for the information. 
The problem is fixed in openh264 codec master (https://github.com/cisco/openh264/pull/1673), 
and v1.3 (https://github.com/cisco/openh264/commit/917d683bb25906ea7506cc531e56d241a558a5d0)
Could you please check if it is OK with either? Thanks.
Group: media-core-security
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: media-core-security
Group: core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: