[openh264] ASAN heap-buffer-overflow in memcpy in ExpandPictureChroma_c

Status

RESOLVED FIXED
Product: External Software Affecting Firefox
Component: OpenH264
Opened: 3 years ago
Last updated: a year ago
People

Reporter: Nils; Assignee: Unassigned

Tracking

Keywords: csectype-bounds, sec-critical
Version: unspecified
Platform: x86_64 Linux
Bug Flags: sec-bounty +

Firefox Tracking Flags

(firefox34 wontfix, firefox35 fixed, firefox36 fixed, firefox37 fixed, firefox38 fixed, firefox39 fixed, firefox-esr31 unaffected)

Attachments (1)

repro.264 (attachment 8540720), 1.11 KB, application/octet-stream

Description (Reporter, 3 years ago)

Created attachment 8540720: repro.264

The attached testcase crashes the ASAN build of h264dec of the upcoming openh264 firefox branch (https://github.com/cisco/openh264/tree/v1.3-Firefox36).

The ASAN build has been compiled with USE_ASM=No.

The testcase crashes both the 32-bit and 64-bit builds.

ASAN output:

=================================================================
==28781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f22e6b7a820 at pc 0x0000004aee26 bp 0x7fff36fd52d0 sp 0x7fff36fd4a80
WRITE of size 176 at 0x7f22e6b7a820 thread T0
    #0 0x4aee25 in __asan_memcpy /home/nils/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:430:3
    #1 0x604e0d in ExpandPictureChroma_c(unsigned char*, int, int, int) (/home/nils/264/h264dec-ff-1.3-64+0x604e0d)
    #2 0x60542f in ExpandReferencingPicture (/home/nils/264/h264dec-ff-1.3-64+0x60542f)
    #3 0x521eb5 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3-64+0x521eb5)
    #4 0x51a86a in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3-64+0x51a86a)
    #5 0x4fb580 in WelsDecodeBs (/home/nils/264/h264dec-ff-1.3-64+0x4fb580)
    #6 0x4ef44b in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3-64+0x4ef44b)
    #7 0x4e7bf6 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) (/home/nils/264/h264dec-ff-1.3-64+0x4e7bf6)
    #8 0x4ead40 in main (/home/nils/264/h264dec-ff-1.3-64+0x4ead40)
    #9 0x7f22e90e4ec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x43e596 in _start (/home/nils/264/h264dec-ff-1.3-64+0x43e596)

0x7f22e6b7a820 is located 5 bytes to the right of 184347-byte region [0x7f22e6b4d800,0x7f22e6b7a81b)
allocated by thread T0 here:
    #0 0x4c58b2 in malloc /home/nils/build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x56ad61 in WelsMalloc (/home/nils/264/h264dec-ff-1.3-64+0x56ad61)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nils/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:430 __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe4dcd674b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4dcd674f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe4dcd67500: 00 00 00 03[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4dcd67550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28781==ABORTING
Keywords: csectype-bounds
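
As an added illustration (not code from this bug, from OpenH264, or from the fix referenced in comment 2; the page does not say why the memcpy ran past the allocation), the C below models the border expansion that ExpandPictureChroma_c performs on a reference picture and shows the size check a decoder needs before that expansion touches memory. The top and bottom border lines are written with one memcpy of a full padded row each, driven by the picture dimensions, so if those dimensions and the allocation disagree, the last copies land past the end of the region. The padding width CHROMA_PAD, the 64x32 sample plane, the gradient fill and all function names are assumptions of this example, not OpenH264's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed chroma border width (pixels on each side); OpenH264's own constant is not given on the page. */
#define CHROMA_PAD 16

/* Bytes a chroma plane needs at `stride` bytes per row with `height` visible rows
 * plus CHROMA_PAD rows of border above and below. `stride` must already cover the
 * left and right border. */
static size_t padded_chroma_size(int stride, int height)
{
    return (size_t)stride * (size_t)(height + 2 * CHROMA_PAD);
}

/* How many bytes the bottom border copies would run past an allocation of
 * `alloc_size` bytes if the expansion used these dimensions (0 if it fits). */
static size_t expansion_overrun_bytes(int stride, int height, size_t alloc_size)
{
    size_t need = padded_chroma_size(stride, height);
    return need > alloc_size ? need - alloc_size : 0;
}

/* First visible pixel (row 0, column 0) inside a buffer laid out as above. */
static uint8_t *visible_origin(uint8_t *base, int stride)
{
    return base + (size_t)CHROMA_PAD * (size_t)stride + CHROMA_PAD;
}

/* Replicate the picture edge into the border, the operation ExpandPictureChroma_c
 * performs on a reference picture. Returns 0 on success; -1, without writing
 * anything, if the dimensions would make the copies leave [base, base + alloc_size). */
static int expand_chroma_checked(uint8_t *base, size_t alloc_size,
                                 int stride, int width, int height)
{
    if (width <= 0 || height <= 0 || stride < width + 2 * CHROMA_PAD)
        return -1;
    if (expansion_overrun_bytes(stride, height, alloc_size) != 0)
        return -1;                       /* dimensions disagree with the allocation */

    uint8_t *dst = visible_origin(base, stride);

    /* Left/right border: smear the first and last visible pixel of every row. */
    for (int y = 0; y < height; y++) {
        uint8_t *row = dst + (size_t)y * (size_t)stride;
        memset(row - CHROMA_PAD, row[0], CHROMA_PAD);
        memset(row + width, row[width - 1], CHROMA_PAD);
    }

    /* Top/bottom border: copy the side-padded first/last row outward, one memcpy
     * of a full padded row per border line. These copies are what walk off the
     * end of the buffer when `height` is larger than the buffer was sized for. */
    size_t row_bytes = (size_t)width + 2 * CHROMA_PAD;
    uint8_t *top = dst - CHROMA_PAD;
    uint8_t *bottom = top + (size_t)(height - 1) * (size_t)stride;
    for (int i = 1; i <= CHROMA_PAD; i++) {
        memcpy(top - (size_t)i * (size_t)stride, top, row_bytes);
        memcpy(bottom + (size_t)i * (size_t)stride, bottom, row_bytes);
    }
    return 0;
}

/* Constructed sample: a 64x32 chroma plane (stride 96) filled with a gradient,
 * then expanded with `claimed_height`, as if that value came from the bitstream.
 * corners[0]/corners[1] receive the first/last byte of the allocation afterwards. */
static int run_expansion_demo(int claimed_height, uint8_t corners[2])
{
    const int width = 64, height = 32, stride = width + 2 * CHROMA_PAD;
    size_t size = padded_chroma_size(stride, height);
    uint8_t *buf = calloc(size, 1);
    if (!buf)
        return -2;
    uint8_t *vis = visible_origin(buf, stride);
    for (int y = 0; y < height; y++)
        for (int x = 0; x < width; x++)
            vis[(size_t)y * (size_t)stride + x] = (uint8_t)(16 + x + y);

    int rc = expand_chroma_checked(buf, size, stride, width, claimed_height);
    corners[0] = buf[0];
    corners[1] = buf[size - 1];
    free(buf);
    return rc;
}

int main(void)
{
    uint8_t c[2];
    int rc = run_expansion_demo(32, c);
    printf("consistent dims: rc=%d corners=%u,%u\n", rc, (unsigned)c[0], (unsigned)c[1]);
    rc = run_expansion_demo(40, c);
    printf("claimed height 40: rc=%d, overrun would be %zu bytes\n", rc,
           expansion_overrun_bytes(96, 40, padded_chroma_size(96, 32)));
    return 0;
}
```

With consistent dimensions the expansion fills the border and the first and last bytes of the allocation become the replicated corner pixels; with a claimed height the buffer was not sized for, the checked version returns -1 and leaves memory untouched instead of running the last row copies past the end of the region. A height/allocation mismatch is only one way such a full-row overrun arises; the report above does not say which dimension was wrong in this case.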

Updated

3 years ago
Depends on: 1113777
Ethan: same questions as bug 1114996 comment 1
Flags: needinfo?(ethanhugg)
Keywords: sec-critical

Updated

3 years ago
Flags: needinfo?(ethanhugg)

Updated

3 years ago
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Version: Trunk → unspecified

Comment 2

3 years ago
Thanks for the information. 
The problem is fixed in openh264 codec master (https://github.com/cisco/openh264/pull/1673), 
and v1.3 (https://github.com/cisco/openh264/commit/917d683bb25906ea7506cc531e56d241a558a5d0)
Could you please check if it is OK with either? Thanks.
status-firefox34: --- → wontfix
status-firefox35: --- → affected
status-firefox36: --- → affected
status-firefox37: --- → affected
status-firefox-esr31: --- → unaffected
tracking-firefox37: --- → +
status-firefox38: --- → affected
tracking-firefox37: + → ---
Group: media-core-security

Comment 3

3 years ago
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: media-core-security
status-firefox35: affected → fixed
status-firefox36: affected → fixed
status-firefox37: affected → fixed
status-firefox38: affected → fixed
status-firefox39: --- → fixed

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release