Closed
Bug 1114993
Opened 10 years ago
Closed 10 years ago
[openh264] ASAN heap-buffer-overflow in WelsDec::WelsInitRefList
Categories: Core :: Audio/Video: GMP, defect
Status: RESOLVED FIXED
People: Reporter: nils, Unassigned
Keywords: csectype-bounds, reporter-external, sec-critical
Attachments (1 file): 1.43 KB, application/octet-stream
The attached testcase crashes the ASAN build of h264dec of the upcoming openh264 firefox branch (https://github.com/cisco/openh264/tree/v1.3-Firefox36).
This affects the ASM optimised 32-bit build. The non-ASM 32- and 64-bit builds crash on a read violation, probably because ASAN is bailing early on the read.
ASAN output:
=================================================================
==28876==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf485d817 at pc 0x080d7410 bp 0xffd4d5c8 sp 0xffd4d1ac
WRITE of size 81920 at 0xf485d817 thread T0
#0 0x80d740f in __asan_memset /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:383:5
#1 0x816b19e in WelsDec::WelsInitRefList(WelsDec::TagWelsDecoderContext*, int) (/home/nils/264/h264dec-ff-1.3+0x816b19e)
#2 0x8150c8c in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3+0x8150c8c)
#3 0x814bd9c in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3+0x814bd9c)
#4 0x812b3cb in WelsDecodeBs (/home/nils/264/h264dec-ff-1.3+0x812b3cb)
#5 0x811f593 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (/home/nils/264/h264dec-ff-1.3+0x811f593)
#6 0x81170a9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) (/home/nils/264/h264dec-ff-1.3+0x81170a9)
#7 0x811a074 in main (/home/nils/264/h264dec-ff-1.3+0x811a074)
#8 0xf7494a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#9 0x807e69b in _start (/home/nils/264/h264dec-ff-1.3+0x807e69b)
0xf485d817 is located 0 bytes to the right of 86039-byte region [0xf4848800,0xf485d817)
allocated by thread T0 here:
#0 0x80f25eb in malloc /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x819525f in WelsMalloc (/home/nils/264/h264dec-ff-1.3+0x819525f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bobthebuilder/llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:383 __asan_memset
==28876==ABORTING
Comment 1•10 years ago
Ethan: same questions as bug 1114996 comment 1
Flags: needinfo?(ethanhugg)
Keywords: sec-critical
Updated•10 years ago
Flags: needinfo?(ethanhugg)
Updated•10 years ago
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Version: Trunk → unspecified
Updated•10 years ago
status-firefox34: --- → wontfix
status-firefox35: --- → affected
status-firefox36: --- → affected
status-firefox37: --- → affected
status-firefox-esr31: --- → unaffected
tracking-firefox37: --- → +
Comment 2•10 years ago
According to my testing, this one is fixed by this commit which has now been merged into the v1.3-Firefox36 branch:
https://github.com/cisco/openh264/commit/5c114c3ebb6d6477e5cbf1c52b9f08a7cb4d18c0
Updated•10 years ago
status-firefox38: --- → affected
tracking-firefox37: + → ---
Updated•10 years ago
Group: media-core-security
Comment 4•10 years ago
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Flags: sec-bounty?
Updated•10 years ago
Flags: sec-bounty? → sec-bounty+
Updated•10 years ago
Group: media-core-security
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release
Updated•8 years ago
Keywords: csectype-bounds
Updated•2 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
Updated•8 months ago
Keywords: reporter-external