Closed Bug 1115349 Opened 9 years ago Closed 9 years ago

[openh264] ASAN heap-buffer-overflow in WelsDec::DecodeCurrentAccessUnit

Categories

(Core :: Audio/Video: GMP, defect)

Platform: x86_64
OS: Windows 8.1
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr31 --- unaffected

People

(Reporter: nils, Unassigned)

References

Details

(Keywords: csectype-bounds, sec-high)

Attachments

(1 file)

311 bytes, application/octet-stream
Attached file repro.264
The attached testcase crashes the ASAN build of h264dec of the upcoming openh264 firefox branch (https://github.com/cisco/openh264/tree/v1.3-Firefox36).

The testcase crashes both the 32-bit and 64-bit builds.

ASAN output:


=================================================================
==54156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf37029fa at pc 0x080d6730 bp 0xfff8f718 sp 0xfff8f2fc
WRITE of size 600 at 0xf37029fa thread T0
    #0 0x80d672f in __asan_memset _asan_rtl_ (discriminator 6)
    #1 0x814ec68 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) ??:?
    #2 0x814afdc in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) ??:?
    #3 0x812bca8 in WelsDecodeBs ??:?
    #4 0x811e8b3 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) ??:?
    #5 0x8115661 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) ??:?
    #6 0x8119394 in main ??:?
    #7 0xf7481672 in
    #8 0x807d9bb in _start ??:?

0xf37029fa is located 0 bytes to the right of 122-byte region [0xf3702980,0xf37029fa)
allocated by thread T0 here:
    #0 0x80f190b in __interceptor_malloc _asan_rtl_ (discriminator 2)
    #1 0x818d3ff in WelsMalloc ??:?

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x3e6e04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e6e04f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e6e0500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
  0x3e6e0510: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e6e0520: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa
=>0x3e6e0530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]
  0x3e6e0540: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e6e0550: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa
  0x3e6e0560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
  0x3e6e0570: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e6e0580: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==54156==ABORTING
Depends on: 1113777
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
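The ASAN report above records a 600-byte memset() landing in a 122-byte heap region, with the first bad byte 0 bytes past the end, and the shadow map shows the last granule of that region as [02] (two addressable bytes, since 122 = 15*8 + 2). The following is an added illustration of that bug class and of how to read those two numbers; it is not openh264 code and does not reproduce the actual decoder logic. The scratch_t type, the function names and the idea of a clear-count arriving separately from the allocation size are assumptions made for the example; the values 122 and 600 are taken from the report.

```c
/*
 * Added illustration, not code from openh264 or from this bug report.
 * Shows the shape of the defect the ASAN output describes: a heap region
 * allocated with one size and later cleared with memset() using a larger,
 * separately derived count. Also shows how to interpret ASAN's
 * "N-byte region" and shadow-byte values for that region.
 * scratch_t, scratch_alloc, reset_unchecked and reset_checked are
 * hypothetical names chosen for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical per-access-unit scratch buffer sized at allocation time. */
typedef struct {
    uint8_t *data;
    size_t   capacity;   /* bytes actually allocated for data */
} scratch_t;

static scratch_t *scratch_alloc(size_t capacity) {
    scratch_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->data = malloc(capacity);
    if (!s->data) { free(s); return NULL; }
    s->capacity = capacity;
    return s;
}

static void scratch_free(scratch_t *s) {
    if (!s) return;
    free(s->data);
    free(s);
}

/* Unsafe pattern: clears 'count' bytes without comparing against capacity.
 * With capacity 122 and count 600 this is exactly the 600-byte WRITE that
 * AddressSanitizer reports as starting 0 bytes past a 122-byte region.
 * Never call this with count > capacity outside an ASAN build. */
static void reset_unchecked(scratch_t *s, size_t count) {
    memset(s->data, 0, count);
}

/* Hardened form: refuse the clear (return -1) when the requested count
 * exceeds what was allocated, so a stream-derived count can never reach
 * memset() unchecked. The caller treats -1 as a decode error. */
static int reset_checked(scratch_t *s, size_t count) {
    if (s == NULL || s->data == NULL || count > s->capacity) {
        return -1;
    }
    memset(s->data, 0, count);
    return 0;
}

/* How many bytes of a write of 'write_len' bytes that begins at the start
 * of a 'region' byte allocation land outside the allocation.
 * For the report above: overflow_bytes(122, 600) == 478. */
static size_t overflow_bytes(size_t region, size_t write_len) {
    return write_len > region ? write_len - region : 0;
}

/* Value ASAN shows for the final shadow byte of a 'region' byte allocation:
 * one shadow byte covers 8 application bytes, and a partially addressable
 * granule is encoded as the number of addressable bytes (1..7); a fully
 * addressable granule is 00. For 122 bytes the last granule holds 2 bytes,
 * matching the "[02]" marked in the shadow dump. */
static unsigned last_shadow_byte(size_t region) {
    return (unsigned)(region % 8);
}

int main(void) {
    scratch_t *s = scratch_alloc(122);
    if (!s) return 1;

    /* Same count as the allocation: allowed. */
    printf("reset_checked(122) -> %d\n", reset_checked(s, 122));
    /* Oversized count: rejected instead of corrupting the heap. */
    printf("reset_checked(600) -> %d\n", reset_checked(s, 600));
    printf("bytes past end for a 600-byte write into 122 bytes: %zu\n",
           overflow_bytes(122, 600));
    printf("last shadow byte for a 122-byte region: %02x\n",
           last_shadow_byte(122));

#ifdef DEMO_OVERFLOW
    /* Build with -fsanitize=address -DDEMO_OVERFLOW to see a report of the
     * same shape as the one above (WRITE of size 600 via __asan_memset). */
    reset_unchecked(s, 600);
#endif

    scratch_free(s);
    return 0;
}
```

The check in reset_checked is the whole fix for this bug class: the size used for the write must be bounded by the size used for the allocation, not by a value the bitstream can steer independently. The two helper functions are only there to make the report's numbers concrete; they are not part of any fix.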
According to my testing, this one is fixed by this commit which has now been merged into the v1.3-Firefox36 branch:
https://github.com/cisco/openh264/commit/f08d73553fb78d4c1de261cfc21b83ae80c81d6a
Keywords: sec-high
Group: media-core-security
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: media-core-security
Group: core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
