Closed Bug 1115349 Opened 10 years ago Closed 10 years ago

[openh264] ASAN heap-buffer-overflow in WelsDec::DecodeCurrentAccessUnit

Categories

(Core :: Audio/Video: GMP, defect)

Product:
Core
Component:
Audio/Video: GMP
Platform:
x86_64
Windows 8.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr31 --- unaffected

People

(Reporter: nils, Unassigned)

References

Details

(Keywords: csectype-bounds, reporter-external, sec-high)

Attachments

(1 file)

repro.264
311 bytes, application/octet-stream
Details
Attached file repro.264
The attached testcase crashes the ASAN build of h264dec of the upcoming openh264 firefox branch (https://github.com/cisco/openh264/tree/v1.3-Firefox36). The testcases crashes both the 32-bit and 64-bit build. ASAN output: ================================================================= ==54156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf37029fa at pc 0x080d6730 bp 0xfff8f718 sp 0xfff8f2fc WRITE of size 600 at 0xf37029fa thread T0 #0 0x80d672f in __asan_memset _asan_rtl_ (discriminator 6) #1 0x814ec68 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) ??:? #2 0x814afdc in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) ??:? #3 0x812bca8 in WelsDecodeBs ??:? #4 0x811e8b3 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) ??:? #5 0x8115661 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) ??:? #6 0x8119394 in main ??:? #7 0xf7481672 in #8 0x807d9bb in _start ??:? 0xf37029fa is located 0 bytes to the right of 122-byte region [0xf3702980,0xf37029fa) allocated by thread T0 here: #0 0x80f190b in __interceptor_malloc _asan_rtl_ (discriminator 2) #1 0x818d3ff in WelsMalloc ??:? SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x3e6e04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e6e04f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e6e0500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 0x3e6e0510: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x3e6e0520: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa =>0x3e6e0530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02] 0x3e6e0540: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x3e6e0550: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa 0x3e6e0560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 0x3e6e0570: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x3e6e0580: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==54156==ABORTING
Depends on: 1113777
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
According to my testing, this one is fixed by this commit which has now been merged into the v1.3-Firefox36 branch: https://github.com/cisco/openh264/commit/f08d73553fb78d4c1de261cfc21b83ae80c81d6a
Keywords: sec-high
Group: media-core-security
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+ so marking this as fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: media-core-security
Group: core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: