Closed
Bug 1115381
Opened 10 years ago
Closed 10 years ago
[openh264] ASAN heap-buffer-overflow in memcpy in ExpandPictureLuma_c
Categories
(Core :: Audio/Video: GMP, defect)
Tracking
RESOLVED FIXED
 | Tracking | Status
---|---|---
firefox-esr31 | --- | unaffected
People
(Reporter: nils, Unassigned)
References
Details
(Keywords: csectype-bounds, reporter-external, sec-high)
Attachments
(1 file) 288 bytes, application/octet-stream
The attached testcase crashes the ASAN build of h264dec of the upcoming openh264 firefox branch (https://github.com/cisco/openh264/tree/v1.3-Firefox36).
The testcase crashes both the 32-bit and 64-bit builds without assembler optimisations.
ASAN output:
=================================================================
==26685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf2f75830 at pc 0x080d623d bp 0xffe0a618 sp 0xffe0a1f8
WRITE of size 64 at 0xf2f75830 thread T0
#0 0x80d623c in __asan_memcpy _asan_rtl_ (discriminator 6)
#1 0x8226ead in ExpandPictureLuma_c(unsigned char*, int, int, int) codec/common/src/expand_pic.cpp:?
#2 0x8227544 in ExpandReferencingPicture ??:?
#3 0x8151c20 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) ??:?
#4 0x814afdc in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) ??:?
#5 0x812bca8 in WelsDecodeBs ??:?
#6 0x811e8b3 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) ??:?
#7 0x8115661 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*) ??:?
#8 0x8119394 in main ??:?
#9 0xf74c9672 in
#10 0x807d9bb in _start ??:?
0xf2f75830 is located 25 bytes to the right of 86039-byte region [0xf2f60800,0xf2f75817)
allocated by thread T0 here:
#0 0x80f190b in __interceptor_malloc _asan_rtl_ (discriminator 2)
#1 0x818d3ff in WelsMalloc ??:?
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x3e5eeab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e5eeac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e5eead0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e5eeae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3e5eeaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e5eeb00: 00 00 07 fa fa fa[fa]fa fa fa fa fa fa fa fa fa
0x3e5eeb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e5eeb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e5eeb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e5eeb40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e5eeb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==26685==ABORTING
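The report above is a heap-buffer-overflow WRITE of 64 bytes by a memcpy inside ExpandPictureLuma_c, landing 25 bytes past the end of an 86039-byte region obtained from WelsMalloc: the border expansion of a reference picture wrote beyond the buffer it was given. The following C is an added illustration, not code from openh264, the reporter or the eventual fix. It models the class of operation (replicating edge pixels into a padded border) and pairs the expansion footprint with the real allocation size so a mismatch is refused rather than written. The names `padded_plane_bytes`, `expand_luma_checked`, the 32-pixel `PAD`, and the constructed "buffer sized for 64x48, expansion for 128x96" scenario are all assumptions for the example, not facts taken from the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of luma border expansion; not openh264's code.
 * A decoded w x h luma plane lives inside a larger allocation with PAD
 * pixels of border on every side. Expansion replicates the edge pixels
 * into that border so motion compensation may reference pixels that lie
 * outside the visible frame. */
#define PAD 32

/* Bytes the padded plane occupies: (h + 2*PAD) rows of `stride` bytes.
 * Returns 0 for dimensions that cannot be laid out in `stride`. */
static size_t padded_plane_bytes(int w, int h, int stride)
{
    if (w <= 0 || h <= 0 || stride < w + 2 * PAD)
        return 0;
    return (size_t)(h + 2 * PAD) * (size_t)stride;
}

/* Checked expansion. `buf_len` is the real size of `buf`; the visible
 * plane starts at row PAD, column PAD. Returns 0 on success and -1 when
 * the expansion footprint does not fit, instead of writing past the end
 * the way the unchecked memcpy in the ASAN report did. */
static int expand_luma_checked(uint8_t *buf, size_t buf_len,
                               int w, int h, int stride)
{
    size_t need = padded_plane_bytes(w, h, stride);
    if (need == 0 || need > buf_len)
        return -1;

    uint8_t *plane = buf + (size_t)PAD * stride + PAD;

    /* Left and right borders: replicate each row's first/last pixel. */
    for (int y = 0; y < h; y++) {
        uint8_t *row = plane + (size_t)y * stride;
        memset(row - PAD, row[0], PAD);
        memset(row + w, row[w - 1], PAD);
    }

    /* Top and bottom borders: copy the already-widened first/last row.
     * Each copy is exactly w + 2*PAD bytes, which fits in `stride`. */
    uint8_t *first = plane - PAD;
    uint8_t *last  = plane + (size_t)(h - 1) * stride - PAD;
    size_t width = (size_t)w + 2 * PAD;
    for (int i = 1; i <= PAD; i++) {
        memcpy(first - (size_t)i * stride, first, width);
        memcpy(last + (size_t)i * stride, last, width);
    }
    return 0;
}

/* Constructed scenario: a buffer sized for a 64x48 frame is asked to hold
 * the expansion of a 128x96 frame. The checked path rejects it (-1). */
static int demo_mismatch_rejected(void)
{
    int small_w = 64, small_h = 48, small_stride = small_w + 2 * PAD;
    size_t len = padded_plane_bytes(small_w, small_h, small_stride);
    uint8_t *buf = calloc(len, 1);
    if (!buf)
        return -2;
    int big_w = 128, big_h = 96, big_stride = big_w + 2 * PAD;
    int rc = expand_luma_checked(buf, len, big_w, big_h, big_stride);
    free(buf);
    return rc;
}

/* Matching case: the border must end up holding the nearest edge pixel,
 * so the allocation's first and last bytes equal the plane's corner pixels. */
static int demo_expand_ok(void)
{
    int w = 16, h = 8, stride = w + 2 * PAD;
    size_t len = padded_plane_bytes(w, h, stride);
    uint8_t *buf = calloc(len, 1);
    if (!buf)
        return 0;
    uint8_t *plane = buf + (size_t)PAD * stride + PAD;
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++)
            plane[(size_t)y * stride + x] = (uint8_t)(y * 16 + x + 1);

    int ok = expand_luma_checked(buf, len, w, h, stride) == 0
          && buf[0] == plane[0]
          && buf[len - 1] == plane[(size_t)(h - 1) * stride + w - 1];
    free(buf);
    return ok;
}

int main(void)
{
    printf("oversized expansion rejected: rc=%d\n", demo_mismatch_rejected());
    printf("matching expansion correct: %d\n", demo_expand_ok());
    return 0;
}
```

The point of the check is that the writer of the border and the allocator of the buffer agree on one number, the padded footprint, before any memcpy runs; an ASAN build will still catch a stray write, but a release build will not, so the guard belongs in the decoder rather than in the sanitizer.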
Updated • 10 years ago
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
Comment 1 • 10 years ago
Provisionally rating this as sec-high. We'd like developer input on this rating though.
Keywords: sec-high
Updated • 10 years ago
Group: media-core-security
Comment 3 • 10 years ago
OpenH264 1.3 has this fix and is now downloaded for Firefox 34+, so marking this as fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated • 10 years ago
status-firefox-esr31: --- → unaffected
Updated • 10 years ago
Flags: sec-bounty?
Updated • 10 years ago
Flags: sec-bounty? → sec-bounty+
Updated • 10 years ago
Group: media-core-security
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release
Updated • 8 years ago
Keywords: csectype-bounds
Updated • 2 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
Updated • 8 months ago
Keywords: reporter-external