Closed
Bug 1130224
Opened 10 years ago
Closed 10 years ago
invalid memory access on malformed input in function WelsDec::SetScalingListValue
Categories
(Core :: Audio/Video: GMP, defect)
Tracking
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox38 | --- | unaffected |
People
(Reporter: hanno, Unassigned)
Details
(Keywords: reporter-external, sec-other, Whiteboard: bug in features not used by Firefox (yet?))
Attachments
(2 files)
The attached file will cause an invalid memory read access in openh264. This can be reproduced by compiling openh264 with address sanitizer and passing the file to h264dec.
Found with american fuzzy lop.
Comment 1•10 years ago
Updated•10 years ago
Summary: invalid memory access on malformed input → invalid memory access on malformed input in function WelsDec::SetScalingListValue
Comment 2•10 years ago
Which version of OpenH264 did you use? We updated the release version to 1.3 yesterday though I'm not sure if that affected what is available in nightly.
Comment 3•10 years ago
I used the latest code from github:
https://github.com/cisco/openh264
Isn't this the latest code?
Updated•10 years ago
status-firefox38: --- → affected
Flags: sec-bounty?
Comment 4•10 years ago
(In reply to Hanno Boeck from comment #3)
> I used the latest code from github:
> https://github.com/cisco/openh264
>
> Isn't this the latest code?
It is, but it isn't what we've shipped to the public, so we'd like to know what you're testing against.
In the past, some folks have reported issues that were only present in unshipped versions of the Cisco OpenH264 code but not present in anything Firefox normally has. Cisco will often find and fix issues without them showing up in Firefox. This leads to us having a discussion, when it comes to bounties, of whether unfixed Cisco bugs not present in Firefox get a Cisco bounty. So far, we have generally said "yes" but this is the reason why I ask (along with being able to reproduce the problem you described).
Comment 5•10 years ago
I've checked with the v1.3-Firefox36 branch and it seems this branch is not affected, only git head.
Updated•10 years ago
Flags: needinfo?(huili2)
Comment 6•10 years ago
Openh264 master branch is now developing Main&High profile, and features are ongoing. This bug is one defect related to that.
We'll update following features related to 8x8 transform to make it work, and fix similar defects as well.
Flags: needinfo?(huili2)
Comment 7•10 years ago
We're going to give a small bounty for this. This is mostly because you pointed out a need to clarify our processes.
In the future, you should be fuzzing against our nightly (mozilla-central) firefox and the version of OpenH264 that's there. We will be changing our process so specific versions of OpenH264 will go through our release branches but we're still clarifying the process there.
Fuzzing against the tip of the Cisco github branch is not ideal because the Cisco team is doing specific feature work there and we may or may not ship the resulting code, especially before it is run through tests and stabilized. This introduces a level of instability that we don't want to include in the bounty program right now.
We will be clarifying this further.
Updated•10 years ago
Flags: sec-bounty? → sec-bounty+
Comment 8•10 years ago
This is not in v1.4 so marking as fixed by the rollout of OpenH264 v1.4 - bug 1133784.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release
Updated•2 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
Updated•8 months ago
Keywords: reporter-external