OpenH264: global-buffer-overflow crash [@WelsDec::ParseScalingList]

RESOLVED FIXED

Status

External Software Affecting Firefox
OpenH264
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: posidron, Unassigned)

Tracking

(Blocks: 2 bugs, 4 keywords)

unspecified
x86_64
Mac OS X
crash, csectype-bounds, sec-critical, testcase

Firefox Tracking Flags

(firefox37 unaffected, firefox38 unaffected, firefox38.0.5 unaffected, firefox39 unaffected, firefox40 unaffected, firefox41 unaffected, firefox42 unaffected, firefox-esr31 unaffected, firefox-esr38 unaffected)

Details

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8594827 [details]
testcase.264

Tested with https://github.com/cisco/openh264/commit/864ff21021
(Reporter)

Comment 1

3 years ago
Created attachment 8594828 [details]
callstack

Comment 2

3 years ago
I just replicated this crash with the master branch, but I cannot replicate it with the v1.4-Firefox38 branch (gives a 'Feature not supported' message).   So we need to fix this before the next version, but this shouldn't hold up the v1.4 rollout.

Comment 3

3 years ago
This problem has been fixed in commit dac1363.

Comment 4

3 years ago
Please kindly check if it works. Thanks.
Flags: needinfo?(cdiehl)
Tracking for 38+ since this is sec-critical. 
Christoph, which platforms and versions are affected?  Do you need extra QA help?
status-firefox40: --- → affected
tracking-firefox38: --- → +
tracking-firefox39: --- → +
tracking-firefox40: --- → +

Comment 6

3 years ago
No Firefox versions are affected.  This is a bug in code that was added since v1.4 of OpenH264 was made.
Unmarking tracking as this applies to an unreleased version of the plugin.
status-firefox40: affected → unaffected
tracking-firefox38: + → ---
tracking-firefox39: + → ---
tracking-firefox40: + → ---
status-firefox37: --- → unaffected
status-firefox38: --- → unaffected
status-firefox38.0.5: --- → unaffected
status-firefox39: --- → unaffected
status-firefox-esr31: --- → unaffected
status-firefox-esr38: --- → unaffected
Group: core-security
Component: WebRTC: Audio/Video → OpenH264
Product: Core → Plugins
status-firefox41: --- → unaffected

Comment 8

3 years ago
This should now be fixed by the rollout of OpenH264 v1.4 - bug 1133784.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Depends on: 1133784
Resolution: --- → FIXED

Comment 9

3 years ago
Closed this by mistake, this bug was found in post-1.4 code.
Status: RESOLVED → REOPENED
No longer depends on: 1133784
Resolution: FIXED → ---
(Reporter)

Comment 10

3 years ago
Fixed. Tested with https://github.com/cisco/openh264/commit/7d7a5c28bc
Flags: needinfo?(cdiehl)

Updated

3 years ago
Blocks: 1170319

Updated

3 years ago
No longer blocks: 1170319
Depends on: 1170319
status-firefox42: --- → unaffected
Marking as fixed per comment 10.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED