Closed Bug 1182717 Opened 10 years ago Closed 9 years ago

OpenH264: ASan heap-buffer-overflow WRITE in WelsDec::DoErrorConSliceMVCopy

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-bounds, sec-high, testcase)

Attachments

(3 files, 2 obsolete files)

test_case.264 10 years ago Tyson Smith [:tsmith] 3.52 KB, application/octet-stream		Details
callstack.txt 10 years ago Tyson Smith [:tsmith] 4.19 KB, text/plain		Details
callstack_2.txt 10 years ago Tyson Smith [:tsmith] 5.09 KB, text/plain		Details
call_stack.txt 9 years ago Tyson Smith [:tsmith] 5.60 KB, text/plain		Details
test_case_2.264 9 years ago Tyson Smith [:tsmith] 114 bytes, application/octet-stream		Details

Tyson Smith [:tsmith]

Reporter

Description

•

10 years ago

Attached file test_case.264 — Details

Tested with https://github.com/cisco/openh264/commit/a8ae1346101be6ec1b5f72a861932fbda0cffcde

Tyson Smith [:tsmith]

Reporter

Comment 1

•

10 years ago

Attached file callstack.txt (obsolete) — Details

Ethan Hugg [:ehugg]

Updated

•

10 years ago

Depends on: 1170319

Tyson Smith [:tsmith]

Reporter

Comment 2

•

10 years ago

Attached file callstack_2.txt (obsolete) — Details

Tyson Smith [:tsmith]

Reporter

Updated

•

10 years ago

Severity: major → critical

karina

Comment 3

•

10 years ago

tested openh264 branch v1.4-Firefox38, the bug is also in this branch.

Haibo Zhu

Comment 4

•

10 years ago

This bug has been fixed in the latest version of openh264 master branch.

Tyson Smith [:tsmith]

Reporter

Comment 5

•

10 years ago

Fixed. Verified with https://github.com/cisco/openh264/commit/f30ad4e512e84a1376f5223f9a450c075e0b0df9

Andrew McCreight [:mccr8]

Updated

•

9 years ago

Keywords: sec-high

BMO Automation

Updated

•

9 years ago

Group: core-security → media-core-security

Tyson Smith [:tsmith]

Reporter

Updated

•

9 years ago

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Updated

•

9 years ago

Group: media-core-security → core-security-release

Tyson Smith [:tsmith]

Reporter

Comment 6

•

9 years ago

Found while fuzzing: https://github.com/cisco/openh264/commit/f9f2bbf805ebb82d0cc46dd79aade2dfb264f046

Group: core-security-release → media-core-security

Status: RESOLVED → REOPENED

Resolution: FIXED → ---

Tyson Smith [:tsmith]

Reporter

Comment 7

•

9 years ago

Attached file call_stack.txt — Details

Attachment #8632375 - Attachment is obsolete: true

Attachment #8633097 - Attachment is obsolete: true

Tyson Smith [:tsmith]

Reporter

Comment 8

•

9 years ago

Attached file test_case_2.264 — Details

Haibo Zhu

Comment 9

•

9 years ago

We have fixed this bug in the master branch commit b37cda2 and openh264v1.5 branch commit d6b1680, please help to verify it.

Tyson Smith [:tsmith]

Reporter

Comment 10

•

9 years ago

Verified with commit b37cda2482.

Rui Zhang

Comment 11

•

9 years ago

Thanks, Tyson, for the verification. I'm marking this as "resolved now"

Status: REOPENED → RESOLVED

Closed: 9 years ago → 9 years ago

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Updated

•

9 years ago

Group: media-core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

9 years ago

Group: core-security-release

Nobody; OK to take it and work on it

Assignee

Updated

•

2 years ago

Component: OpenH264 → Audio/Video: GMP

Product: External Software Affecting Firefox → Core

You need to log in before you can comment on or make changes to this bug.