Closed
Bug 1194481
Opened 9 years ago
Closed 9 years ago
OpenH264: stack-buffer-overflow [@CReadConfig::ReadLine]
Categories
(Core :: Audio/Video: GMP, defect)
Core
Audio/Video: GMP
Tracking
()
RESOLVED
FIXED
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-bounds, sec-other, testcase)
Attachments
(3 files)
This is in h264enc which the code for is included in openh264. This is NOT in the plugin code itself.
Fixing this issue will aid testing.
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
|
|
Reporter | |
Comment 3•9 years ago
|
||
|
|
Reporter | |
Comment 4•9 years ago
|
||
To reproduce run the following command:
./h264enc test_case.cfg -bf /dev/null -org dummy.yuv
this is fixed with PR https://github.com/cisco/openh264/pull/2072/files
|
|
Reporter | |
Comment 6•9 years ago
|
||
(In reply to sijchen from comment #5)
> this is fixed with PR https://github.com/cisco/openh264/pull/2072/files
I just looked at the diff:
- if (nTagNum >= kiValSize)
+ if (nTagNum >= kiValSize-1)
Why not?
- if (nTagNum >= kiValSize)
+ if (nTagNum > kiValSize)
??
the current logic is.
when nTagNum== kiValSize-1, we want it to be true and go to break.
|
|
Reporter | |
Comment 8•9 years ago
|
||
(In reply to sijchen from comment #7)
> ??
> the current logic is.
> when nTagNum== kiValSize-1, we want it to be true and go to break.
Doh! Code is hard :) Ignore me.
|
||
Updated•9 years ago
|
Group: core-security → media-core-security
|
|
Reporter | |
Comment 9•9 years ago
|
||
Verified fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Updated•9 years ago
|
Group: media-core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
Assignee | |
Updated•2 years ago
|
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•