Closed Bug 1194481 Opened 6 years ago Closed 6 years ago

OpenH264: stack-buffer-overflow [@CReadConfig::ReadLine]

Categories: (External Software Affecting Firefox :: OpenH264, defect)

defect
Not set
normal

Tracking: (Not tracked)
Status: RESOLVED FIXED
People: (Reporter: tsmith, Unassigned)
References: (Blocks 1 open bug)
Details: (Keywords: csectype-bounds, sec-other, testcase)
Attachments: (3 files)
This is in h264enc, the code for which is included in openh264. This is NOT in the plugin code itself.

Fixing this issue will aid testing.
Attached file call_stack.txt
Attached file test_case.cfg
Attached video dummy.yuv
To reproduce run the following command:
./h264enc test_case.cfg -bf /dev/null -org dummy.yuv
(In reply to sijchen from comment #5)
> this is fixed with PR https://github.com/cisco/openh264/pull/2072/files

I just looked at the diff:
-        if (nTagNum >= kiValSize)
+        if (nTagNum >= kiValSize-1)
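Review bot: the new bound `kiValSize-1` in the `if` is not self-explanatory and should carry a comment. State next to the check that it must fire when nTagNum == kiValSize-1, as explained later in this thread, so that nobody relaxes it back to `nTagNum >= kiValSize`. Spacing the expression as `kiValSize - 1` would also read better.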

Why not?
-        if (nTagNum >= kiValSize)
+        if (nTagNum > kiValSize)
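Review bot: `nTagNum > kiValSize` in this alternative loosens the check instead of tightening it. The original `>=` already stopped at nTagNum == kiValSize; `>` would let that value through as well, whereas the fix stops one earlier, at kiValSize-1. Keep `nTagNum >= kiValSize-1`.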
??
the current logic is.
when nTagNum== kiValSize-1, we want it to be true and go to break.
(In reply to sijchen from comment #7)
> ??
> the current logic is.
> when nTagNum== kiValSize-1, we want it to be true and go to break.

Doh! Code is hard :) Ignore me.
Group: core-security → media-core-security
Verified fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Group: core-security-release