Bug 1199437 (Closed)
Opened 9 years ago, Closed 9 years ago
OpenH264: NULL function pointer [@WelsDec::DoMbECMvCopy]
Categories: Core :: Audio/Video: GMP, defect
Status: RESOLVED FIXED
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-bounds, testcase
Attachments: 3 files
Description (Reporter)
This was found in openh264 master and does not affect the branch shipped with Firefox.
This appears to be stack corruption. eip is 0x0 and the top stack frame is also 0x0.
Comment 1 • 9 years ago (Reporter)
Updated • 9 years ago
Group: core-security → media-core-security
Comment 2 • 9 years ago (Reporter)
I had a closer look and from what I can tell this is not stack corruption but a function pointer is set to zero. I was worried when I saw this crash was in a "copy" function.
Updated • 9 years ago (Reporter)
Summary: OpenH264: potential stack corruption [@WelsDec::DoMbECMvCopy] → OpenH264: NULL function pointer [@WelsDec::DoMbECMvCopy]
Comment 3 • 9 years ago (Randell Jesup [:jesup])
If it's a consistent nullptr deref (i.e. not just luck it's null), then this would likely not be a sec issue.
Comment 4 • 9 years ago (Reporter)
(In reply to Randell Jesup [:jesup] from comment #3)
> If it's a consistent nullptr deref (i.e. not just luck it's null), then this
> would likely not be a sec issue.
Looks safe because of a call to WelsMallocz.
It looks like pCtx->sCopyFunc.pCopyLumaFunc is set in InitErrorCon at codec/decoder/core/src/error_concealment.cpp:44
> pCtx->sCopyFunc.pCopyLumaFunc = WelsCopy16x16_c;
but it is then later overwritten by a call to WelsMallocz
#0 0xf7dccc3a in ?? () from /lib/i386-linux-gnu/libc.so.6 <= memset call
#1 0x08084ab8 in WelsCommon::WelsMallocz (kuiSize=562540,
kpTag=0x808578b "m_pDecContext") at codec/common/src/memory_align.cpp:163
#2 0x0804a2dc in WelsDec::CWelsDecoder::InitDecoder (this=0x8097008, bParseOnly=false)
at codec/decoder/plus/src/welsDecoderExt.cpp:252
#3 0x0804a3ff in WelsDec::CWelsDecoder::ResetDecoder (this=0x8097008)
at codec/decoder/plus/src/welsDecoderExt.cpp:267
#4 0x0804abf4 in WelsDec::CWelsDecoder::DecodeFrame2 (this=0x8097008, kpSrc=0x0,
kiSrcLen=0, ppDst=0xffffcfc8, pDstInfo=0xffffcff0)
at codec/decoder/plus/src/welsDecoderExt.cpp:503
#5 0x0804a9e7 in WelsDec::CWelsDecoder::DecodeFrameNoDelay (this=0x8097008,
kpSrc=0x80b5dd8 "", kiSrcLen=9, ppDst=0xffffcfc8, pDstInfo=0xffffcff0)
at codec/decoder/plus/src/welsDecoderExt.cpp:434
#6 0x08049928 in H264DecodeInstance (pDecoder=0x8097008,
kpH264FileName=0xffffd33e "/home/user/Desktop/h264_tests/1199437.264",
kpOuputFileName=0xffffd368 "/dev/null", iWidth=@0xffffd068: 16,
iHeight=@0xffffd06c: 16, pOptionFileName=0x0, pLengthFileName=0x0)
at codec/console/dec/src/h264dec.cpp:230
#7 0x08049d96 in main (iArgC=3, pArgV=0xffffd134)
at codec/console/dec/src/h264dec.cpp:367
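The ordering bug described in comment 4, reduced to a stand-alone C model. This is an added example, not OpenH264 code: `decoder_ctx`, `init_error_con`, `mallocz`, `reset_buggy`, `reset_fixed` and `do_mb_ec_copy` are hypothetical stand-ins for the context, InitErrorCon, WelsMallocz, ResetDecoder/InitDecoder and DoMbECMvCopy named in the backtrace. An init routine fills a function-pointer table in the context; a reset path then reallocates the context as zeroed memory without re-running init, so the next indirect call through the table targets address 0. Because the zeroing is deterministic, the result is a reproducible NULL call (a crash, not an attacker-steered jump), which is the reasoning behind "looks safe" above. The fixed reset re-initialises the table on every (re)creation path, and the call site refuses to dispatch through a NULL entry so a future regression fails closed instead of jumping to 0.

```c
/* Added example modelling the init/reset ordering bug from the bug report.
 * Not OpenH264 code; all names are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef void (*copy_fn)(uint8_t *dst, const uint8_t *src, size_t n);

typedef struct {
    copy_fn copy_luma;     /* stand-in for pCtx->sCopyFunc.pCopyLumaFunc */
    uint8_t luma[16];      /* destination block the copy writes into */
} decoder_ctx;

/* stand-in for WelsCopy16x16_c */
static void copy_luma_c(uint8_t *dst, const uint8_t *src, size_t n) {
    memcpy(dst, src, n);
}

/* stand-in for WelsMallocz: allocate and zero-fill */
static void *mallocz(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, 0, n);
    return p;
}

/* stand-in for InitErrorCon: installs the copy-function table */
static void init_error_con(decoder_ctx *ctx) {
    ctx->copy_luma = copy_luma_c;
}

/* Buggy reset: the context is recreated as zeroed memory, but the table is
 * never refilled, so copy_luma is NULL afterwards. */
static decoder_ctx *reset_buggy(decoder_ctx *old) {
    free(old);
    return mallocz(sizeof(decoder_ctx));
}

/* Fixed reset: every path that (re)creates the context re-runs the init. */
static decoder_ctx *reset_fixed(decoder_ctx *old) {
    free(old);
    decoder_ctx *ctx = mallocz(sizeof(decoder_ctx));
    if (ctx) init_error_con(ctx);
    return ctx;
}

/* stand-in for DoMbECMvCopy, the indirect call site. Returns 0 on success and
 * -1 if the table entry is NULL, instead of calling address 0. */
static int do_mb_ec_copy(decoder_ctx *ctx, const uint8_t *src) {
    if (ctx == NULL || ctx->copy_luma == NULL) return -1;
    ctx->copy_luma(ctx->luma, src, sizeof ctx->luma);
    return 0;
}

/* Drives create -> init -> reset -> decode with the chosen reset routine.
 * Returns 0 if the copy ran and wrote the block, -1 if the NULL table entry
 * was caught, -2 on allocation failure, -3 if the copy ran but wrote nothing. */
int run_sequence(int use_fixed_reset) {
    uint8_t src[16];
    memset(src, 0xAB, sizeof src);          /* constructed sample input */
    decoder_ctx *ctx = mallocz(sizeof(decoder_ctx));
    if (!ctx) return -2;
    init_error_con(ctx);                    /* table is valid at this point */
    ctx = use_fixed_reset ? reset_fixed(ctx) : reset_buggy(ctx);
    if (!ctx) return -2;
    int rc = do_mb_ec_copy(ctx, src);
    int wrote = (ctx->luma[0] == 0xAB);
    free(ctx);
    if (rc != 0) return rc;
    return wrote ? 0 : -3;
}

int main(void) {
    printf("buggy reset: %d (-1 = NULL function pointer caught)\n", run_sequence(0));
    printf("fixed reset: %d\n", run_sequence(1));
    return 0;
}
```

Without the NULL check in `do_mb_ec_copy`, the buggy path is exactly the crash in the backtrace: eip 0x0 with a 0x0 top frame, because the call instruction itself jumps to the zeroed pointer. The check turns that into a clean error return; the real fix is still the one in `reset_fixed`, re-running the initialiser after the zeroing allocation.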
Updated • 9 years ago (Reporter)
Group: media-core-security
Comment 5 • 9 years ago (Reporter)
Verified fixed with https://github.com/cisco/openh264/commit/5373b8a3aad243245c56e964efa8380ab1fcc44d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 2 years ago (Assignee)
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core