Closed Bug 1199437 Opened 6 years ago Closed 6 years ago

OpenH264: NULL function pointer [@WelsDec::DoMbECMvCopy]

Categories

(External Software Affecting Firefox :: OpenH264, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-bounds, testcase)

Attachments

(3 files)

Attached file call_stack.txt
This was found in openh264 master and does not affect the branch shipped with Firefox.

This appears to be stack corruption. eip is 0x0 and the top stack frame is also 0x0.
Attached file test_case.264
Depends on: 1170319
Group: core-security → media-core-security
Attached file gdb_out.txt
I had a closer look and from what I can tell this is not stack corruption but a function pointer is set to zero. I was worried when I saw this crash was in a "copy" function.
Summary: OpenH264: potential stack corruption [@WelsDec::DoMbECMvCopy] → OpenH264: NULL function pointer [@WelsDec::DoMbECMvCopy]
If it's a consistent nullptr deref (i.e. not just luck it's null), then this would likely not be a sec issue.
> If it's a consistent nullptr deref (i.e. not just luck it's null), then this
> would likely not be a sec issue.

Looks safe because of a call to WelsMallocz.

It looks like pCtx->sCopyFunc.pCopyLumaFunc is set in InitErrorCon at codec/decoder/core/src/error_concealment.cpp:44

> pCtx->sCopyFunc.pCopyLumaFunc = WelsCopy16x16_c;

but it is then later overwritten by a call to WelsMallocz

#0  0xf7dccc3a in ?? () from /lib/i386-linux-gnu/libc.so.6 <= memset call
#1  0x08084ab8 in WelsCommon::WelsMallocz (kuiSize=562540, 
    kpTag=0x808578b "m_pDecContext") at codec/common/src/memory_align.cpp:163
#2  0x0804a2dc in WelsDec::CWelsDecoder::InitDecoder (this=0x8097008, bParseOnly=false)
    at codec/decoder/plus/src/welsDecoderExt.cpp:252
#3  0x0804a3ff in WelsDec::CWelsDecoder::ResetDecoder (this=0x8097008)
    at codec/decoder/plus/src/welsDecoderExt.cpp:267
#4  0x0804abf4 in WelsDec::CWelsDecoder::DecodeFrame2 (this=0x8097008, kpSrc=0x0, 
    kiSrcLen=0, ppDst=0xffffcfc8, pDstInfo=0xffffcff0)
    at codec/decoder/plus/src/welsDecoderExt.cpp:503
#5  0x0804a9e7 in WelsDec::CWelsDecoder::DecodeFrameNoDelay (this=0x8097008, 
    kpSrc=0x80b5dd8 "", kiSrcLen=9, ppDst=0xffffcfc8, pDstInfo=0xffffcff0)
    at codec/decoder/plus/src/welsDecoderExt.cpp:434
#6  0x08049928 in H264DecodeInstance (pDecoder=0x8097008, 
    kpH264FileName=0xffffd33e "/home/user/Desktop/h264_tests/1199437.264", 
    kpOuputFileName=0xffffd368 "/dev/null", iWidth=@0xffffd068: 16, 
    iHeight=@0xffffd06c: 16, pOptionFileName=0x0, pLengthFileName=0x0)
    at codec/console/dec/src/h264dec.cpp:230
#7  0x08049d96 in main (iArgC=3, pArgV=0xffffd134)
    at codec/console/dec/src/h264dec.cpp:367(In reply to Randell Jesup [:jesup] from comment #3)
Group: media-core-security
Verified fixed with https://github.com/cisco/openh264/commit/5373b8a3aad243245c56e964efa8380ab1fcc44d
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.