Closed Bug 1199437 Opened 9 years ago Closed 9 years ago

OpenH264: NULL function pointer [@WelsDec::DoMbECMvCopy]

Categories

(Core :: Audio/Video: GMP, defect)

Product:
Core
Component:
Audio/Video: GMP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-bounds, testcase)

Attachments

(3 files)

call_stack.txt
2.88 KB, text/plain
Details
test_case.264
119 bytes, application/octet-stream
Details
gdb_out.txt
3.76 KB, text/plain
Details
Attached file call_stack.txt 
This was found in openh264 master and does not affect the branch shipped with Firefox.

This appears to be stack corruption. eip is 0x0 and the top stack frame is also 0x0.
Attached file test_case.264 

    
  
Depends on: 1170319

    
  
Group: core-security → media-core-security

    
    

    
  

      
      
      
      

        Attached file
          
        gdb_out.txt
      

    


  
I had a closer look and from what I can tell this is not stack corruption but a function pointer is set to zero. I was worried when I saw this crash was in a "copy" function.

    
  
Summary: OpenH264: potential stack corruption [@WelsDec::DoMbECMvCopy] → OpenH264: NULL function pointer [@WelsDec::DoMbECMvCopy]

    
    

    
  
If it's a consistent nullptr deref (i.e. not just luck it's null), then this would likely not be a sec issue.

    
    

    
  
> If it's a consistent nullptr deref (i.e. not just luck it's null), then this
> would likely not be a sec issue.

Looks safe because of a call to WelsMallocz.

It looks like pCtx->sCopyFunc.pCopyLumaFunc is set in InitErrorCon at codec/decoder/core/src/error_concealment.cpp:44

> pCtx->sCopyFunc.pCopyLumaFunc = WelsCopy16x16_c;

but it is then later overwritten by a call to WelsMallocz

#0  0xf7dccc3a in ?? () from /lib/i386-linux-gnu/libc.so.6 <= memset call
#1  0x08084ab8 in WelsCommon::WelsMallocz (kuiSize=562540, 
    kpTag=0x808578b "m_pDecContext") at codec/common/src/memory_align.cpp:163
#2  0x0804a2dc in WelsDec::CWelsDecoder::InitDecoder (this=0x8097008, bParseOnly=false)
    at codec/decoder/plus/src/welsDecoderExt.cpp:252
#3  0x0804a3ff in WelsDec::CWelsDecoder::ResetDecoder (this=0x8097008)
    at codec/decoder/plus/src/welsDecoderExt.cpp:267
#4  0x0804abf4 in WelsDec::CWelsDecoder::DecodeFrame2 (this=0x8097008, kpSrc=0x0, 
    kiSrcLen=0, ppDst=0xffffcfc8, pDstInfo=0xffffcff0)
    at codec/decoder/plus/src/welsDecoderExt.cpp:503
#5  0x0804a9e7 in WelsDec::CWelsDecoder::DecodeFrameNoDelay (this=0x8097008, 
    kpSrc=0x80b5dd8 "", kiSrcLen=9, ppDst=0xffffcfc8, pDstInfo=0xffffcff0)
    at codec/decoder/plus/src/welsDecoderExt.cpp:434
#6  0x08049928 in H264DecodeInstance (pDecoder=0x8097008, 
    kpH264FileName=0xffffd33e "/home/user/Desktop/h264_tests/1199437.264", 
    kpOuputFileName=0xffffd368 "/dev/null", iWidth=@0xffffd068: 16, 
    iHeight=@0xffffd06c: 16, pOptionFileName=0x0, pLengthFileName=0x0)
    at codec/console/dec/src/h264dec.cpp:230
#7  0x08049d96 in main (iArgC=3, pArgV=0xffffd134)
    at codec/console/dec/src/h264dec.cpp:367(In reply to Randell Jesup [:jesup] from comment #3)

    
  
Group: media-core-security

    
    

    
  
Verified fixed with https://github.com/cisco/openh264/commit/5373b8a3aad243245c56e964efa8380ab1fcc44d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: