Closed Bug 1207773 Opened 9 years ago Closed 9 years ago

UBSan: index out of bounds in parse_mb_syn_cavlc.cpp:915:60

Categories

(Core :: Audio/Video: GMP, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-audit, testcase)

Attachments

(2 files)

Attached file test_case.264
This was found with a fuzzing+UBSan build.

Output from UBSan:
codec/decoder/core/src/parse_mb_syn_cavlc.cpp:915:60: runtime error: index -6 out of bounds for type 'uint16_t (*[6])[64]'

Which is referring to:
const uint16_t* kpDequantCoeff = pCtx->bUseScalingList ? pCtx->pDequant_coeff8x8[iMbResProperty - 6][uiQp] :
                                   g_kuiDequantCoeff8x8[uiQp];
Depends on: 1170319
Flags: needinfo?(haibozhu)
I believe we checked this before and we believed it is a false alarm? @Haibo
Attached file call_stack.txt
I am sorry that this is not a false alarm. We have fixed this bug in the master branch commit b37cda2 and openh264v1.5 branch commit d6b1680, please help to verify it.
Flags: needinfo?(haibozhu)
This bug appears to be fixed. Tested with commit b37cda2. Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
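
The expression UBSan flagged indexes a six-entry table with iMbResProperty - 6, so any value below 6 reads before the start of the array (index -6 corresponds to a value of 0). The following is an added example of a range-checked version of that lookup; it is not OpenH264 code and not the change made in commit b37cda2. DemoCtx, MakeDemoCtx, SelectDequant8x8, g_lists, g_default8x8 and the 52-entry QP range are assumptions made for the illustration.

```cpp
#include <cstdint>

// Constructed stand-ins; only bUseScalingList and pDequant_coeff8x8 are names from the report.
constexpr int32_t kListCount = 6;         // array extent from the UBSan message
constexpr int32_t kFirst8x8Property = 6;  // the "- 6" in the flagged expression
constexpr uint32_t kQpCount = 52;         // assumption: H.264 QP values 0..51

struct DemoCtx {
  bool bUseScalingList;
  uint16_t (*pDequant_coeff8x8[kListCount])[64];  // type 'uint16_t (*[6])[64]'
};

static uint16_t g_lists[kListCount][kQpCount][64];  // constructed scaling-list tables
static uint16_t g_default8x8[kQpCount][64];         // stands in for g_kuiDequantCoeff8x8

// Build a context whose six table pointers are all valid.
DemoCtx MakeDemoCtx(bool useScalingList) {
  DemoCtx ctx{};
  ctx.bUseScalingList = useScalingList;
  for (int32_t i = 0; i < kListCount; ++i) ctx.pDequant_coeff8x8[i] = g_lists[i];
  return ctx;
}

// Range-checked form of the flagged lookup: returns nullptr instead of indexing
// outside pDequant_coeff8x8, so the caller can reject the macroblock as corrupt.
const uint16_t* SelectDequant8x8(const DemoCtx& ctx, int32_t iMbResProperty, uint32_t uiQp) {
  if (uiQp >= kQpCount) return nullptr;
  if (!ctx.bUseScalingList) return g_default8x8[uiQp];  // index never evaluated here
  const int32_t idx = iMbResProperty - kFirst8x8Property;
  if (idx < 0 || idx >= kListCount) return nullptr;      // e.g. 0 - 6 == -6
  if (ctx.pDequant_coeff8x8[idx] == nullptr) return nullptr;
  return ctx.pDequant_coeff8x8[idx][uiQp];
}

int main() {
  const DemoCtx ctx = MakeDemoCtx(true);
  // Property 0 reproduces the reported index -6 and must be rejected.
  return SelectDequant8x8(ctx, 0, 10) == nullptr ? 0 : 1;
}
```

Building the block with -fsanitize=bounds and calling the lookup with property values 0 through 11 produces no UBSan report, because the subtraction result is validated before it is used as an index.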