Closed Bug 1224369 Opened 7 years ago Closed 7 years ago

UBSan: index out of bounds [@vp8_loop_filter_row_normal]


(Core :: Audio/Video: Playback, defect, P1)




Tracking Status
firefox45 --- fixed
b2g-master --- fixed


(Reporter: tsmith, Assigned: mozbugz)



(Keywords: csectype-bounds, sec-moderate, testcase, Whiteboard: [adv-main45+][post-critsmash-triage])


(3 files)

Attached file test_case.vp8
This was found by fuzzing libvpx (commit c6641709a707ccb98cbdf785428659e44d4f2c8b) and it appears to be in our branch.

vp8/common/vp8_loopfilter.c:222:35: runtime error: index 225 out of bounds for type 'unsigned char [64]'
    #0 0x77cca4 in vp8_loop_filter_row_normal (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x77cca4)
    #1 0x83f283 in decode_mb_rows (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x83f283)
    #2 0x837e2d in vp8_decode_frame (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x837e2d)
    #3 0x5d052d in vp8dx_receive_compressed_data (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x5d052d)
    #4 0x5ca52c in vp8_decode (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x5ca52c)
    #5 0x4ecdde in vpx_codec_decode (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x4ecdde)
    #6 0x4eb189 in main /home/user/code/libvpx/examples/simple_decoder.c:135:11
    #7 0x7f121a2a5ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #8 0x41dad5 in _start (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x41dad5)
Keywords: sec-moderate
Flags: needinfo?(gsquelart)
Priority: -- → P1
Part 1: Test cases given as list.

No actual test changes from before. This will help with this bug and future
ones, to easily add more test cases.
Assignee: nobody → gsquelart
Attachment #8690624 - Flags: review?(giles)
Part 2: Added vp8/ivf test case.
Attachment #8690626 - Flags: review?(giles)
This issue has the same cause as bug 1224363 (filter_level not clamped to 0-63), though the effect appears elsewhere, so there is no more need for a fix.
Depends on: 1224363
Flags: needinfo?(gsquelart)
Comment on attachment 8690624 [details] [diff] [review]

Review of attachment 8690624 [details] [diff] [review]:

Attachment #8690624 - Flags: review?(giles) → review+
Attachment #8690626 - Flags: review?(giles) → review+

I might have been to eager to check-in, as I believe this bug should be sec-low or even no-sec. Also this bug is actually fixed by the patch in bug 1224363 (which is sec-low or could be no-sec, as confirmed by an libvpx expert in bug 1224363 comment 15).
The patches here are just a gtest test case.

But sorry if I should have asked for official approval first.
Could you please lower the sec rating?
Flags: needinfo?(dveditz)
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
sec-moderate was low enough for landing.
Flags: needinfo?(dveditz)
Group: media-core-security → core-security-release
Whiteboard: [adv-main45+]
Whiteboard: [adv-main45+] → [adv-main45+][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.