Closed
Bug 1224369
Opened 9 years ago
Closed 9 years ago
UBSan: index out of bounds [@vp8_loop_filter_row_normal]
Categories
(Core :: Audio/Video: Playback, defect, P1)
RESOLVED
FIXED
mozilla45
People
(Reporter: tsmith, Assigned: mozbugz)
Details
(Keywords: csectype-bounds, sec-moderate, testcase, Whiteboard: [adv-main45+][post-critsmash-triage])
Attachments
(3 files)
204 bytes, application/octet-stream
2.26 KB, patch (rillian: review+)
1.84 KB, patch (rillian: review+)
This was found by fuzzing libvpx (commit c6641709a707ccb98cbdf785428659e44d4f2c8b) and it appears to be in our branch.

https://dxr.mozilla.org/mozilla-central/source/media/libvpx/vp8/common/loopfilter.c#222

vp8/common/vp8_loopfilter.c:222:35: runtime error: index 225 out of bounds for type 'unsigned char [64]'
    #0 0x77cca4 in vp8_loop_filter_row_normal (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x77cca4)
    #1 0x83f283 in decode_mb_rows (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x83f283)
    #2 0x837e2d in vp8_decode_frame (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x837e2d)
    #3 0x5d052d in vp8dx_receive_compressed_data (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x5d052d)
    #4 0x5ca52c in vp8_decode (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x5ca52c)
    #5 0x4ecdde in vpx_codec_decode (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x4ecdde)
    #6 0x4eb189 in main /home/user/code/libvpx/examples/simple_decoder.c:135:11
    #7 0x7f121a2a5ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #8 0x41dad5 in _start (/home/user/Desktop/libvpx/simple_decoder_ub_asan+0x41dad5)
Reporter
Updated•9 years ago
Keywords: sec-moderate
Updated•9 years ago
Flags: needinfo?(gsquelart)
Priority: -- → P1
Assignee
Comment 1•9 years ago
Part 1: Test cases given as list. No actual test changes from before. This will help with this bug and future ones, to easily add more test cases.
Assignee: nobody → gsquelart
Attachment #8690624 -
Flags: review?(giles)
Assignee
Comment 2•9 years ago
Part 2: Added vp8/ivf test case.
Attachment #8690626 -
Flags: review?(giles)
Assignee
Comment 3•9 years ago
This issue has the same cause as bug 1224363 (filter_level not clamped to 0-63), though the effect appears elsewhere, so there is no more need for a fix.
Depends on: 1224363
Flags: needinfo?(gsquelart)
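
The root cause named in comment 3 (a filter level used as a table index without being clamped to 0-63), shown as an added example that is not code from libvpx or from the patches on this bug. The table, its contents and all function names are hypothetical; 225 is the index from the UBSan report.

```c
#include <stdio.h>

#define MAX_LOOP_FILTER 63                 /* valid filter levels: 0..63 */
#define LUT_SIZE (MAX_LOOP_FILTER + 1)     /* 64 entries, as in the UBSan report */

/* Hypothetical per-level table; contents are constructed for the example. */
static unsigned char level_lut[LUT_SIZE];
static int lut_ready;

static void build_lut(void) {
    for (int i = 0; i < LUT_SIZE; i++)
        level_lut[i] = (unsigned char)(i / 16);
    lut_ready = 1;
}

/* Clamp a level derived from untrusted stream data into 0..63. */
int clamp_filter_level(int level) {
    if (level < 0) return 0;
    if (level > MAX_LOOP_FILTER) return MAX_LOOP_FILTER;
    return level;
}

/* Policy 1: clamp, then index. Never reads outside the table. */
int lookup_clamped(int level) {
    if (!lut_ready) build_lut();
    return level_lut[clamp_filter_level(level)];
}

/* Policy 2: reject out-of-range levels so the caller can drop the frame.
 * Returns 0 and writes *out on success, -1 on rejection. */
int lookup_checked(int level, unsigned char *out) {
    if (level < 0 || level > MAX_LOOP_FILTER) return -1;
    if (!lut_ready) build_lut();
    *out = level_lut[level];
    return 0;
}

int main(void) {
    const int samples[] = { 0, 40, 63, 225, -5 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned char v = 0;
        int rc = lookup_checked(samples[i], &v);
        printf("level %4d: clamped -> %d, checked -> %d\n",
               samples[i], lookup_clamped(samples[i]), rc == 0 ? v : -1);
    }
    return 0;
}
```

Clamping keeps decoding going with a saturated level, while the checked variant lets the caller treat the stream as corrupt; either way the index stays inside the 64-entry table.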
Comment 4•9 years ago
Comment on attachment 8690624
1224369-p1-gtest-list-of-test-cases.patch

Review of attachment 8690624:

Nice.
Attachment #8690624 -
Flags: review?(giles) → review+
Updated•9 years ago
Attachment #8690626 -
Flags: review?(giles) → review+
Assignee
Comment 5•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/06c9e401ee3c
https://hg.mozilla.org/integration/mozilla-inbound/rev/6b7901d50318

I might have been too eager to check-in, as I believe this bug should be sec-low or even no-sec. Also this bug is actually fixed by the patch in bug 1224363 (which is sec-low or could be no-sec, as confirmed by a libvpx expert in bug 1224363 comment 15). The patches here are just a gtest test case. But sorry if I should have asked for official approval first. Could you please lower the sec rating?
Flags: needinfo?(dveditz)
Comment 6•9 years ago
https://hg.mozilla.org/mozilla-central/rev/06c9e401ee3c
https://hg.mozilla.org/mozilla-central/rev/6b7901d50318
Status: NEW → RESOLVED
Closed: 9 years ago
status-b2g-master:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Updated•9 years ago
Group: media-core-security → core-security-release
Updated•8 years ago
Whiteboard: [adv-main45+]
Updated•8 years ago
Whiteboard: [adv-main45+] → [adv-main45+][post-critsmash-triage]
Updated•8 years ago
Group: core-security-release