Bug 1257707: Crash [@ avpriv_flac_parse_block_header] with MP4/H264
Status: RESOLVED FIXED (opened 9 years ago, closed 8 years ago)
Categories: Core :: Audio/Video: Playback, defect, P3
Tracking:
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | affected | 
People: Reporter: decoder, Unassigned
Keywords: crash, sec-vector, testcase
Attachments: 2 files

Description • 9 years ago (Reporter)
The attached testcase crashes on mozilla-inbound revision f30fc906416f (build with --enable-optimize --disable-debug --enable-address-sanitizer).
For detailed crash information, see attachment.
To reproduce the issue, you can run the testcase through the "MediaDataDecoder.H264" gtest. Example STR:
1. Change into objdir/dist/bin of your Firefox build
2. Place attached testcase into objdir, keep the name "gizmo.mp4"
3. Run: GTEST_FILTER=MediaDataDecoder.H264 MOZ_RUN_GTEST=1 ./firefox -unittest
This crash seems to happen inside the libavcodec library (tested on Ubuntu 14.04), but I don't get it with avplay, so it could be that the bug is in our code instead.
I'm also marking this s-s (for now) because the 0x470 offset seems quite far away from 0x0 already. If the offset can be controlled arbitrarily, it might lead to a security problem.
Comment 1 • 9 years ago (Reporter)

Comment 2 • 9 years ago (Reporter)

Updated • 9 years ago
Group: core-security → media-core-security

Comment 3
Jean-Yves - do we need to upstream this?
Flags: needinfo?(jyavenard)

Comment 4 • 9 years ago
Sure. I don't see how we could ever end up in the flac decoder seeing that we don't support flac and never configure the ffmpeg decoder to decode flac.
Flags: needinfo?(jyavenard)
Comment 5 • 9 years ago
Having said that, :decoder has an ancient LibAV version, one that likely doesn't exist in ffmpeg.
Comment 6 • 9 years ago (Reporter)
It should be noted that this is the default on Ubuntu 14.04 LTS and ffmpeg does not exist there. So this is a default configuration, not some obscure one.
Updated • 9 years ago
Keywords: sec-vector

Comment 7
Christian - we either need to get the issue fixed upstream or drop support for libavcodec on Ubuntu 14.04. Can you file a bug with Ubuntu?
Flags: needinfo?(jyavenard)
Flags: needinfo?(choller)

Comment 8 • 9 years ago
What about trying to fix this bug first and submitting that upstream?
I can't reproduce the issue with the sample provided, however, so it's likely the same as with bug 1268718.
Please provide the actual file to reproduce the problem first. Thanks.
Flags: needinfo?(jyavenard)
Comment 9 • 9 years ago (Reporter)
Discussed this with :jya on IRC, he'll look into the issue again tomorrow (restoring needinfo for that).
When I filed this bug, I confirmed that it reproduces, I also gave :jya access to the libav upstream bug that might be the same issue.
Flags: needinfo?(choller) → needinfo?(jyavenard)
Updated • 9 years ago
Priority: -- → P2

Comment 10 • 9 years ago
The fix has been submitted upstream; I see no way we could get around it from our side.
Most of the discussion about the actual progress was made in bug 1263665
Flags: needinfo?(jyavenard)
See Also:  → 1263665
Comment 11 • 9 years ago
BTW, there's very little movement from the LibAV team; they did find a bug in my fix, which I fixed very quickly, but nothing since.
I have the gut feeling that there will be no more movement from there. Maybe we should submit the patch to debian/ubuntu instead.
Comment 12
Mass change P2 -> P3
Priority: P2 → P3

Comment 13 • 8 years ago
This was fixed upstream, and now the libavcodec versions with the vulnerabilities have been blacklisted.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
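Comment 13 says the vulnerable libavcodec versions were blacklisted rather than worked around in the decoder. The block below is an added example written for this page; it is not Firefox's, libav's or ffmpeg's code. It shows the shape of such a runtime version gate: libavcodec reports its version as the packed integer produced by libavutil's AV_VERSION_INT (major<<16 | minor<<8 | micro, returned by avcodec_version()), and the gate keeps one "first fixed version" per major series instead of a single global threshold, because an upstream fix is backported to several release branches and a newer major with a numerically small minor/micro must not be refused. The entries in kFixedIn are hypothetical placeholders for illustration, not the list any browser ships.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Packing used by libavutil's AV_VERSION_INT(a, b, c); avcodec_version()
 * returns LIBAVCODEC_VERSION_INT in this format. */
#define PACK_VERSION(a, b, c) \
    (((unsigned)(a) << 16) | ((unsigned)(b) << 8) | (unsigned)(c))

unsigned pack_version(unsigned major, unsigned minor, unsigned micro)
{
    return PACK_VERSION(major, minor, micro);
}

/* One entry per affected major series: the first version of that series
 * that carries the fix. Anything older in the same series is refused;
 * series not listed are accepted as-is.
 * NOTE: these numbers are hypothetical placeholders, not a real list. */
struct fixed_in {
    unsigned major;
    unsigned first_good;   /* packed */
};

static const struct fixed_in kFixedIn[] = {
    { 54, PACK_VERSION(54, 35, 1) },
    { 55, PACK_VERSION(55, 34, 2) },
    { 56, PACK_VERSION(56, 1, 1) },
};

/* True when the library belongs to a tracked series and predates the
 * fix for that series. Comparing per series rather than against one
 * global packed integer is the point: 57.0.0 is newer than 56.1.1 even
 * though its minor and micro are smaller. */
bool libavcodec_is_blacklisted(unsigned packed)
{
    unsigned major = packed >> 16;
    for (size_t i = 0; i < sizeof kFixedIn / sizeof kFixedIn[0]; i++) {
        if (kFixedIn[i].major == major)
            return packed < kFixedIn[i].first_good;
    }
    return false;   /* not a series we track */
}

/* Parse "MAJOR.MINOR.MICRO" (the form printed by e.g. `avconv -version`).
 * Rejects trailing garbage and fields that do not fit the packed layout. */
bool parse_version(const char *s, unsigned *packed)
{
    unsigned a, b, c;
    char tail;
    if (sscanf(s, "%u.%u.%u%c", &a, &b, &c, &tail) != 3)
        return false;
    if (a > 0xffff || b > 0xff || c > 0xff)
        return false;
    *packed = pack_version(a, b, c);
    return true;
}

/* Convenience wrapper: -1 = unparseable, 1 = refused, 0 = accepted. */
int check_version_string(const char *s)
{
    unsigned v;
    if (!parse_version(s, &v))
        return -1;
    return libavcodec_is_blacklisted(v) ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s MAJOR.MINOR.MICRO\n", argv[0]);
        return 2;
    }
    int r = check_version_string(argv[1]);
    if (r < 0) {
        fprintf(stderr, "cannot parse version '%s'\n", argv[1]);
        return 2;
    }
    printf("libavcodec %s: %s\n", argv[1],
           r ? "REFUSED (known-vulnerable series)" : "accepted");
    return r;
}
```

In a real loader the packed value would come from calling avcodec_version() on the dlopen'ed library before any decoder is created, and a refused library would simply not be linked, leaving playback to fall back to whatever other decoder the build has; that wiring is assumed here, not shown.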
Updated • 8 years ago
Group: media-core-security → core-security-release
Updated • 5 years ago
Group: core-security-release