Closed Bug 1258737 Opened 9 years ago Closed 9 years ago

OpenH264: SEGV on unknown address in [@WelsDec::WelsDecodeSlice]

Categories

(Core :: Audio/Video: GMP, defect)

Product:
Core
Component:
Audio/Video: GMP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox48 --- fixed
firefox49 --- fixed
firefox-esr45 48+ fixed
firefox50 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

test_case.264
1.10 KB, application/octet-stream
Details
Attached file test_case.264
Found while fuzzing openh264 revision 8103988cde08ab26b74985862f419d79d96ae317 To reproduce run h264dec with the attached test case. ==29954==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5b8f59b810 (pc 0x000000655314 bp 0x7fffb4d65670 sp 0x7fffb4d654e0 T0) #0 0x655313 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) /home/user/code/openh264/codec/decoder/core/src/decode_slice.cpp:1227:42 #1 0x55d4eb in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/core/src/decoder_core.cpp:2278:16 #2 0x558596 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/core/src/decoder_core.cpp:2003:10 #3 0x525481 in WelsDecodeBs /home/user/code/openh264/codec/decoder/core/src/decoder.cpp:788:7 #4 0x508445 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/plus/src/welsDecoderExt.cpp:503:3 #5 0x506845 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/plus/src/welsDecoderExt.cpp:432:11 #6 0x4f9b5f in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) /home/user/code/openh264/codec/console/dec/src/h264dec.cpp:208:5 #7 0x4fb36c in main /home/user/code/openh264/codec/console/dec/src/h264dec.cpp:347:5 #8 0x7f5b91abcec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #9 0x42e405 in _start (/home/ubuntu/build/build/h264dec_ub_asan+0x42e405) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/code/openh264/codec/decoder/core/src/decode_slice.cpp:1227:42 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) ==29954==ABORTING
Depends on: 1233495
Blocks: 1258783
Output from valgrind: Process terminating with default action of signal 11 (SIGSEGV) Bad permissions for mapped region at address 0x5631670 at 0x44C30E: ??? (in /home/user/Desktop/afl/afl-openh264/h264dec_clean) by 0x418D20: WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, TagMcFunc*, int, int, short*) (rec_mb.cpp:257) by 0x419D27: WelsDec::GetInterPred(unsigned char*, unsigned char*, unsigned char*, WelsDec::TagWelsDecoderContext*) (rec_mb.cpp:370) by 0x424806: WelsDec::WelsMbInterPrediction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) (decode_slice.cpp:286) by 0x424BC3: WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) (decode_slice.cpp:300) by 0x424E57: WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) (decode_slice.cpp:94) by 0x40C0A0: WelsDecodeConstructSlice (decoder_core.cpp:238) by 0x40C0A0: WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2295) by 0x40CF18: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2003) by 0x404114: WelsDecodeBs (decoder.cpp:788) by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504) by 0x401F3E: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:432) by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208) Segmentation fault
It has been fixed on the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f Please help to check it. Thanks.
Verified with openh264 revision c0641f40d91b8cb47f287bf26dc48d51a476c325.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: