OpenH264: SEGV on unknown address in [@WelsDec::WelsDecodeSlice]

Status: RESOLVED FIXED
Product: External Software Affecting Firefox
Component: OpenH264
Severity: critical
Reported: 2 years ago
Modified: 2 years ago

People
Reporter: tsmith
Assignee: Unassigned

Tracking
Blocks: 2 bugs
Version: unspecified
Keywords: crash, csectype-intoverflow, sec-high, testcase
Firefox Tracking Flags: firefox48 fixed, firefox49 fixed, firefox-esr45 48+ fixed, firefox50 fixed

Attachments
1 attachment: test_case.264, 1.10 KB, application/octet-stream
Description (Reporter, 2 years ago)

Created attachment 8733412 [details]
test_case.264

Found while fuzzing openh264 revision 8103988cde08ab26b74985862f419d79d96ae317

To reproduce, run h264dec with the attached test case.

==29954==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5b8f59b810 (pc 0x000000655314 bp 0x7fffb4d65670 sp 0x7fffb4d654e0 T0)
    #0 0x655313 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) /home/user/code/openh264/codec/decoder/core/src/decode_slice.cpp:1227:42
    #1 0x55d4eb in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/core/src/decoder_core.cpp:2278:16
    #2 0x558596 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/core/src/decoder_core.cpp:2003:10
    #3 0x525481 in WelsDecodeBs /home/user/code/openh264/codec/decoder/core/src/decoder.cpp:788:7
    #4 0x508445 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/plus/src/welsDecoderExt.cpp:503:3
    #5 0x506845 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) /home/user/code/openh264/codec/decoder/plus/src/welsDecoderExt.cpp:432:11
    #6 0x4f9b5f in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) /home/user/code/openh264/codec/console/dec/src/h264dec.cpp:208:5
    #7 0x4fb36c in main /home/user/code/openh264/codec/console/dec/src/h264dec.cpp:347:5
    #8 0x7f5b91abcec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #9 0x42e405 in _start (/home/ubuntu/build/build/h264dec_ub_asan+0x42e405)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/code/openh264/codec/decoder/core/src/decode_slice.cpp:1227:42 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*)
==29954==ABORTING

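Added triage helper, not part of this bug report and not OpenH264's or the reporter's code. When a fuzzer hands you a .264 file that crashes the decoder, the first question is which NAL units it contains and which slice (I, P or B) drives the decoder into the faulting path; the motion-compensation frames in the valgrind trace below point at an inter-predicted slice. The script splits an Annex B byte stream into NAL units, removes emulation-prevention bytes and decodes the first three Exp-Golomb fields of each slice header. The SAMPLE stream at the bottom is hand-constructed for illustration and does not reproduce this crash; the attachment itself is not on the page. Only base-layer slice NAL types 1 and 5 are decoded (the SVC extension header of type 20 is not parsed).

```python
# Added triage helper (assumed layout: plain Annex B stream such as test_case.264).
# Not OpenH264 code and not the reporter's harness.
from dataclasses import dataclass
from typing import Iterator, List, Optional

# slice_type % 5 -> name (H.264 Table 7-6); values >= 5 additionally state that
# every slice of the picture has the same type.
SLICE_TYPES = {0: "P", 1: "B", 2: "I", 3: "SP", 4: "SI"}


def iter_nal_units(data: bytes) -> Iterator[bytes]:
    """Yield NAL units delimited by 00 00 01 / 00 00 00 01 start codes."""
    starts = []
    i = 0
    while i + 2 < len(data):
        if data[i] == 0 and data[i + 1] == 0 and data[i + 2] == 1:
            starts.append(i + 3)
            i += 3
        else:
            i += 1
    for k, s in enumerate(starts):
        end = starts[k + 1] - 3 if k + 1 < len(starts) else len(data)
        # A NAL unit never ends in 0x00 (rbsp_trailing_bits end in a 1 bit), so
        # trailing zeros belong to a four-byte start code or to zero padding.
        while end > s and data[end - 1] == 0:
            end -= 1
        if end > s:
            yield data[s:end]


def unescape_rbsp(payload: bytes) -> bytes:
    """Remove emulation_prevention_three_byte: 00 00 03 -> 00 00."""
    out = bytearray()
    zeros = 0
    for b in payload:
        if zeros >= 2 and b == 3:
            zeros = 0
            continue
        out.append(b)
        zeros = zeros + 1 if b == 0 else 0
    return bytes(out)


class BitReader:
    """MSB-first bit reader with the Exp-Golomb codes used by slice headers."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0  # bit offset

    def u(self, n: int) -> int:
        v = 0
        for _ in range(n):
            byte = self.data[self.pos >> 3]  # IndexError => truncated header
            v = (v << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v

    def ue(self) -> int:
        zeros = 0
        while self.u(1) == 0:
            zeros += 1
            if zeros > 31:
                raise ValueError("Exp-Golomb code too long")
        return (1 << zeros) - 1 + self.u(zeros)

    def se(self) -> int:
        k = self.ue()  # codeNum 1,2,3,4 -> +1,-1,+2,-2
        return (k + 1) // 2 if k & 1 else -(k // 2)


@dataclass
class NalInfo:
    index: int
    nal_ref_idc: int
    nal_unit_type: int
    size: int
    first_mb_in_slice: Optional[int] = None
    slice_type_raw: Optional[int] = None
    slice_type: Optional[str] = None
    pps_id: Optional[int] = None


def triage(stream: bytes) -> List[NalInfo]:
    """Describe every NAL unit; slice headers of types 1 and 5 are decoded."""
    infos: List[NalInfo] = []
    for idx, nal in enumerate(iter_nal_units(stream)):
        hdr = nal[0]
        info = NalInfo(idx, (hdr >> 5) & 3, hdr & 0x1F, len(nal))
        if info.nal_unit_type in (1, 5):
            try:
                br = BitReader(unescape_rbsp(nal[1:]))
                info.first_mb_in_slice = br.ue()
                info.slice_type_raw = br.ue()
                info.pps_id = br.ue()
                info.slice_type = SLICE_TYPES.get(info.slice_type_raw % 5, "?")
            except (IndexError, ValueError):
                info.slice_type = "malformed"  # fuzzed input: record it, keep going
        infos.append(info)
    return infos


# Constructed sample: SPS, PPS, an IDR I slice and a P slice starting at
# macroblock 2. Slice header bits are hand-encoded; SPS/PPS bodies are stubs.
SAMPLE = (
    b"\x00\x00\x00\x01" b"\x67\x42\xc0\x0a"  # SPS
    b"\x00\x00\x00\x01" b"\x68\xce\x38\x80"  # PPS
    b"\x00\x00\x01" b"\x65\x88\x80"          # IDR: first_mb=0, slice_type=7 (I), pps=0
    b"\x00\x00\x01" b"\x41\x66\x80"          # non-IDR: first_mb=2, slice_type=5 (P), pps=0
)

if __name__ == "__main__":
    for n in triage(SAMPLE):
        print(n)
```

Run it against a real test case with `triage(open("test_case.264", "rb").read())`; a NAL reported as "malformed" is itself a finding worth keeping, since a header the decoder accepted but this parser could not read is exactly the kind of input that exercises unchecked paths.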
Updated (2 years ago)

Depends on: 1233495

Updated by Reporter (2 years ago)

Blocks: 1258783

Comment 1 (Reporter, 2 years ago)

Output from valgrind:

Process terminating with default action of signal 11 (SIGSEGV)
 Bad permissions for mapped region at address 0x5631670
   at 0x44C30E: ??? (in /home/user/Desktop/afl/afl-openh264/h264dec_clean)
   by 0x418D20: WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, TagMcFunc*, int, int, short*) (rec_mb.cpp:257)
   by 0x419D27: WelsDec::GetInterPred(unsigned char*, unsigned char*, unsigned char*, WelsDec::TagWelsDecoderContext*) (rec_mb.cpp:370)
   by 0x424806: WelsDec::WelsMbInterPrediction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) (decode_slice.cpp:286)
   by 0x424BC3: WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) (decode_slice.cpp:300)
   by 0x424E57: WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) (decode_slice.cpp:94)
   by 0x40C0A0: WelsDecodeConstructSlice (decoder_core.cpp:238)
   by 0x40C0A0: WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2295)
   by 0x40CF18: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2003)
   by 0x404114: WelsDecodeBs (decoder.cpp:788)
   by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504)
   by 0x401F3E: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:432)
   by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208)
Segmentation fault

Comment 2 (2 years ago)

It has been fixed on the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f.
Please help to check it. Thanks.

Comment 3 (Reporter, 2 years ago)

Verified with openh264 revision c0641f40d91b8cb47f287bf26dc48d51a476c325.

Updated (2 years ago)

Keywords: sec-high
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Keywords: csectype-intoverflow
status-firefox-esr45: --- → affected

Updated by Reporter (2 years ago)

Duplicate of this bug: 1275137
status-firefox48: --- → fixed
status-firefox49: --- → fixed
status-firefox50: --- → fixed
status-firefox-esr45: affected → fixed
tracking-firefox-esr45: --- → 48+
Group: core-security-release