Closed Bug 1258783 Opened 6 years ago Closed 6 years ago

OpenH264: Invalid write in [@WelsDec::WelsDecodeMbCavlcPSlice]

Categories

(External Software Affecting Firefox :: OpenH264, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

(firefox48 fixed, firefox49 fixed, firefox-esr45 48+ fixed, firefox50 fixed)

RESOLVED FIXED

Tracking Status
firefox48 --- fixed
firefox49 --- fixed
firefox-esr45 48+ fixed
firefox50 --- fixed

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-high, testcase)

Attachments

(1 file)

Attached file test_case.264 (3.00 KB, application/octet-stream)
+++ This bug was initially created as a clone of Bug #1258737 +++

Found while fuzzing openh264 revision 8103988cde08ab26b74985862f419d79d96ae317

To reproduce, run h264dec under valgrind with the attached test case.

Invalid write of size 1
   at 0x42B89A: WelsDec::WelsDecodeMbCavlcPSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) (decode_slice.cpp:1917)
   by 0x4288AE: WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) (decode_slice.cpp:1229)
   by 0x40BF1F: WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2278)
   by 0x40CF18: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2003)
   by 0x404114: WelsDecodeBs (decoder.cpp:788)
   by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504)
   by 0x401F3E: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:432)
   by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208)
   by 0x401363: main (h264dec.cpp:347)
 Address 0x5df7eb0 is 19,216 bytes inside a block of size 43,035 free'd
   at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x40A04A: WelsDec::UninitialDqLayersContext(WelsDec::TagWelsDecoderContext*) (decoder_core.cpp:1427)
   by 0x40A2BC: WelsDec::InitialDqLayersContext(WelsDec::TagWelsDecoderContext*, int, int) (decoder_core.cpp:1242)
   by 0x404637: SyncPictureResolutionExt (decoder.cpp:828)
   by 0x40CEFF: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:1995)
   by 0x4045C6: WelsDecodeBs (decoder.cpp:755)
   by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504)
   by 0x401F28: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:427)
   by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208)
   by 0x401363: main (h264dec.cpp:347)

It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f
Please help to check it. Thanks.

Verified with openh264 revision c0641f40d91b8cb47f287bf26dc48d51a476c325.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
(In reply to Haibo Zhu from comment #1)
> It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f

This is the same commit as the one that fixes bug 1258737 -- are they the same underlying problem or is one of these commits the wrong one?
Flags: needinfo?(haibozhu)
(In reply to Daniel Veditz [:dveditz] from comment #3)
> (In reply to Haibo Zhu from comment #1)
> > It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f
> 
> This is the same commit as the one that fixes bug 1258737 -- are they the
> same underlying problem or is one of these commits the wrong one?

Yes, they are the same underlying problem. Not the wrong commit.
Group: core-security-release