Bug 1258783 - OpenH264: Invalid write in [@WelsDec::WelsDecodeMbCavlcPSlice]
Status: Closed (opened 9 years ago, closed 9 years ago)
Categories: Core :: Audio/Video: GMP, defect
Reporter: tsmith (Unassigned, NeedInfo)
References: Blocks 1 open bug
Keywords: crash, sec-high, testcase
Attachments: 1 file (3.00 KB, application/octet-stream)

Description
+++ This bug was initially created as a clone of Bug #1258737 +++
Found while fuzzing openh264 revision 8103988cde08ab26b74985862f419d79d96ae317
To reproduce, run h264dec under valgrind with the attached test case.
Invalid write of size 1
at 0x42B89A: WelsDec::WelsDecodeMbCavlcPSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) (decode_slice.cpp:1917)
by 0x4288AE: WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) (decode_slice.cpp:1229)
by 0x40BF1F: WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2278)
by 0x40CF18: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2003)
by 0x404114: WelsDecodeBs (decoder.cpp:788)
by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504)
by 0x401F3E: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:432)
by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208)
by 0x401363: main (h264dec.cpp:347)
Address 0x5df7eb0 is 19,216 bytes inside a block of size 43,035 free'd
at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x40A04A: WelsDec::UninitialDqLayersContext(WelsDec::TagWelsDecoderContext*) (decoder_core.cpp:1427)
by 0x40A2BC: WelsDec::InitialDqLayersContext(WelsDec::TagWelsDecoderContext*, int, int) (decoder_core.cpp:1242)
by 0x404637: SyncPictureResolutionExt (decoder.cpp:828)
by 0x40CEFF: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:1995)
by 0x4045C6: WelsDecodeBs (decoder.cpp:755)
by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504)
by 0x401F28: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:427)
by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208)
by 0x401363: main (h264dec.cpp:347)
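The memcheck report above has the shape a fuzzing pipeline sees for every crash: an "Invalid write" header, the stack of the bad access, then an "Address ... free'd" line and the stack of the free. The script below is an added triage helper, not part of openh264, h264dec or this report; it parses that shape into a structure, classifies the error (a write into a free'd block is a use-after-free, an access before or after an alloc'd block is a heap overflow) and names the first frame with a source location, skipping the valgrind shim and libc frames. The sample report is a constructed abridgement of the trace in this bug; the "==PID==" prefix handling covers what a live valgrind run prints.

```python
"""Triage helper for valgrind memcheck 'Invalid read/write' reports.

Added example; not part of openh264, h264dec or the original bug report.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the memcheck output in this bug.
SAMPLE_REPORT = """\
Invalid write of size 1
   at 0x42B89A: WelsDec::WelsDecodeMbCavlcPSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) (decode_slice.cpp:1917)
   by 0x4288AE: WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) (decode_slice.cpp:1229)
   by 0x401363: main (h264dec.cpp:347)
 Address 0x5df7eb0 is 19,216 bytes inside a block of size 43,035 free'd
   at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x40A04A: WelsDec::UninitialDqLayersContext(WelsDec::TagWelsDecoderContext*) (decoder_core.cpp:1427)
   by 0x401363: main (h264dec.cpp:347)
"""

PID_RE = re.compile(r"^==\d+==\s?")  # "==1234== " prefix on a live valgrind run
HEADER_RE = re.compile(r"^Invalid (?P<op>read|write) of size (?P<size>\d+)")
FRAME_RE = re.compile(
    r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(?P<func>.+?)\s+\((?P<loc>[^()]*)\)\s*$"
)
ADDR_RE = re.compile(
    r"^\s*Address 0x[0-9A-Fa-f]+ is (?P<offset>[\d,]+) bytes "
    r"(?P<where>inside|before|after) a block of size (?P<bsize>[\d,]+) "
    r"(?P<state>free'd|alloc'd)"
)
SRC_LOC_RE = re.compile(r".+:\d+$")  # "file.cpp:123", as opposed to "in /lib/..."


@dataclass
class MemcheckError:
    op: str                                              # "read" or "write"
    size: int                                            # bytes accessed
    frames: list = field(default_factory=list)           # (func, loc) of the bad access
    origin_state: str = ""                               # "free'd", "alloc'd" or ""
    origin_frames: list = field(default_factory=list)    # (func, loc) of free()/malloc()
    offset: int = -1                                     # distance into/from the block
    block_size: int = -1
    where: str = ""                                      # "inside", "before", "after"


def parse_memcheck(text):
    """Parse the first 'Invalid read/write' error in a memcheck log, or None."""
    err = None
    target = None
    for raw in text.splitlines():
        line = PID_RE.sub("", raw)
        m = HEADER_RE.match(line)
        if m:
            if err is not None:
                break  # a second error starts here; only the first is wanted
            err = MemcheckError(m["op"], int(m["size"]))
            target = err.frames
            continue
        if err is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            err.offset = int(m["offset"].replace(",", ""))
            err.block_size = int(m["bsize"].replace(",", ""))
            err.where = m["where"]
            err.origin_state = m["state"]
            target = err.origin_frames  # frames that follow describe the free/alloc
            continue
        m = FRAME_RE.match(line)
        if m:
            target.append((m["func"], m["loc"]))
    return err


def classify(err):
    """Bug class from where the faulting address lies relative to its block."""
    if err.origin_state == "free'd":
        return "use-after-free"
    if err.origin_state == "alloc'd" and err.where in ("before", "after"):
        return "heap-buffer-overflow"
    return "unknown"  # no block info: wild pointer or non-heap address


def first_target_frame(frames):
    """First (func, loc) with a source location; skips libc and valgrind shims."""
    for func, loc in frames:
        if SRC_LOC_RE.match(loc):
            return func, loc
    return None


def summarize(err):
    """One-line triage summary of the kind a fuzzing pipeline would file."""
    fault = first_target_frame(err.frames)
    origin = first_target_frame(err.origin_frames)
    parts = [f"{classify(err)}: {err.op} of {err.size} byte(s)"]
    if fault:
        parts.append(f"at {fault[1]} ({fault[0].split('(')[0]})")
    if err.origin_state:
        parts.append(f"{err.offset} bytes {err.where} a {err.block_size}-byte block {err.origin_state}")
    if origin:
        parts.append(f"at {origin[1]} ({origin[0].split('(')[0]})")
    return " ".join(parts)


if __name__ == "__main__":
    print(summarize(parse_memcheck(SAMPLE_REPORT)))
```

Run against the sample it reports a use-after-free: a 1-byte write in decode_slice.cpp:1917 landing 19216 bytes into a 43035-byte block that decoder_core.cpp:1427 had already freed. Keying deduplication on the (class, fault frame, origin frame) triple rather than on the raw stack is what lets two test cases with different stacks but the same root cause, as in this bug and bug 1258737, collapse into one report.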
Comment 1 (Haibo Zhu)
It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f
Please help to check it. Thanks.
Comment 2 • 9 years ago (tsmith, reporter)
Verified with openh264 revision c0641f40d91b8cb47f287bf26dc48d51a476c325.
Updated • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Group: media-core-security → core-security-release
Comment 3 • 9 years ago (Daniel Veditz [:dveditz])
(In reply to Haibo Zhu from comment #1)
> It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f
This is the same commit as the one that fixes bug 1258737 -- are they the same underlying problem or is one of these commits the wrong one?
Flags: needinfo?(haibozhu)
Updated • 9 years ago
status-firefox-esr45: --- → affected
Comment (Haibo Zhu)
(In reply to Daniel Veditz [:dveditz] from comment #3)
> (In reply to Haibo Zhu from comment #1)
> > It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f
>
> This is the same commit as the one that fixes bug 1258737 -- are they the
> same underlying problem or is one of these commits the wrong one?
Yes, they are the same underlying problem. Not the wrong commit.
Updated • 8 years ago
status-firefox48: --- → fixed
status-firefox49: --- → fixed
status-firefox50: --- → fixed
tracking-firefox-esr45: --- → 48+
Updated • 8 years ago
Group: core-security-release
Updated • 2 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core