Closed Bug 1258783 Opened 9 years ago Closed 9 years ago

OpenH264: Invalid write in [@WelsDec::WelsDecodeMbCavlcPSlice]

Categories

(Core :: Audio/Video: GMP, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox48 --- fixed
firefox49 --- fixed
firefox-esr45 48+ fixed
firefox50 --- fixed

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-high, testcase)

Attachments

(1 file)

Attached file test_case.264
+++ This bug was initially created as a clone of Bug #1258737 +++

Found while fuzzing openh264 revision 8103988cde08ab26b74985862f419d79d96ae317

To reproduce, run h264dec under valgrind with the attached test case.

Invalid write of size 1
   at 0x42B89A: WelsDec::WelsDecodeMbCavlcPSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) (decode_slice.cpp:1917)
   by 0x4288AE: WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) (decode_slice.cpp:1229)
   by 0x40BF1F: WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2278)
   by 0x40CF18: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:2003)
   by 0x404114: WelsDecodeBs (decoder.cpp:788)
   by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504)
   by 0x401F3E: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:432)
   by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208)
   by 0x401363: main (h264dec.cpp:347)
 Address 0x5df7eb0 is 19,216 bytes inside a block of size 43,035 free'd
   at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x40A04A: WelsDec::UninitialDqLayersContext(WelsDec::TagWelsDecoderContext*) (decoder_core.cpp:1427)
   by 0x40A2BC: WelsDec::InitialDqLayersContext(WelsDec::TagWelsDecoderContext*, int, int) (decoder_core.cpp:1242)
   by 0x404637: SyncPictureResolutionExt (decoder.cpp:828)
   by 0x40CEFF: WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (decoder_core.cpp:1995)
   by 0x4045C6: WelsDecodeBs (decoder.cpp:755)
   by 0x402CFE: WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:504)
   by 0x401F28: WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (welsDecoderExt.cpp:427)
   by 0x401C47: H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (h264dec.cpp:208)
   by 0x401363: main (h264dec.cpp:347)
It has been fixed on the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f. Please help to check it. Thanks.
Verified with openh264 revision c0641f40d91b8cb47f287bf26dc48d51a476c325.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
(In reply to Haibo Zhu from comment #1)
> It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f

This is the same commit as the one that fixes bug 1258737 -- are they the same underlying problem or is one of these commits the wrong one?
Flags: needinfo?(haibozhu)
(In reply to Daniel Veditz [:dveditz] from comment #3)
> (In reply to Haibo Zhu from comment #1)
> > It has been fixed at the master branch, commit e52c6eacb06fadf98b9163640d4da0cc1c37997f
>
> This is the same commit as the one that fixes bug 1258737 -- are they the
> same underlying problem or is one of these commits the wrong one?

Yes, they are the same underlying problem. Not the wrong commit.
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core