Closed
Bug 1266129
Opened 9 years ago
Closed 9 years ago
FFMPEG: heap-buffer-overflow read in [@av_packet_split_side_data]
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla49

Branch | Tracking | Status
---|---|---
firefox46 | --- | unaffected
firefox47 | --- | fixed
firefox48 | --- | fixed
firefox49 | + | fixed
firefox-esr45 | --- | unaffected
People
(Reporter: tsmith, Assigned: jya)
Details
(4 keywords, Whiteboard: [post-critsmash-triage])
Attachments
(6 files)
- 15.24 KB, text/plain
- 221.80 KB, text/html
- 165.25 KB, video/webm
- 91.90 KB, text/plain
- 1.51 KB, patch
- 6.14 KB, patch (ajones: review+; ritu: approval-mozilla-aurora+, approval-mozilla-beta+; abillings: sec-approval+)
I found this while fuzzing a nightly build of the browser, not a standalone ffmpeg build.
==12364==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000002375 at pc 0x7f830c50a645 bp 0x7f82ee11ebc0 sp 0x7f82ee11ebb8
READ of size 8 at 0x617000002375 thread T110 (MediaPD~oder #2)
#0 0x7f830c50a644 in av_packet_split_side_data /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/ffvpx/libavcodec/avpacket.c:396:51
#1 0x7f830c5c253d in avcodec_decode_video2 /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/ffvpx/libavcodec/utils.c:2115
#2 0x7f8345fa91a7 in mozilla::FFmpegVideoDecoder<46465650>::DoDecodeFrame(mozilla::MediaRawData*, unsigned char*, int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:242
#3 0x7f8345fa8a61 in mozilla::FFmpegVideoDecoder<46465650>::DoDecodeFrame(mozilla::MediaRawData*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:191
#4 0x7f8345faa5bd in mozilla::FFmpegVideoDecoder<46465650>::DecodeFrame(mozilla::MediaRawData*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:326
#5 0x7f8345fab077 in apply<mozilla::FFmpegVideoDecoder<LIBAV_VER>, void (mozilla::FFmpegVideoDecoder<LIBAV_VER>::*)(mozilla::MediaRawData *)> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:676
#6 0x7f8345fab077 in nsRunnableMethodImpl<void (mozilla::FFmpegVideoDecoder<46465650>::*)(mozilla::MediaRawData*), true, RefPtr<mozilla::MediaRawData> >::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:870
#7 0x7f8340bb97d0 in mozilla::TaskQueue::Runner::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/TaskQueue.cpp:171
#8 0x7f8340bced83 in nsThreadPool::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#9 0x7f8340bcf3bc in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#10 0x7f8340bc8340 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:994
#11 0x7f8340c41eca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
#12 0x7f8341935df1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:340
#13 0x7f83418accfc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
#14 0x7f83418accfc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
#15 0x7f83418accfc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
#16 0x7f8340bc3d8e in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:396
#17 0x7f8356f8d3ef in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
#18 0x7f835a4be181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
#19 0x7f83595b047c (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)
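The crash above is an out-of-bounds read while av_packet_split_side_data() walks the side-data trailer that FFmpeg appends to a packet. As an added example (this is not FFmpeg's code and not the upstream fix, which this page does not reproduce), the C below implements a bounds-checked walker for that trailer layout as I understand it from libavcodec/avpacket.c: each element is written as its data, a big-endian 32-bit size and a type byte whose high bit marks the first-written element, and the whole trailer is terminated by a 64-bit marker. The marker constant and the layout are stated from memory and should be treated as assumptions; the sample packets are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Trailer terminator (FF_MERGE_MARKER in FFmpeg, quoted from memory: assumption). */
#define MERGE_MARKER 0x8c4d9d108e25e9feULL
#define MAX_ELEMS    32

struct side_elem { uint8_t type; uint32_t size; const uint8_t *data; };

static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rb64(const uint8_t *p) { return ((uint64_t)rb32(p) << 32) | rb32(p + 4); }

/* Walk the trailer backwards from the marker. Every offset is checked against the
 * start of the buffer before it is dereferenced, so a size field claiming more bytes
 * than precede it, or a chain that never sets the end-of-chain bit, is rejected
 * rather than read out of bounds.
 * Returns the element count (>= 1), 0 if there is no trailer, -1 if malformed. */
int split_side_data(const uint8_t *buf, size_t len,
                    struct side_elem *out, int max_out, size_t *payload_len)
{
    if (len < 13 || rb64(buf + len - 8) != MERGE_MARKER)   /* marker + one 5-byte header */
        return 0;
    size_t pos = len - 8;                     /* bytes [0, pos) not yet consumed */
    int n = 0;
    for (;;) {
        if (pos < 5)
            return -1;                        /* header would start before the buffer */
        pos -= 5;
        uint32_t size = rb32(buf + pos);
        uint8_t  type = buf[pos + 4];
        if (size > pos || n >= max_out)
            return -1;                        /* data before buffer start, or too many elements */
        pos -= size;
        out[n].type = type & 0x7f;
        out[n].size = size;
        out[n].data = buf + pos;
        n++;
        if (type & 0x80)                      /* first-written element ends the chain */
            break;
    }
    if (payload_len)
        *payload_len = pos;
    return n;
}

/* Serialise [payload][element data][u32be size][type]...[u64be marker]. */
static size_t build_packet(uint8_t *dst, const uint8_t *payload, size_t plen,
                           const struct side_elem *elems, int n)
{
    size_t pos = plen;
    memcpy(dst, payload, plen);
    for (int i = 0; i < n; i++) {
        memcpy(dst + pos, elems[i].data, elems[i].size);
        pos += elems[i].size;
        for (int s = 3; s >= 0; s--)
            dst[pos++] = (uint8_t)(elems[i].size >> (s * 8));
        dst[pos++] = (uint8_t)(elems[i].type | (i == 0 ? 0x80 : 0));
    }
    for (int s = 7; s >= 0; s--)
        dst[pos++] = (uint8_t)(MERGE_MARKER >> (s * 8));
    return pos;
}

/* Constructed sample: 6-byte payload plus two elements. Returns 1 when the walker
 * yields both elements (in reverse write order) and the right payload length. */
int demo_well_formed(void)
{
    static const uint8_t payload[6] = {1, 2, 3, 4, 5, 6};
    static const uint8_t e0[3] = {0xaa, 0xbb, 0xcc}, e1[2] = {0xdd, 0xee};
    struct side_elem in[2] = { {1, 3, e0}, {2, 2, e1} }, out[MAX_ELEMS];
    uint8_t pkt[64];
    size_t plen = 0, len = build_packet(pkt, payload, 6, in, 2);
    int n = split_side_data(pkt, len, out, MAX_ELEMS, &plen);
    return n == 2 && plen == 6 &&
           out[0].type == 2 && out[0].size == 2 && memcmp(out[0].data, e1, 2) == 0 &&
           out[1].type == 1 && out[1].size == 3 && memcmp(out[1].data, e0, 3) == 0;
}

/* Constructed malformed samples built from the same one-element packet:
 * mode 0 corrupts the size field to claim more bytes than precede it,
 * mode 1 clears the end-of-chain bit so no record terminates the walk.
 * Both must return -1 instead of reading before the start of the buffer. */
int demo_malformed(int mode)
{
    static const uint8_t payload[2] = {9, 9}, e0[1] = {0x42};
    struct side_elem in[1] = { {1, 1, e0} }, out[MAX_ELEMS];
    uint8_t pkt[64];
    size_t len = build_packet(pkt, payload, 2, in, 1);   /* 2 + 1 + 5 + 8 = 16 bytes */
    if (mode == 0)
        pkt[len - 13] = 0x7f;      /* top byte of the u32 size field */
    else
        pkt[len - 9] &= 0x7f;      /* type byte of the first-written element */
    return split_side_data(pkt, len, out, MAX_ELEMS, NULL);
}
```

The design point is that the walker never trusts a length it has just read: the distance back to the start of the buffer is compared before every step, and an unterminated chain fails closed when that distance runs out. The two malformed samples are the classes of input a fuzzer produces against this kind of trailer format, and a parser that is fed decoder packets of attacker-controlled size has to reject both.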
Comment 1 • 9 years ago
Which revision / checkout of ffmpeg is this from?
Is there some input file that one could try to reproduce with?
Reporter
Comment 2 • 9 years ago
(In reply to Michael Niedermayer [:mn] from comment #1)
> is there some input file that one could try to reproduce with ?
I'm working on collecting a valid test case at the moment. I'll post it asap.
Keywords: testcase-wanted
Reporter
Comment 3 • 9 years ago
This is the test case that reproduces the issue. I will include the .webm as well for reference, but it does not trigger the issue on its own. The key to this seems to be 'v.playbackRate=100.00;'
Reporter
Updated • 9 years ago
Keywords: testcase-wanted → testcase
Reporter
Comment 4 • 9 years ago
Reporter
Comment 5 • 9 years ago
Comment 6 • 9 years ago
Can you try the attached patch?
It might fix this, but as I haven't reproduced the issue I can't say for sure.
If it fixes it then I'll apply it to ffmpeg master and backport to the release branches.
Assignee
Comment 7 • 9 years ago
(In reply to Michael Niedermayer [:mn] from comment #6)
> Created attachment 8743530 [details] [diff] [review]
> potential fix
>
> Can you try the attached patch?
> It might fix this, but as I haven't reproduced the issue I can't say for sure.
> If it fixes it then I'll apply it to ffmpeg master and backport to the
> release branches.
This is version n3.0-1-g0aa2fbd
Reporter
Comment 8 • 9 years ago
(In reply to Michael Niedermayer [:mn] from comment #6)
> Created attachment 8743530 [details] [diff] [review]
> potential fix
>
> Can you try the attached patch?
> It might fix this, but as I haven't reproduced the issue I can't say for sure.
> If it fixes it then I'll apply it to ffmpeg master and backport to the
> release branches.
I cannot reproduce the issue with the patch applied.
Comment 9 • 9 years ago
Patch applied to ffmpeg master, locally backported to releases; should be in the next release from each branch.
Assignee
Comment 10 • 9 years ago
FWIW, I can't reproduce it with my local asan build, which doesn't have the new ffmpeg patch applied.
Assignee
Updated • 9 years ago
Assignee: nobody → jyavenard
Assignee
Comment 11 • 9 years ago
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Doubtful how it could be exploited.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? no, generic upgrade version.
Which older supported branches are affected by this flaw? 47
If not all supported branches, which bug introduced the flaw? Likely a long time ago, as the bug is also in the stock system FFmpeg that we used to rely on.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? very simple to backport.
How likely is this patch to cause regressions; how much testing does it need? changes are minor. so very low
Upgrade ffvpx to 3.0.2, which includes the fix.
Attachment #8746493 -
Flags: sec-approval?
Attachment #8746493 -
Flags: review?(ajones)
Updated • 9 years ago
Attachment #8746493 -
Flags: review?(ajones) → review+
Comment 12 • 9 years ago
sec-approval+ for trunk. We'll want this on Aurora and Beta (48 and 47) since those are the only other branches affected.
status-firefox46:
--- → unaffected
status-firefox47:
--- → affected
status-firefox49:
--- → affected
status-firefox-esr45:
--- → unaffected
tracking-firefox49:
--- → +
Updated • 9 years ago
Attachment #8746493 -
Flags: sec-approval? → sec-approval+
Assignee
Updated • 9 years ago
Keywords: checkin-needed
Comment 13 • 9 years ago
Keywords: checkin-needed
Comment 14 • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Hi Jean-Yves, could you please nominate patches for uplift to Beta47 and Aurora48? Thanks!
Flags: needinfo?(jyavenard)
Assignee
Comment 16 • 9 years ago
Comment on attachment 8746493 [details] [diff] [review]
0001-Bug-1266129-ffmpeg-Upgrade-ffvpx-to-3.0.2.-r-kentuck.patch
Approval Request Comment
[Feature/regressing bug #]: 1266129
[User impact if declined]: heap overflow, potential security issue
[Describe test coverage new/current, TreeHerder]: in central,
[Risks and why]: low, rejecting data that could potentially cause the overflow
[String/UUID change made/needed]: none
Flags: needinfo?(jyavenard)
Attachment #8746493 -
Flags: approval-mozilla-beta?
Attachment #8746493 -
Flags: approval-mozilla-aurora?
Comment on attachment 8746493 [details] [diff] [review]
0001-Bug-1266129-ffmpeg-Upgrade-ffvpx-to-3.0.2.-r-kentuck.patch
Sec-high, Aurora48+, Beta47+
Attachment #8746493 -
Flags: approval-mozilla-beta?
Attachment #8746493 -
Flags: approval-mozilla-beta+
Attachment #8746493 -
Flags: approval-mozilla-aurora?
Attachment #8746493 -
Flags: approval-mozilla-aurora+
Updated • 9 years ago
Group: media-core-security → core-security-release
Updated • 9 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated • 8 years ago
Group: core-security-release