Closed Bug 1275137 Opened 8 years ago Closed 8 years ago

Multiple crashes in openh264

Categories

(Core :: Audio/Video: GMP, defect, P1)

RESOLVED DUPLICATE of bug 1258737

People

(Reporter: bperry.volatile, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

Hi, I am not sure if these bugs are potentially under the Mozilla Bug Bounty since FF ships with this codec by default. If you guys feel these aren't your problem though, I can talk to Cisco. 

I have been fuzzing openh264 and have found a handful of potentially sensitive crashes. I have used AFL to minimize and ASan to verify, but I am afraid there are likely still some functional duplicates in regards to the root cause.

I used the h264dec sample utility shipped with openh264 to perform the actual fuzzing, but the crashes happen in the library itself, which is also used by Firefox. I used the latest codec available from Cisco's Github repository (https://github.com/cisco/openh264).

To build openh264 with ASan I used the following command:

CFLAGS="-fsanitize=address -fno-omit-frame-pointer" CXXFLAGS=$CFLAGS LDFLAGS="-fsanitize=address" CC=clang CXX=clang++ make


Once compiled, the h264dec binary at the root of the project should be ASan ready and you can begin sending the inputs to the binary and seeing the results.


Actual results:

The attached zip file contains 118 h264 streams and the stack traces for openh264 for each input, showing the ASan information as well.

Example stack trace, hopefully formatting sticks a bit:

==24112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000070410 at pc 0x000000516adf bp 0x7fff31f0e4e0 sp 0x7fff31f0e4d8
READ of size 1 at 0x62d000070410 thread T0
    #0 0x516ade in WelsDec::FmoNextMb(WelsDec::TagFmo*, short) (/root/openh264_asan/h264dec+0x516ade)
    #1 0x574314 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) (/root/openh264_asan/h264dec+0x574314)
    #2 0x50ae6c in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/root/openh264_asan/h264dec+0x50ae6c)
    #3 0x50851f in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/root/openh264_asan/h264dec+0x50851f)
    #4 0x4f35f6 in WelsDecodeBs (/root/openh264_asan/h264dec+0x4f35f6)
    #5 0x4ec64f in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) (/root/openh264_asan/h264dec+0x4ec64f)
    #6 0x4ec0b9 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) (/root/openh264_asan/h264dec+0x4ec0b9)
    #7 0x4e84f0 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*) (/root/openh264_asan/h264dec+0x4e84f0)
    #8 0x4ea184 in main (/root/openh264_asan/h264dec+0x4ea184)
    #9 0x7f59a09dba3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #10 0x4401a8 in _start (/root/openh264_asan/h264dec+0x4401a8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 WelsDec::FmoNextMb(WelsDec::TagFmo*, short)
Shadow bytes around the buggy address:
  0x0c5a80006030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80006040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80006050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80006060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80006070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5a80006080: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a80006090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a800060a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a800060b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a800060c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a800060d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24112==ABORTING



Expected results:

I don't think it should crash with these h264 streams.

In all seriousness, because I have so many, I am not sure how to provide the best information for you guys in this bug report. Please reach out for more information if the stack traces.
Benjamin, can you ping the right people here?
Group: firefox-core-security → core-security
Component: Untriaged → OpenH264
Flags: needinfo?(benjamin)
Product: Firefox → External Software Affecting Firefox
Flags: sec-bounty?
Flags: needinfo?(benjamin) → needinfo?(mreavy)
Thanks for cc'ing me. I didn't see this because OpenH264 sec bugs aren't part of Media.  If we can get OpenH264 bugs included under Media, jesup and I will see these immediately.
Flags: needinfo?(mreavy)
This is very helpful, thanks.  I won't speak to bounty; I'll let the sec team and Cisco speak to that, and will focus on the bugs.

One thing that will help will be to provide the hash/etc for the code you're testing, since you're using the unstable upstream repo, and not the OpenH264 release branches (which *should* be clean, but obviously might not be).  Some of these crashes might be due to updates since the last release branch, or code under development.  

It would be helpful (where possible) to repeat the inputs to a build done off the latest release branch, since that tells us if it affects installations in the field.

Also in some cases bugs found with h264dec/enc might not apply to the plugin, or to the code as released (due to build options) - but please report anything you find, so we can figure out what's going on.  We do run all the OpenH264 code in a sandbox, as an extra layer of security.

Please file bugs for each distinct stacktrace-crash; if they happen to be instances of the same underlying bug we can dup them.
Flags: needinfo?(bperry.volatile)
The latest commit for openh264 that I used when reproing the issues is:

commit 316f740630f6a9cff3ce0c32e66cc419ae4a5507
Merge: ac6cf87 d4f09d9
Author: sijchen <sijchen@cisco.com>
Date:   Thu Mar 3 09:47:20 2016 -0800

    Merge pull request #2390 from sijchen/th012
    
    [Common] put CWelsThreadPool to singleTon for future usage
I've now tested against openh264v1.5.1 branch on the github repo. Many/most of the samples are still viable.

Wall of text:

./id:000000,sig:11,src:001298+002499,op:splice,rep:32.asan:==23499==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5fd5a37810 (pc 0x000000574f17 bp 0x7ffe896244b0 sp 0x7ffe89624360 T0)
./id:000001,sig:11,src:003120,op:havoc,rep:16.asan:==26899==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffd049bcaa0 sp 0x7ffd049bca98
./id:000005,sig:11,src:003084,op:havoc,rep:2.asan:==1537==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7fff95a1f6a0 sp 0x7fff95a1f698
./id:000017,sig:11,src:003110,op:havoc,rep:128.asan:==14025==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb74b47d810 (pc 0x000000574f17 bp 0x7ffc8c03c890 sp 0x7ffc8c03c740 T0)
./id:000021,sig:11,src:003097,op:havoc,rep:128.asan:==6272==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3cd3361810 (pc 0x000000574f17 bp 0x7ffd23f45270 sp 0x7ffd23f45120 T0)
./id:000023,sig:11,src:003143+001148,op:splice,rep:128.asan:==10323==ERROR: AddressSanitizer: SEGV on unknown address 0x7f300f35a810 (pc 0x000000574f17 bp 0x7ffc7e557030 sp 0x7ffc7e556ee0 T0)
./id:000024,sig:11,src:003143+000851,op:splice,rep:64.asan:==14570==ERROR: AddressSanitizer: SEGV on unknown address 0x7f14e0b12810 (pc 0x000000574f17 bp 0x7ffc6633a3d0 sp 0x7ffc6633a280 T0)
./id:000025,sig:11,src:003143+000851,op:splice,rep:32.asan:==27550==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7fa1914810 (pc 0x000000574f17 bp 0x7fffe57a29f0 sp 0x7fffe57a28a0 T0)
./id:000026,sig:11,src:003143+000851,op:splice,rep:64.asan:==31252==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc17f30e810 (pc 0x000000574f17 bp 0x7ffd20467470 sp 0x7ffd20467320 T0)
./id:000027,sig:11,src:003143+000851,op:splice,rep:32.asan:==1592==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7383879810 (pc 0x000000574f17 bp 0x7ffde3b567b0 sp 0x7ffde3b56660 T0)
./id:000028,sig:11,src:003110,op:havoc,rep:8.asan:==4540==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc2ff7d7810 (pc 0x000000574f17 bp 0x7fff68793930 sp 0x7fff687937e0 T0)
./id:000028,sig:11,src:003143+000851,op:splice,rep:64.asan:==8545==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb4e6b03810 (pc 0x000000574f17 bp 0x7ffc1bd47ef0 sp 0x7ffc1bd47da0 T0)
./id:000029,sig:11,src:003143+000851,op:splice,rep:128.asan:==24105==ERROR: AddressSanitizer: SEGV on unknown address 0x7fed5630f810 (pc 0x000000574f17 bp 0x7ffd63bbd270 sp 0x7ffd63bbd120 T0)
./id:000032,sig:11,src:003120,op:havoc,rep:128.asan:==29329==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3e50e40810 (pc 0x000000574f17 bp 0x7ffe18536b50 sp 0x7ffe18536a00 T0)
./id:000039,sig:11,src:003097,op:havoc,rep:128.asan:==13002==ERROR: AddressSanitizer: SEGV on unknown address 0x7fca3b774810 (pc 0x000000574f17 bp 0x7ffd4d40d270 sp 0x7ffd4d40d120 T0)
./id:000039,sig:11,src:003113,op:havoc,rep:32.asan:==18505==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5cb13ea810 (pc 0x000000574f17 bp 0x7ffe08194130 sp 0x7ffe08193fe0 T0)
./id:000042,sig:11,src:003110,op:havoc,rep:128.asan:==23687==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000148410 at pc 0x000000517b8f bp 0x7ffeed7d4f40 sp 0x7ffeed7d4f38
./id:000043,sig:11,src:003144,op:havoc,rep:128.asan:==29257==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7f9f253810 (pc 0x000000574f17 bp 0x7ffc237ad510 sp 0x7ffc237ad3c0 T0)
./id:000047,sig:11,src:003097,op:havoc,rep:128.asan:==2132==ERROR: AddressSanitizer: SEGV on unknown address 0x7fe16e59b810 (pc 0x000000574f17 bp 0x7fff92840970 sp 0x7fff92840820 T0)
./id:000071,sig:11,src:003110,op:havoc,rep:64.asan:==7825==ERROR: AddressSanitizer: SEGV on unknown address 0x7f10255bc810 (pc 0x000000574f17 bp 0x7ffe405ba210 sp 0x7ffe405ba0c0 T0)
./id:000074,sig:11,src:003144,op:havoc,rep:128.asan:==13254==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6c7229d810 (pc 0x000000574f17 bp 0x7ffeaab72d30 sp 0x7ffeaab72be0 T0)
./id:000078,sig:11,src:003144,op:havoc,rep:128.asan:==18146==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7d0b89b810 (pc 0x000000574f17 bp 0x7ffee6afbb10 sp 0x7ffee6afb9c0 T0)
./id:000079,sig:11,src:003097+002954,op:splice,rep:64.asan:==23249==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb20b226810 (pc 0x000000574f17 bp 0x7fff050638d0 sp 0x7fff05063780 T0)
./id:000080,sig:11,src:003097+002954,op:splice,rep:32.asan:==28101==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff6710d8810 (pc 0x000000574f17 bp 0x7ffc75fa4c70 sp 0x7ffc75fa4b20 T0)
./id:000081,sig:11,src:003097+002954,op:splice,rep:32.asan:==1222==ERROR: AddressSanitizer: SEGV on unknown address 0x7f2a55385810 (pc 0x000000574f17 bp 0x7ffca7f14170 sp 0x7ffca7f14020 T0)
./id:000083,sig:11,src:003085,op:havoc,rep:128.asan:==6431==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0bb7c4e810 (pc 0x000000574f17 bp 0x7ffe5033ebd0 sp 0x7ffe5033ea80 T0)
./id:000083,sig:11,src:003098,op:havoc,rep:32.asan:==10488==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffd8a877580 sp 0x7ffd8a877578
./id:000087,sig:11,src:003120,op:havoc,rep:128.asan:==14277==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffeb7dff7c0 sp 0x7ffeb7dff7b8
./id:000090,sig:11,src:003120,op:havoc,rep:128.asan:==18218==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffe5f3dc720 sp 0x7ffe5f3dc718
./id:000090,sig:11,src:003144+002726,op:splice,rep:128.asan:==22068==ERROR: AddressSanitizer: SEGV on unknown address 0x7f88c97ec810 (pc 0x000000574f17 bp 0x7ffd41427190 sp 0x7ffd41427040 T0)
./id:000092,sig:11,src:003144+002798,op:splice,rep:2.asan:==26443==ERROR: AddressSanitizer: SEGV on unknown address 0x7f22cd32c810 (pc 0x000000574f17 bp 0x7ffca51ea9d0 sp 0x7ffca51ea880 T0)
./id:000093,sig:11,src:003085+001662,op:splice,rep:64.asan:==30225==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3dcaa67810 (pc 0x000000574f17 bp 0x7ffe9f703f70 sp 0x7ffe9f703e20 T0)
./id:000094,sig:11,src:003085+001133,op:splice,rep:2.asan:==2324==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffa11841810 (pc 0x000000574f17 bp 0x7fffd7054010 sp 0x7fffd7053ec0 T0)
./id:000095,sig:11,src:003085+001133,op:splice,rep:128.asan:==6495==ERROR: AddressSanitizer: SEGV on unknown address 0x7f557f257810 (pc 0x000000574f17 bp 0x7fff22ee89f0 sp 0x7fff22ee88a0 T0)
./id:000096,sig:11,src:003085+001133,op:splice,rep:128.asan:==10475==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd1a6613810 (pc 0x000000574f17 bp 0x7ffd24a9edb0 sp 0x7ffd24a9ec60 T0)
./id:000097,sig:11,src:003085+001133,op:splice,rep:64.asan:==14711==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0f030c1810 (pc 0x000000574f17 bp 0x7ffd56abbf10 sp 0x7ffd56abbdc0 T0)
./id:000097,sig:11,src:003113,op:havoc,rep:64.asan:==18959==ERROR: AddressSanitizer: SEGV on unknown address 0x7f961a385810 (pc 0x000000574f17 bp 0x7ffc6a9e2710 sp 0x7ffc6a9e25c0 T0)
./id:000098,sig:11,src:003085+001133,op:splice,rep:64.asan:==23246==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb88fbba810 (pc 0x000000574f17 bp 0x7ffc9f9bec30 sp 0x7ffc9f9beae0 T0)
./id:000107,sig:11,src:003113,op:havoc,rep:128.asan:==27807==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8be1fea810 (pc 0x000000574f17 bp 0x7fff7eba4310 sp 0x7fff7eba41c0 T0)
./id:000108,sig:11,src:003085+001998,op:splice,rep:16.asan:==32516==ERROR: AddressSanitizer: SEGV on unknown address 0x7feb26d90810 (pc 0x000000574f17 bp 0x7fffdc2bdbf0 sp 0x7fffdc2bdaa0 T0)
./id:000109,sig:11,src:003085+001998,op:splice,rep:16.asan:==4074==ERROR: AddressSanitizer: SEGV on unknown address 0x7fdfc130d810 (pc 0x000000574f17 bp 0x7ffff5413bb0 sp 0x7ffff5413a60 T0)
./id:000110,sig:11,src:003085+001998,op:splice,rep:32.asan:==8155==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6833bbc810 (pc 0x000000574f17 bp 0x7ffccd263690 sp 0x7ffccd263540 T0)
./id:000111,sig:11,src:003137+003022,op:splice,rep:64.asan:==12830==ERROR: AddressSanitizer: SEGV on unknown address 0x7fa08146d810 (pc 0x000000574f17 bp 0x7ffc40c1c170 sp 0x7ffc40c1c020 T0)
./id:000112,sig:11,src:003085+001998,op:splice,rep:64.asan:==17328==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd66ee80810 (pc 0x000000574f17 bp 0x7ffe7c747eb0 sp 0x7ffe7c747d60 T0)
./id:000112,sig:11,src:003113,op:havoc,rep:64.asan:==21931==ERROR: AddressSanitizer: SEGV on unknown address 0x7f109bfcc810 (pc 0x000000574f17 bp 0x7ffdf5891a90 sp 0x7ffdf5891940 T0)
./id:000113,sig:11,src:003085+002659,op:splice,rep:128.asan:==26222==ERROR: AddressSanitizer: SEGV on unknown address 0x7f19602d8810 (pc 0x000000574f17 bp 0x7fff76f219d0 sp 0x7fff76f21880 T0)
./id:000114,sig:11,src:003085+001407,op:splice,rep:64.asan:==30847==ERROR: AddressSanitizer: SEGV on unknown address 0x7fee2b405810 (pc 0x000000574f17 bp 0x7fff594ee390 sp 0x7fff594ee240 T0)
./id:000117,sig:11,src:003110,op:havoc,rep:64.asan:==3121==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0e5957f810 (pc 0x000000574f17 bp 0x7fff33a40950 sp 0x7fff33a40800 T0)
./id:000120,sig:11,src:003113,op:havoc,rep:64.asan:==7540==ERROR: AddressSanitizer: SEGV on unknown address 0x7fa194a09810 (pc 0x000000574f17 bp 0x7ffe50e87650 sp 0x7ffe50e87500 T0)
./id:000127,sig:11,src:003092+002805,op:splice,rep:8.asan:==12195==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0068bae810 (pc 0x000000574f17 bp 0x7ffcbbcb1330 sp 0x7ffcbbcb11e0 T0)
./id:000128,sig:11,src:003092+002805,op:splice,rep:128.asan:==16737==ERROR: AddressSanitizer: SEGV on unknown address 0x7f2a767fc810 (pc 0x000000574f17 bp 0x7ffcf2d264b0 sp 0x7ffcf2d26360 T0)
./id:000130,sig:11,src:003092+002148,op:splice,rep:64.asan:==21384==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc827e55810 (pc 0x000000574f17 bp 0x7ffde5ec9f50 sp 0x7ffde5ec9e00 T0)
./id:000130,sig:11,src:003098,op:havoc,rep:64.asan:==25669==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7fff41b5b000 sp 0x7fff41b5aff8
./id:000130,sig:11,src:003113,op:havoc,rep:128.asan:==30223==ERROR: AddressSanitizer: SEGV on unknown address 0x7f07db67b810 (pc 0x000000574f17 bp 0x7ffe0a2e4c30 sp 0x7ffe0a2e4ae0 T0)
./id:000132,sig:11,src:003113+002730,op:splice,rep:64.asan:==4992==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc3a12e5810 (pc 0x000000574f17 bp 0x7ffe8c225110 sp 0x7ffe8c224fc0 T0)
./id:000137,sig:11,src:003092+002276,op:splice,rep:64.asan:==8864==ERROR: AddressSanitizer: SEGV on unknown address 0x7f69b58f0810 (pc 0x000000574f17 bp 0x7ffe13555290 sp 0x7ffe13555140 T0)
./id:000140,sig:11,src:003092+002854,op:splice,rep:128.asan:==12427==ERROR: AddressSanitizer: SEGV on unknown address 0x7f432ceb1810 (pc 0x000000574f17 bp 0x7ffdb38f28f0 sp 0x7ffdb38f27a0 T0)
./id:000140,sig:11,src:003137+002931,op:splice,rep:128.asan:==15326==ERROR: AddressSanitizer: SEGV on unknown address 0x7fa524b95810 (pc 0x000000574f17 bp 0x7fff930ad930 sp 0x7fff930ad7e0 T0)
./id:000141,sig:11,src:003137+002033,op:splice,rep:64.asan:==18312==ERROR: AddressSanitizer: SEGV on unknown address 0x7fec47a19810 (pc 0x000000574f17 bp 0x7fffb75c4a30 sp 0x7fffb75c48e0 T0)
./id:000148,sig:11,src:003098,op:havoc,rep:128.asan:==21573==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffee31abe00 sp 0x7ffee31abdf8
./id:000155,sig:11,src:003110,op:havoc,rep:128.asan:==24671==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0f06255810 (pc 0x000000574f17 bp 0x7ffeee586a50 sp 0x7ffeee586900 T0)
./id:000155,sig:11,src:003139,op:havoc,rep:128.asan:==28012==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8b2dcf7810 (pc 0x000000574f17 bp 0x7ffe185f0e70 sp 0x7ffe185f0d20 T0)
./id:000157,sig:11,src:003112+001276,op:splice,rep:64.asan:==31250==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1bce0b1810 (pc 0x000000574f17 bp 0x7ffee0b09970 sp 0x7ffee0b09820 T0)
./id:000158,sig:11,src:003113,op:havoc,rep:16.asan:==2193==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0707578810 (pc 0x000000574f17 bp 0x7ffdcb730c30 sp 0x7ffdcb730ae0 T0)
./id:000160,sig:11,src:001072+002894,op:splice,rep:64.asan:==5170==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb4c5f93810 (pc 0x000000574f17 bp 0x7ffe6f803b90 sp 0x7ffe6f803a40 T0)
./id:000162,sig:11,src:003139,op:havoc,rep:128.asan:==9021==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd7ca3f1810 (pc 0x000000574f17 bp 0x7ffceab06bb0 sp 0x7ffceab06a60 T0)
./id:000169,sig:11,src:003139,op:havoc,rep:128.asan:==12037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000070410 at pc 0x000000517b8f bp 0x7ffd418552a0 sp 0x7ffd41855298
./id:000174,sig:11,src:003139,op:havoc,rep:64.asan:==14620==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc70762a810 (pc 0x000000574f17 bp 0x7ffd4e4d8f30 sp 0x7ffd4e4d8de0 T0)
./id:000175,sig:11,src:003120,op:havoc,rep:128.asan:==18993==ERROR: AddressSanitizer: SEGV on unknown address 0x7f44beed3810 (pc 0x000000574f17 bp 0x7ffe2c60dcd0 sp 0x7ffe2c60db80 T0)
./id:000182,sig:11,src:003139+003009,op:splice,rep:32.asan:==23142==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd773b84810 (pc 0x000000574f17 bp 0x7fff3a1cb3f0 sp 0x7fff3a1cb2a0 T0)
./id:000183,sig:11,src:003098,op:havoc,rep:128.asan:==26910==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffd6c861420 sp 0x7ffd6c861418
./id:000183,sig:11,src:003120,op:havoc,rep:128.asan:==31563==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffd6382a720 sp 0x7ffd6382a718
./id:000184,sig:11,src:003139+001894,op:splice,rep:128.asan:==3716==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc9ed8bd810 (pc 0x000000574f17 bp 0x7ffef4382d70 sp 0x7ffef4382c20 T0)
./id:000187,sig:11,src:003113,op:havoc,rep:128.asan:==7893==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9557811810 (pc 0x000000574f17 bp 0x7ffee70d8270 sp 0x7ffee70d8120 T0)
./id:000188,sig:11,src:003139+000256,op:splice,rep:128.asan:==12163==ERROR: AddressSanitizer: SEGV on unknown address 0x7f2659571810 (pc 0x000000574f17 bp 0x7ffe8e00b5f0 sp 0x7ffe8e00b4a0 T0)
./id:000192,sig:11,src:003147,op:havoc,rep:128.asan:==16767==ERROR: AddressSanitizer: SEGV on unknown address 0x7fddc1eab810 (pc 0x000000574f17 bp 0x7fffe90a93b0 sp 0x7fffe90a9260 T0)
./id:000193,sig:11,src:003098+003000,op:splice,rep:64.asan:==21257==ERROR: AddressSanitizer: SEGV on unknown address 0x7f2f8681c810 (pc 0x000000574f17 bp 0x7ffc4e510e10 sp 0x7ffc4e510cc0 T0)
./id:000193,sig:11,src:003120+002467,op:splice,rep:64.asan:==25843==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6dfd710810 (pc 0x000000574f17 bp 0x7ffc77f5e350 sp 0x7ffc77f5e200 T0)
./id:000194,sig:11,src:003098+003000,op:splice,rep:128.asan:==30309==ERROR: AddressSanitizer: SEGV on unknown address 0x7f18e989e810 (pc 0x000000574f17 bp 0x7fff4c0a15f0 sp 0x7fff4c0a14a0 T0)
./id:000195,sig:11,src:003098+003000,op:splice,rep:128.asan:==2215==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3361366810 (pc 0x000000574f17 bp 0x7fff28e43230 sp 0x7fff28e430e0 T0)
./id:000197,sig:11,src:003110,op:havoc,rep:64.asan:==6132==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4ff1394810 (pc 0x000000574f17 bp 0x7ffc1bbb9f70 sp 0x7ffc1bbb9e20 T0)
./id:000198,sig:11,src:003113,op:havoc,rep:128.asan:==9841==ERROR: AddressSanitizer: SEGV on unknown address 0x7fdfb9b16810 (pc 0x000000574f17 bp 0x7ffc5c28d8f0 sp 0x7ffc5c28d7a0 T0)
./id:000199,sig:11,src:003147+001939,op:splice,rep:64.asan:==13152==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8cf653b810 (pc 0x000000574f17 bp 0x7ffda8d05ab0 sp 0x7ffda8d05960 T0)
./id:000202,sig:11,src:003147+001939,op:splice,rep:128.asan:==17436==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1ae395f810 (pc 0x000000574f17 bp 0x7ffd566a30b0 sp 0x7ffd566a2f60 T0)
./id:000204,sig:11,src:003113,op:havoc,rep:128.asan:==19249==ERROR: AddressSanitizer: SEGV on unknown address 0x7f05da407810 (pc 0x000000574f17 bp 0x7ffcdd129d90 sp 0x7ffcdd129c40 T0)
./id:000205,sig:11,src:003110,op:havoc,rep:64.asan:==22586==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5c38946810 (pc 0x000000574f17 bp 0x7ffe3eece1f0 sp 0x7ffe3eece0a0 T0)
./id:000207,sig:11,src:003113,op:havoc,rep:64.asan:==25875==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4a79898810 (pc 0x000000574f17 bp 0x7ffcc60a6270 sp 0x7ffcc60a6120 T0)
./id:000208,sig:11,src:003147+002739,op:splice,rep:16.asan:==29571==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6aeb1a2810 (pc 0x000000574f17 bp 0x7fff540b8c50 sp 0x7fff540b8b00 T0)
./id:000209,sig:11,src:003099,op:havoc,rep:128.asan:==777==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7fff5e2c6640 sp 0x7fff5e2c6638
./id:000212,sig:11,src:003146,op:havoc,rep:128.asan:==4254==ERROR: AddressSanitizer: SEGV on unknown address 0x7fce1dbd7810 (pc 0x000000574f17 bp 0x7fff74f08710 sp 0x7fff74f085c0 T0)
./id:000215,sig:11,src:003099,op:havoc,rep:64.asan:==8027==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffd229ef8e0 sp 0x7ffd229ef8d8
./id:000215,sig:11,src:003146+001346,op:splice,rep:8.asan:==12145==ERROR: AddressSanitizer: SEGV on unknown address 0x7f52b25a5810 (pc 0x000000574f17 bp 0x7ffd9b199590 sp 0x7ffd9b199440 T0)
./id:000216,sig:11,src:003146+001346,op:splice,rep:4.asan:==15659==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5d63bee810 (pc 0x000000574f17 bp 0x7ffde1651d50 sp 0x7ffde1651c00 T0)
./id:000221,sig:11,src:003099,op:havoc,rep:128.asan:==19452==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffeb984b4a0 sp 0x7ffeb984b498
./id:000223,sig:11,src:003137+001920,op:splice,rep:128.asan:==23159==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb54e687810 (pc 0x000000574f17 bp 0x7ffd419cc050 sp 0x7ffd419cbf00 T0)
./id:000226,sig:11,src:003137+002668,op:splice,rep:128.asan:==26771==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffdac2da480 sp 0x7ffdac2da478
./id:000229,sig:11,src:003099+002854,op:splice,rep:32.asan:==30352==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7fff1e3e9cc0 sp 0x7fff1e3e9cb8
./id:000231,sig:11,src:003099+000743,op:splice,rep:16.asan:==2358==ERROR: AddressSanitizer: SEGV on unknown address 0x7f494e284810 (pc 0x000000574f17 bp 0x7fff8d81d7b0 sp 0x7fff8d81d660 T0)
./id:000231,sig:11,src:003124+002838,op:splice,rep:16.asan:==6476==ERROR: AddressSanitizer: SEGV on unknown address 0x7fcb244c0810 (pc 0x000000574f17 bp 0x7ffff21774f0 sp 0x7ffff21773a0 T0)
./id:000232,sig:11,src:003099+000743,op:splice,rep:128.asan:==10084==ERROR: AddressSanitizer: SEGV on unknown address 0x7f187afc8810 (pc 0x000000574f17 bp 0x7ffd23717650 sp 0x7ffd23717500 T0)
./id:000233,sig:11,src:003099+000743,op:splice,rep:64.asan:==13657==ERROR: AddressSanitizer: SEGV on unknown address 0x7f393cc59810 (pc 0x000000574f17 bp 0x7fff1ffc2470 sp 0x7fff1ffc2320 T0)
./id:000233,sig:11,src:003110,op:havoc,rep:128.asan:==17250==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff768bcf810 (pc 0x000000574f17 bp 0x7ffe85b88790 sp 0x7ffe85b88640 T0)
./id:000234,sig:11,src:003099+000743,op:splice,rep:64.asan:==20709==ERROR: AddressSanitizer: SEGV on unknown address 0x7f51fb27c810 (pc 0x000000574f17 bp 0x7fff0aa1fc30 sp 0x7fff0aa1fae0 T0)
./id:000255,sig:11,src:003098+002507,op:splice,rep:128.asan:==24590==ERROR: AddressSanitizer: SEGV on unknown address 0x7f2de8130810 (pc 0x000000574f17 bp 0x7ffce8173990 sp 0x7ffce8173840 T0)
./id:000275,sig:11,src:003110+002070,op:splice,rep:64.asan:==28394==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffcece78000 sp 0x7ffcece77ff8
./id:000278,sig:11,src:003110+002063,op:splice,rep:32.asan:==32141==ERROR: AddressSanitizer: SEGV on unknown address 0x7f04ca304810 (pc 0x000000574f17 bp 0x7ffd5e8bd8d0 sp 0x7ffd5e8bd780 T0)
./id:000280,sig:11,src:003110+002063,op:splice,rep:128.asan:==3395==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc313fdb810 (pc 0x000000574f17 bp 0x7ffe68cff310 sp 0x7ffe68cff1c0 T0)
./id:000294,sig:11,src:003111+001510,op:splice,rep:128.asan:==6905==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e0000b8410 at pc 0x000000517b8f bp 0x7ffc217bd260 sp 0x7ffc217bd258
./id:000296,sig:11,src:003112,op:havoc,rep:64.asan:==10836==ERROR: AddressSanitizer: SEGV on unknown address 0x7fcde77b5810 (pc 0x000000574f17 bp 0x7ffc93466070 sp 0x7ffc93465f20 T0)
./id:000304,sig:11,src:003112,op:havoc,rep:32.asan:==15255==ERROR: AddressSanitizer: SEGV on unknown address 0x7f47ebb27810 (pc 0x000000574f17 bp 0x7ffc65ba2c70 sp 0x7ffc65ba2b20 T0)
./id:000308,sig:11,src:003112,op:havoc,rep:64.asan:==18403==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd885411810 (pc 0x000000574f17 bp 0x7ffd6c3b78d0 sp 0x7ffd6c3b7780 T0)
./id:000317,sig:11,src:003112+002735,op:splice,rep:128.asan:==21124==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9873c4b810 (pc 0x000000574f17 bp 0x7ffd9d503dd0 sp 0x7ffd9d503c80 T0)
./id:000318,sig:11,src:003112+002735,op:splice,rep:32.asan:==24025==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff02bfb0810 (pc 0x000000574f17 bp 0x7fff99fd9ed0 sp 0x7fff99fd9d80 T0)
./id:000319,sig:11,src:003111,op:havoc,rep:128.asan:==27045==ERROR: AddressSanitizer: SEGV on unknown address 0x7fea9493e810 (pc 0x000000574f17 bp 0x7ffd33b56610 sp 0x7ffd33b564c0 T0)
./id:000330,sig:11,src:003111,op:havoc,rep:8.asan:==29617==ERROR: AddressSanitizer: SEGV on unknown address 0x7f72ba67f810 (pc 0x000000574f17 bp 0x7ffce0204d30 sp 0x7ffce0204be0 T0)
./id:000331,sig:11,src:003111,op:havoc,rep:128.asan:==32653==ERROR: AddressSanitizer: SEGV on unknown address 0x7f580c307810 (pc 0x000000574f17 bp 0x7ffe45f1bbf0 sp 0x7ffe45f1baa0 T0)
./id:000334,sig:11,src:003111,op:havoc,rep:128.asan:==3678==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbebcf91810 (pc 0x000000574f17 bp 0x7ffdc0b0d5f0 sp 0x7ffdc0b0d4a0 T0)
Group: media-core-security
Can you test against branch v1.5.3-Firefox39?  That's what we're shipping now.  Likely it will be similar, though.  Thanks!
Yes, there are only 117, out of the 118 used previously, that are causing an issue on that branch for AddressSanitizer. I do believe, however, there are only a small handful of root cause bugs here.
Group: core-security
Flags: needinfo?(hankpeng)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Is this a dupe of bug 1258737?
Flags: needinfo?(rjesup)
Thanks Brandon and all, we OpenH264 team will look into these issues as soon as possible.
Flags: needinfo?(hankpeng)
Hi Haibo, please double check if these issues are new.
Depends on: 1233495
Flags: needinfo?(haibozhu)
I could not reproduce this issue with the latest commit c17a58efdfa8c03e3a1ae8e7f78483d48700499c from openh264 or with commit 1eb735299a4606c01b7abbb2f561e7a904e08c1c from May 16th. As Al also pointed out I believe this is a duplicate of bug 1258737.
There are multiple root causes, are you saying all of them are a duplicate of the other bug?
Getting absolute latest (which I should have done before opening this ticket), I see that ASan is no longer reporting my results.

Sorry for the time drain.
I plan on releasing the corpus (crashes and other inputs) I generated to the public. Since these are fixed in openh264 now, but potentially not Firefox yet, how long should I wait?
(In reply to Brandon Perry from comment #14)
> I plan on releasing the corpus (crashes and other inputs) I generated to the
> public. Since these are fixed in openh264 now, but potentially not Firefox
> yet, how long should I wait?

Thanks Brandon for verifying the latest OpenH264 code. We're planning to make an OpenH264 v1.6.0 release after taking another 2 to 3 weeks of testing. After that Firefox may need weeks to ship the new plugin out, I guess.
(In reply to Brandon Perry from comment #12)
> There are multiple root causes, are you saying all of them are a duplicate
> of the other bug?

I see many crashes that take different code paths that trigger the same issue. There are some different stack traces.

In the future please log separate bugs for each issue. You can automate most of this by doing a scan of the stack trace provided by ASan. This will boil things down to a reasonable number of issues. AFL is not really meant to bucket crashes effectively (maybe try afl-cmin with -e but even then...). I see 2 issues in the zip file you attached. I cannot reproduce either and I tested with both 32-bit and 64-bit builds.
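Bucketing crashes by the ASan output, as this comment suggests and as the reporter's earlier remark about "functional duplicates" anticipates: the following is an added Python example, not code from this bug or from the OpenH264 project. It groups the one-line `ERROR` summaries (the shape of the "wall of text" above) by error kind and faulting pc, and groups full reports by error kind plus the top three non-sanitizer frames. The sample lines are copied from this bug's listing and example trace; the function names, the frame depth of three and the choice of which frames count as noise are assumptions of the example.

```python
import re
from collections import defaultdict

# Sample input: a few of the grep-style summary lines listed in the bug
# (file name of the crash input, then the ASan ERROR line).
GREP_LINES = """\
./id:000000,sig:11,src:001298+002499,op:splice,rep:32.asan:==23499==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5fd5a37810 (pc 0x000000574f17 bp 0x7ffe896244b0 sp 0x7ffe89624360 T0)
./id:000001,sig:11,src:003120,op:havoc,rep:16.asan:==26899==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7ffd049bcaa0 sp 0x7ffd049bca98
./id:000005,sig:11,src:003084,op:havoc,rep:2.asan:==1537==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000088410 at pc 0x000000517b8f bp 0x7fff95a1f6a0 sp 0x7fff95a1f698
./id:000017,sig:11,src:003110,op:havoc,rep:128.asan:==14025==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb74b47d810 (pc 0x000000574f17 bp 0x7ffc8c03c890 sp 0x7ffc8c03c740 T0)
./id:000169,sig:11,src:003139,op:havoc,rep:128.asan:==12037==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000070410 at pc 0x000000517b8f bp 0x7ffd418552a0 sp 0x7ffd41855298
"""

# Sample input: the full report quoted in the bug description (first stack only).
REPORT = """\
==24112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000070410 at pc 0x000000516adf bp 0x7fff31f0e4e0 sp 0x7fff31f0e4d8
READ of size 1 at 0x62d000070410 thread T0
    #0 0x516ade in WelsDec::FmoNextMb(WelsDec::TagFmo*, short) (/root/openh264_asan/h264dec+0x516ade)
    #1 0x574314 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) (/root/openh264_asan/h264dec+0x574314)
    #2 0x50ae6c in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/root/openh264_asan/h264dec+0x50ae6c)
    #3 0x50851f in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) (/root/openh264_asan/h264dec+0x50851f)
    #4 0x4f35f6 in WelsDecodeBs (/root/openh264_asan/h264dec+0x4f35f6)
"""

ERROR_RE = re.compile(
    r"^(?P<file>.+?\.asan):==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)"
    r".*?\bpc 0x(?P<pc>[0-9a-fA-F]+)"
)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<rest>.+)$")
# Frames belonging to the sanitizer runtime rather than the target (assumed prefixes).
NOISE_PREFIXES = ("__asan", "__interceptor", "__sanitizer")


def bucket_error_lines(text):
    """Group grep-style ASan ERROR lines by (error kind, faulting pc).

    For a non-PIE binary the pc is stable across runs, so it is a cheap
    first-pass key when only the one-line summary is available."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        key = (m.group("kind"), f"0x{int(m.group('pc'), 16):x}")
        buckets[key].append(m.group("file"))
    return dict(buckets)


def frame_symbol(line):
    """Return the function name of a stack-frame line, or None for other lines."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # Drop the trailing "(module+offset)" and the C++ parameter list so the key
    # depends on the symbol only, not on addresses or demangling details.
    sym = rest.rsplit(" (", 1)[0]
    return sym.split("(", 1)[0].strip()


def bucket_report(report, depth=3):
    """Return (error kind, top `depth` target frames) for one full ASan report.

    Only the first stack (the faulting access) is used; the allocation and
    free stacks that follow a use-after-free report are ignored."""
    kind = None
    frames = []
    for line in report.splitlines():
        if kind is None:
            m = re.search(r"ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)", line)
            if m:
                kind = m.group("kind")
            continue
        sym = frame_symbol(line)
        if sym is None:
            if frames:  # first stack is complete
                break
            continue
        if sym.startswith(NOISE_PREFIXES):
            continue
        frames.append(sym)
        if len(frames) == depth:
            break
    return (kind, tuple(frames))


if __name__ == "__main__":
    for key, files in sorted(bucket_error_lines(GREP_LINES).items()):
        print(f"{key[0]:22s} pc={key[1]:10s} {len(files)} input(s)")
    print(bucket_report(REPORT))
```

Run over the real directory with `grep -H ERROR ./*.asan | python3 bucket.py` style plumbing (or by reading each `.asan` file and calling `bucket_report`), the first pass turns the 118 inputs into a handful of (kind, pc) groups; the frame-based key is the one to file separate bugs from, since two different pcs can still be the same root cause reached along different paths.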
Agree, primary crashes here appear to be a duplicate.

Brandon: can you coordinate your data dump with release of the plugin to Firefox?  Typical update pings are once per day for OpenH264, so it should deploy quickly once we put it on the servers.
Flags: needinfo?(rjesup)
I will coordinate with whatever timeframe you guys deem acceptable. If you have agreed to something with the previous discoverer, we can follow that. 

Whatever works best for you.
Previous discoverer is Tyson here as he's been fuzzing this for a while.
Hi all, I tested the bit-streams provided by Brandon Perry. For the latest master branch, no error was found. For the previous v1.5.3-Firefox39, it reported many errors. I think it is OK for the next release such as v1.6.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(haibozhu)
Flags: needinfo?(bperry.volatile)
Group: media-core-security
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core