Closed Bug 1479668 Opened 7 years ago Closed 7 years ago

OpenH264: heap-buffer-overflow in [@ WelsDec::BiPrediction]

Categories

(Core :: Audio/Video: GMP, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

Details

(4 keywords)

Attachments

(1 file)

Attached file testcase.264 (6.53 KB, application/octet-stream)

Found while fuzzing openh264 revision f92a006bb05dce89f312df8a641a65abf09076c8
Build with "-fsanitize=address"

To reproduce:
./h264dec testcase.264 /dev/null

==24963==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x627000019d30 at pc 0x00000062fe79 bp 0x7ffd50a9d4d0 sp 0x7ffd50a9d4c8
READ of size 1 at 0x627000019d30 thread T0
    #0 0x62fe78 in WelsDec::BiPrediction(WelsDec::TagDqLayer*, WelsDec::TagMCRefMember*, WelsDec::TagMCRefMember*, int, int) codec/decoder/core/src/rec_mb.cpp:408:47
    #1 0x627d22 in WelsDec::GetInterBPred(unsigned char**, unsigned char**, WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/rec_mb.cpp:740:15
    #2 0x6a23ed in WelsDec::WelsMbInterConstruction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) codec/decoder/core/src/decode_slice.cpp:219:5
    #3 0x69fe29 in WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:327:7
    #4 0x69da17 in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:102:11
    #5 0x59af9e in WelsDec::WelsDecodeConstructSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*) codec/decoder/core/src/decoder_core.cpp:290:19
    #6 0x59af9e in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2566
    #7 0x595d93 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2252:10
    #8 0x55a69e in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #9 0x52e365 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3
    #10 0x52c4f4 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:495:11
    #11 0x516b49 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
    #12 0x51c34f in main codec/console/dec/src/h264dec.cpp:510:3
    #13 0x7fddede0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x41d638 in _start (h264dec+0x41d638)
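Triage of a report like the one above usually starts by turning the ASan output into a dedup key and a Bugzilla-style "[@ function]" signature. The following is an added example (not code from OpenH264 or from the bug reporter): it parses an abbreviated copy of the report quoted in this bug, picks the first frame under the project tree and builds that signature; the `codec/` project root is an assumption for this report.

```python
"""Parse an AddressSanitizer report into a triage record (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the first frames of the report quoted in this bug.
SAMPLE_REPORT = """==24963==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x627000019d30 at pc 0x00000062fe79 bp 0x7ffd50a9d4d0 sp 0x7ffd50a9d4c8
READ of size 1 at 0x627000019d30 thread T0
    #0 0x62fe78 in WelsDec::BiPrediction(WelsDec::TagDqLayer*, WelsDec::TagMCRefMember*, WelsDec::TagMCRefMember*, int, int) codec/decoder/core/src/rec_mb.cpp:408:47
    #1 0x627d22 in WelsDec::GetInterBPred(unsigned char**, unsigned char**, WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/rec_mb.cpp:740:15
    #2 0x6a23ed in WelsDec::WelsMbInterConstruction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) codec/decoder/core/src/decode_slice.cpp:219:5
    #13 0x7fddede0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# "#N 0xADDR in <function> <file>:<line>[:<col>]"; the function part may contain spaces.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+?):(\d+)(?::\d+)?\s*$", re.M)

@dataclass
class Frame:
    index: int
    function: str   # full symbolized signature, parameter list included
    file: str
    line: int

@dataclass
class Triage:
    kind: str       # e.g. heap-buffer-overflow
    access: str     # READ or WRITE
    size: int       # bytes accessed
    frames: list

    def project_frame(self, project_root: str):
        """First frame whose file lives under project_root (skips libc, runtime)."""
        return next((f for f in self.frames if f.file.startswith(project_root)), None)

    def signature(self, project_root: str) -> str:
        """Bugzilla-style '[@ func]' signature, parameter list dropped."""
        f = self.project_frame(project_root)
        return f"[@ {f.function.split('(')[0]}]" if f else "[@ <no project frame>]"

    def dedup_key(self, project_root: str) -> str:
        """Stable key for grouping fuzzer crashes: kind/access/file:line."""
        f = self.project_frame(project_root)
        loc = f"{f.file}:{f.line}" if f else "unknown"
        return f"{self.kind}/{self.access}/{loc}"

def parse_asan(report: str) -> Triage:
    kind, _addr = ERROR_RE.search(report).groups()
    access, size = ACCESS_RE.search(report).groups()
    frames = [Frame(int(i), fn, path, int(ln)) for i, fn, path, ln in FRAME_RE.findall(report)]
    return Triage(kind, access, int(size), frames)
```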
Tyson: have you reported this upstream? If so add a reference number or link if you've got one. Guessing at sec-moderate because it'll be running in a separate GMP process and not have access to any sensitive user data, and no scripting to manage memory to attempt a sandbox escape.
Flags: needinfo?(twsmith)
Keywords: sec-moderate
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Tyson: have you reported this upstream?

The Cisco folks are CC'd.
Flags: needinfo?(twsmith)
The issue has been addressed by openh264 #PR 3011
Verified with commit 1b3980b3437e83f30001e9b7dfdf4a98e69b87bc
Group: media-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core