Closed Bug 1479670 Opened 6 years ago Closed 6 years ago

OpenH264: member access within null pointer of type 'struct TagSliceHeaders' in codec/decoder/core/src/decoder_core.cpp

Categories

(Core :: Audio/Video: GMP, defect)

Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(1 file)

Attached file testcase.264 (49 bytes, application/octet-stream)

Found while fuzzing openh264 revision f92a006bb05dce89f312df8a641a65abf09076c8

Build with "-fsanitize=undefined"

To reproduce:
./h264dec testcase.264 /dev/null

codec/decoder/core/src/decoder_core.cpp:529:31: runtime error: member access within null pointer of type 'struct TagSliceHeaders'
    #0 0x56be40 in WelsDec::ParseDecRefPicMarking(WelsDec::TagWelsDecoderContext*, WelsCommon::TagBitStringAux*, WelsDec::TagSliceHeaders*, WelsDec::TagSps*, bool) codec/decoder/core/src/decoder_core.cpp:529:31
    #1 0x578709 in WelsDec::ParseSliceHeaderSyntaxs(WelsDec::TagWelsDecoderContext*, WelsCommon::TagBitStringAux*, bool) codec/decoder/core/src/decoder_core.cpp:1148:14
    #2 0x6350c5 in WelsDec::ParseNalHeader(WelsDec::TagWelsDecoderContext*, WelsCommon::TagNalUnitHeader*, unsigned char*, int, unsigned char*, int, int*) codec/decoder/core/src/au_parser.cpp:394:12
    #3 0x55af28 in WelsDecodeBs codec/decoder/core/src/decoder.cpp:758:19
    #4 0x52e365 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3
    #5 0x52c447 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:490:15
    #6 0x516b49 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
    #7 0x51c34f in main codec/console/dec/src/h264dec.cpp:510:3
    #8 0x7f75005b282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41d638 in _start (h264dec+0x41d638)
Blocks: 1481142
The issue has been addressed by openh264 PR #3011
Verified with commit 1b3980b3437e83f30001e9b7dfdf4a98e69b87bc
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
No longer blocks: 1481142
Blocks: 1486988
Blocks: 1512756
No longer blocks: 1486988
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core