Closed Bug 1479831 Opened 6 years ago Closed 6 years ago

OpenH264: shift exponent is negative in codec/decoder/core/src/cabac_decoder.cpp

Categories

(Core :: Audio/Video: GMP, defect)

Product:
Core
Component:
Audio/Video: GMP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

Details

(Keywords: csectype-undefined, testcase)

Attachments

(1 file)

testcase.264
3.78 KB, application/octet-stream
Details
Attached file testcase.264
Found while fuzzing openh264 revision f92a006bb05dce89f312df8a641a65abf09076c8 Build with "-fsanitize=undefined" To reproduce: ./h264dec testcase.264 /dev/null codec/decoder/core/src/cabac_decoder.cpp:148:28: runtime error: shift exponent -1 is negative #0 0x775427 in WelsDec::DecodeBinCabac(WelsDec::SWelsCabacDecEngine*, WelsDec::SWels_Cabac_Element*, unsigned int&) codec/decoder/core/src/cabac_decoder.cpp:148:28 #1 0x71856e in WelsDec::DecodeCabacIntraMbType(WelsDec::TagWelsDecoderContext*, WelsDec::TagNeighborAvail*, int) codec/decoder/core/src/parse_mb_syn_cabac.cpp:88:3 #2 0x71856e in WelsDec::ParseMBTypeBSliceCabac(WelsDec::TagWelsDecoderContext*, WelsDec::TagNeighborAvail*, unsigned int&) codec/decoder/core/src/parse_mb_syn_cabac.cpp:370 #3 0x6c5741 in WelsDec::WelsDecodeMbCabacBSliceBaseMode0(WelsDec::TagWelsDecoderContext*, WelsDec::TagNeighborAvail*, unsigned int&) codec/decoder/core/src/decode_slice.cpp:1091:3 #4 0x6d341f in WelsDec::WelsDecodeMbCabacBSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) codec/decoder/core/src/decode_slice.cpp:1443:3 #5 0x6d8425 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) codec/decoder/core/src/decode_slice.cpp:1555:12 #6 0x59adc4 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2549:16 #7 0x595d93 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2252:10 #8 0x55a69e in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7 #9 0x52e365 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3 #10 0x52c4f4 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:495:11 #11 0x516b49 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17 #12 0x51c34f in main codec/console/dec/src/h264dec.cpp:510:3 #13 0x7f26f58ec82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #14 0x41d638 in _start (h264dec+0x41d638)
Blocks: 1481142
The issue has been addressed by openh264 #PR 3011
Verified with commit 1b3980b3437e83f30001e9b7dfdf4a98e69b87bc
No longer blocks: 1481142
Blocks: 1486988
Blocks: 1512756
No longer blocks: 1486988
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: