Closed Bug 1485134 Opened 6 years ago Closed 6 years ago

OpenH264: crash in McHorVer20_avx2.width16_yloop()

Categories

(Core :: Audio/Video: GMP, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1485232
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected

People

(Reporter: tsmith, Unassigned)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

1.78 KB, application/octet-stream
Details
Attached file testcase.264
Found while fuzzing openh264 revision 3c93d6bedfb712109899755b6d9626772cee3847

To reproduce:
./h264dec testcase.264 /dev/null

#0 0x00000000004be16c in McHorVer20_avx2.width16_yloop ()
#1 0x00000000004b398a in (anonymous namespace)::McHorVer13_avx2 (pSrc=0x800000000000 <error: Cannot access memory at address 0x800000000000>, iSrcStride=<optimized out>, pDst=0x7137e0 '\200' <repeats 200 times>..., iDstStride=256, iWidth=16, iHeight=16) at codec/common/src/mc.cpp:977
#2 0x000000000043feac in WelsDec::BaseMC (iXOffset=<optimized out>, iYOffset=<optimized out>, iBlkWidth=16, iBlkHeight=16, pMCRefMem=<optimized out>, pMCFunc=<optimized out>, iMVs=<optimized out>) at codec/decoder/core/src/rec_mb.cpp:262
#3 WelsDec::GetInterBPred (pPredYCbCr=<optimized out>, pTempPredYCbCr=<optimized out>, pCtx=<optimized out>) at codec/decoder/core/src/rec_mb.cpp:702
#4 0x0000000000469918 in WelsDec::WelsMbInterConstruction (pCtx=<optimized out>, pCurLayer=<optimized out>) at codec/decoder/core/src/decode_slice.cpp:227
#5 0x000000000046919e in WelsDec::WelsTargetMbConstruction (pCtx=0x7ffff7f42020) at codec/decoder/core/src/decode_slice.cpp:335
#6 0x0000000000468af1 in WelsDec::WelsTargetSliceConstruction (pCtx=0x7ffff7f42020) at codec/decoder/core/src/decode_slice.cpp:104
#7 0x000000000042288b in WelsDec::WelsDecodeConstructSlice (pCtx=0x7ffff7f42020, pCurNal=<optimized out>) at codec/decoder/core/src/decoder_core.cpp:290
#8 WelsDec::DecodeCurrentAccessUnit (pCtx=<optimized out>, ppDst=<optimized out>, pDstInfo=<optimized out>) at codec/decoder/core/src/decoder_core.cpp:2568
#9 0x00000000004214c4 in WelsDec::ConstructAccessUnit (pCtx=<optimized out>, ppDst=<optimized out>, pDstInfo=<optimized out>) at codec/decoder/core/src/decoder_core.cpp:2254
#10 0x000000000041072b in WelsDec::WelsDecodeBs (pCtx=0x7ffff7f42020, kpBsBuf=<optimized out>, kiBsLen=<optimized out>, ppDst=0x7fffffffda10, pDstBufInfo=0x7fffffffda30, pDstBsInfo=<optimized out>) at codec/decoder/core/src/decoder.cpp:798
#11 0x000000000040afdb in WelsDec::CWelsDecoder::DecodeFrame2 (this=0x6f5c70, kpSrc=<optimized out>, kiSrcLen=<optimized out>, ppDst=<optimized out>, pDstInfo=<optimized out>) at codec/decoder/plus/src/welsDecoderExt.cpp:570
#12 0x000000000040aa31 in WelsDec::CWelsDecoder::DecodeFrameNoDelay (this=0x6f5c70, kpSrc=<optimized out>, kiSrcLen=<optimized out>, ppDst=0x7fffffffda10, pDstInfo=0x7fffffffda30) at codec/decoder/plus/src/welsDecoderExt.cpp:495
#13 0x0000000000405a15 in H264DecodeInstance (pDecoder=<optimized out>, kpH264FileName=<optimized out>, kpOuputFileName=<optimized out>, iWidth=<optimized out>, iHeight=<optimized out>, pOptionFileName=<optimized out>, pLengthFileName=<optimized out>, iErrorConMethod=<optimized out>, bLegacyCalling=<optimized out>) at codec/console/dec/src/h264dec.cpp:226
#14 0x00000000004086a8 in main (iArgC=<optimized out>, pArgV=<optimized out>) at codec/console/dec/src/h264dec.cpp:510
Could we get a bit more info on the crash conditions?
Flags: needinfo?(twsmith)
After rerunning this with an ASan build I believe this is a dup of bug 1485232
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE
The issue has been addressed by openh264 #PR 3014
No longer blocks: 1481142
Blocks: 1486988
Blocks: 1512756
No longer blocks: 1486988
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
Group: media-core-security