Closed
Bug 1485232
Opened 6 years ago
Closed 5 years ago
OpenH264: crash in [@ FilterInput8bitWithStride_c]
Categories
(Core :: Audio/Video: GMP, defect, P2)
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | unaffected |
People
(Reporter: tsmith, Unassigned)
Details
(Keywords: crash, sec-moderate, testcase)
Attachments
(1 file)
1.77 KB,
application/octet-stream
Found while fuzzing openh264 revision 3c93d6bedfb712109899755b6d9626772cee3847

To reproduce: ./h264dec testcase.264 /dev/null

```
==23303==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffd (pc 0x082f0ccd bp 0xfff48408 sp 0xfff48160 T0)
==23303==The signal is caused by a READ memory access.
    #0 0x82f0ccc in (anonymous namespace)::FilterInput8bitWithStride_c(unsigned char const*, int) codec/common/src/mc.cpp:154:54
    #1 0x82f0ccc in (anonymous namespace)::McHorVer20_c(unsigned char const*, int, unsigned char*, int, int, int) codec/common/src/mc.cpp:192
    #2 0x82f0ccc in (anonymous namespace)::McHorVer30_c(unsigned char const*, int, unsigned char*, int, int, int) codec/common/src/mc.cpp:303
    #3 0x82e48cb in (anonymous namespace)::McLuma_c(unsigned char const*, int, unsigned char*, int, short, short, int, int) codec/common/src/mc.cpp:345:3
    #4 0x81f3907 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, TagMcFunc*, int, int, short*) codec/decoder/core/src/rec_mb.cpp:262:3
    #5 0x81f3907 in WelsDec::GetInterBPred(unsigned char**, unsigned char**, WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/rec_mb.cpp:702
    #6 0x824fe4c in WelsDec::WelsMbInterConstruction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) codec/decoder/core/src/decode_slice.cpp:227:5
    #7 0x824eefb in WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:335:7
    #8 0x824e088 in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:104:11
    #9 0x81a3526 in WelsDec::WelsDecodeConstructSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*) codec/decoder/core/src/decoder_core.cpp:290:19
    #10 0x81a3526 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2568
    #11 0x819fc69 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2254:10
    #12 0x817d1c7 in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #13 0x816ef75 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3
    #14 0x816e4da in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:495:11
    #15 0x8163dd8 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
    #16 0x81697aa in main codec/console/dec/src/h264dec.cpp:510:3
    #17 0xf73d2636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #18 0x806a907 in _start (h264dec+0x806a907)
```
Updated•6 years ago
Comment 2•6 years ago
Hank, is there anyone on your side who could look into this?
Flags: needinfo?(hankpeng)
Priority: -- → P2
Wayne, please take a look at this.
Flags: needinfo?(hankpeng) → needinfo?(huili2)
We're also looking forward to the completion of the issue, which blocks our next release. We are expecting the code owner to fix it as the best choice. We'll keep track of it.
Flags: needinfo?(huili2)
Reporter
Comment 5•5 years ago
It looks like this is no longer reproducible. I will reopen if a new test case becomes available.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
Updated•4 years ago
Group: media-core-security
Assignee
Updated•2 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core