Closed Bug 1485232 Opened 6 years ago Closed 5 years ago

OpenH264: crash in [@ FilterInput8bitWithStride_c]

Categories

(Core :: Audio/Video: GMP, defect, P2)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected

People

(Reporter: tsmith, Unassigned)

Details

(Keywords: crash, sec-moderate, testcase)

Attachments

(1 file)

1.77 KB, application/octet-stream
Attached file testcase.264
Found while fuzzing openh264 revision 3c93d6bedfb712109899755b6d9626772cee3847

To reproduce:
./h264dec testcase.264 /dev/null

==23303==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffd (pc 0x082f0ccd bp 0xfff48408 sp 0xfff48160 T0)
==23303==The signal is caused by a READ memory access.
    #0 0x82f0ccc in (anonymous namespace)::FilterInput8bitWithStride_c(unsigned char const*, int) codec/common/src/mc.cpp:154:54
    #1 0x82f0ccc in (anonymous namespace)::McHorVer20_c(unsigned char const*, int, unsigned char*, int, int, int) codec/common/src/mc.cpp:192
    #2 0x82f0ccc in (anonymous namespace)::McHorVer30_c(unsigned char const*, int, unsigned char*, int, int, int) codec/common/src/mc.cpp:303
    #3 0x82e48cb in (anonymous namespace)::McLuma_c(unsigned char const*, int, unsigned char*, int, short, short, int, int) codec/common/src/mc.cpp:345:3
    #4 0x81f3907 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, TagMcFunc*, int, int, short*) codec/decoder/core/src/rec_mb.cpp:262:3
    #5 0x81f3907 in WelsDec::GetInterBPred(unsigned char**, unsigned char**, WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/rec_mb.cpp:702
    #6 0x824fe4c in WelsDec::WelsMbInterConstruction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) codec/decoder/core/src/decode_slice.cpp:227:5
    #7 0x824eefb in WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:335:7
    #8 0x824e088 in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:104:11
    #9 0x81a3526 in WelsDec::WelsDecodeConstructSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*) codec/decoder/core/src/decoder_core.cpp:290:19
    #10 0x81a3526 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2568
    #11 0x819fc69 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2254:10
    #12 0x817d1c7 in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #13 0x816ef75 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3
    #14 0x816e4da in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:495:11
    #15 0x8163dd8 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
    #16 0x81697aa in main codec/console/dec/src/h264dec.cpp:510:3
    #17 0xf73d2636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #18 0x806a907 in _start (h264dec+0x806a907)
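Crash reports like the one above are the raw material for fuzzer triage: the first question is whether a new report is the same bug as an existing one, and the usual answer is a signature derived from the innermost frame, which is where the `[@ FilterInput8bitWithStride_c]` form in this bug's title comes from. The following is an added example, not code from the bug report or from OpenH264: a small parser for the AddressSanitizer text format (ERROR line, access line, symbolized frames) that derives that signature and a coarse fault-address bucket. The embedded sample is the report above, truncated to a few frames; the address bucketing heuristic and the `wrapped-negative-offset` label are this example's own, not an ASan or Bugzilla convention.

```python
"""Triage helper: extract a crash signature from an AddressSanitizer report.

Added example, not part of the bug report or of OpenH264. The SAMPLE_REPORT
below is the ASan output quoted in the bug, truncated to a few frames.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_REPORT = """\
==23303==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffd (pc 0x082f0ccd bp 0xfff48408 sp 0xfff48160 T0)
==23303==The signal is caused by a READ memory access.
    #0 0x82f0ccc in (anonymous namespace)::FilterInput8bitWithStride_c(unsigned char const*, int) codec/common/src/mc.cpp:154:54
    #1 0x82f0ccc in (anonymous namespace)::McHorVer20_c(unsigned char const*, int, unsigned char*, int, int, int) codec/common/src/mc.cpp:192
    #2 0x82f0ccc in (anonymous namespace)::McHorVer30_c(unsigned char const*, int, unsigned char*, int, int, int) codec/common/src/mc.cpp:303
    #3 0x82e48cb in (anonymous namespace)::McLuma_c(unsigned char const*, int, unsigned char*, int, short, short, int, int) codec/common/src/mc.cpp:345:3
    #17 0xf73d2636 in __libc_start_main (/lib32/libc.so.6+0x18636)
"""

# "SEGV on unknown address 0x... (pc 0x..." and "heap-buffer-overflow on address 0x... at pc 0x..."
ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+)(?:\s*\(?(?:at )?pc (?P<pc>0x[0-9a-fA-F]+))?"
)
# "caused by a READ memory access" (SEGV) or "READ of size 8" (bounds errors)
ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE) (?:memory access|of size \d+)")
# Symbolized frame with file:line[:col]; func is greedy so the lazy file match
# takes only the trailing "path:line" and leaves "154:54" split correctly.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+) (?P<file>\S+?):(?P<line>\d+)(?::\d+)?\s*$"
)
# Frame without source location, e.g. "__libc_start_main (/lib32/libc.so.6+0x18636)"
FRAME_NOLOC_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+)")


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str]
    line: Optional[int]


@dataclass
class CrashInfo:
    kind: str
    address: int
    pointer_bits: Optional[int]      # derived from the width of the pc field
    access: Optional[str]
    frames: List[Frame] = field(default_factory=list)


def normalize_symbol(func: str) -> str:
    """Drop '(anonymous namespace)::' and the parameter list, keep other qualifiers."""
    func = func.replace("(anonymous namespace)::", "")
    paren = func.find("(")
    return func[:paren] if paren != -1 else func


def parse_asan_report(text: str) -> CrashInfo:
    info: Optional[CrashInfo] = None
    frames: List[Frame] = []
    access: Optional[str] = None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            pc = m.group("pc")
            bits = (len(pc) - 2) * 4 if pc else None   # 8 hex digits -> 32-bit process
            info = CrashInfo(m.group("kind"), int(m.group("addr"), 16), bits, None)
            continue
        m = ACCESS_RE.search(line)
        if m and access is None:
            access = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("n")), m.group("func"), m.group("file"), int(m.group("line"))))
            continue
        m = FRAME_NOLOC_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("n")), m.group("func"), None, None))
    if info is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    info.access = access
    info.frames = frames
    return info


def crash_signature(info: CrashInfo) -> str:
    """Signature in the '[@ function]' form used in the bug title, from the innermost frame."""
    if not info.frames:
        return "[@ <no stack>]"
    return f"[@ {normalize_symbol(info.frames[0].func)}]"


def classify_address(info: CrashInfo) -> str:
    """Coarse triage bucket for the fault address (heuristic for this example)."""
    a = info.address
    if a < 0x1000:
        return "near-null"
    if info.pointer_bits and a >= (1 << info.pointer_bits) - 0x10000:
        # Within 64 KiB of the top of the address space: in a 32-bit process this is
        # what a pointer minus a small value looks like after wraparound, which points
        # at index or stride arithmetic rather than at a random wild pointer.
        return "wrapped-negative-offset"
    return "wild"


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(report), report.kind, hex(report.address), report.access, classify_address(report))
```

Run on the sample it prints the title's signature together with the fault kind, address, access type and bucket; the `Frame.file`/`Frame.line` fields are what a dedup database would key on when two different top frames are really the same inlined call site, as frames #0 to #2 above (all at pc 0x82f0ccc) illustrate.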
No longer blocks: 1481142
Blocks: 1486988
Hank, is there anyone on your side who could look into this?
Flags: needinfo?(hankpeng)
Priority: -- → P2
Wayne, please take a look at this.
Flags: needinfo?(hankpeng) → needinfo?(huili2)
We're also looking forward to the completion of this issue, which blocks our next release. We expect the code owner to fix it as the best choice. We'll keep track of it.
Flags: needinfo?(huili2)
Blocks: 1512756
No longer blocks: 1486988

It looks like this is no longer reproducible. I will reopen if a new test case becomes available.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
Group: media-core-security
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core