Closed
Bug 1486223
Opened 7 years ago
Closed 7 years ago
OpenH264: index out of bound [@ WelsDec::FilteringEdgeLumaV]
Categories
(Core :: Audio/Video: GMP, defect, P2)
RESOLVED
FIXED
People
(Reporter: tsmith, Assigned: xiaotianshimail, NeedInfo)
References
Details
(4 keywords)
Attachments (1 file): 1.77 KB, application/octet-stream
Found while fuzzing openh264 revision 1b3980b3437e83f30001e9b7dfdf4a98e69b87bc
Build with "-fsanitize=undefined"
To reproduce:
./h264dec testcase.264 /dev/null
codec/decoder/core/src/deblocking.cpp:759:5: runtime error: index 18 out of bounds for type 'const int8_t [4]'
#0 0x6683ca in WelsDec::FilteringEdgeLumaV(WelsDec::tagDeblockingFilter*, unsigned char*, int, unsigned char*) codec/decoder/core/src/deblocking.cpp:759:5
#1 0x67014f in WelsDec::DeblockingInterMb(WelsDec::TagDqLayer*, WelsDec::tagDeblockingFilter*, unsigned char (*) [4][4], int) codec/decoder/core/src/deblocking.cpp:973:5
#2 0x679f52 in WelsDec::WelsDeblockingMb(WelsDec::TagDqLayer*, WelsDec::tagDeblockingFilter*, int) codec/decoder/core/src/deblocking.cpp:1242:5
#3 0x6950e5 in WelsDec::WelsDeblockingFilterSlice(WelsDec::TagWelsDecoderContext*, void (*)(WelsDec::TagDqLayer*, WelsDec::tagDeblockingFilter*, int)) codec/decoder/core/src/deblocking.cpp:1294:7
#4 0x69ec90 in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:156:5
#5 0x59b09e in WelsDec::WelsDecodeConstructSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*) codec/decoder/core/src/decoder_core.cpp:290:19
#6 0x59b09e in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2568
#7 0x595e93 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2254:10
#8 0x55a70e in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
#9 0x52e3f2 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3
#10 0x52c584 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:495:11
#11 0x516be9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
#12 0x51c3df in main codec/console/dec/src/h264dec.cpp:510:3
#13 0x7efc5555182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#14 0x41d6d8 in _start (h264dec+0x41d6d8)
Comment 1•7 years ago (Assignee)
Confirmed the problem; it is being fixed.
Updated•7 years ago
Keywords: csectype-bounds, sec-moderate
Updated•7 years ago
Assignee: nobody → xiaotianshimail
Priority: -- → P2
Comment 2•7 years ago
Xiaotian, is this still being worked on upstream?
Flags: needinfo?(xiaotianshimail)
This bug has been fixed in the latest openh264 master branch. Please kindly have a look. Thanks.
Comment 4•7 years ago (Reporter)
Verified with openh264 commit 70eeb783515dbfee3e0c781d6667838caba5113b
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Group: media-core-security → core-security-release
Updated•5 years ago
Group: core-security-release
Updated•3 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core