Closed Bug 1521684 Opened 7 years ago Closed 7 years ago

OpenH264: heap-buffer-overflow in [@ WelsDec::CWelsDecoder::FlushFrame]

Categories

(Core :: Audio/Video: GMP, defect, P2)

defect

RESOLVED FIXED
Tracking Status
firefox65 --- wontfix
firefox66 --- wontfix

People

(Reporter: tsmith, Unassigned)

Attachments

(1 file)

Attached file testcase.264 (3.68 KB, application/octet-stream)

Found while fuzzing openh264 revision 70eeb783515dbfee3e0c781d6667838caba5113b

Build with "-fsanitize=address"

To reproduce:
./h264dec testcase.264 /dev/null

==8934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000118 at pc 0x000000546840 bp 0x7ffeb4fe4000 sp 0x7ffeb4fe3ff8
READ of size 8 at 0x606000000118 thread T0
    #0 0x54683f in WelsDec::CWelsDecoder::FlushFrame(unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:693:5
    #1 0x517fef in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:300:15
    #2 0x51c3cf in main codec/console/dec/src/h264dec.cpp:510:3

0x606000000118 is located 5 bytes to the right of 51-byte region [0x6060000000e0,0x606000000113)
allocated by thread T0 here:
    #0 0x4d5d38 in __interceptor_malloc (/home/ubuntu/build/build/h264dec+0x4d5d38)
    #1 0x7bdeb4 in WelsCommon::WelsMalloc(unsigned int, char const*, unsigned int) codec/common/src/memory_align.cpp:72:30
    #2 0x7bdeb4 in WelsCommon::CMemoryAlign::WelsMalloc(unsigned int, char const*) codec/common/src/memory_align.cpp:129
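An added triage helper (not part of this bug report or of the OpenH264 project) that parses an AddressSanitizer report of the shape quoted above: it pulls out the error kind, the access type and width, the faulting frame and its source location, recomputes from the raw addresses how far past the allocated region the access lands, and derives a bucketing key so repeated fuzzer crashes can be grouped before filing. The sample input is the report from this bug embedded inline; the field names, regexes and bucket format are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input for an offline run: the AddressSanitizer report quoted in this bug.
SAMPLE_REPORT = """\
==8934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000118 at pc 0x000000546840 bp 0x7ffeb4fe4000 sp 0x7ffeb4fe3ff8
READ of size 8 at 0x606000000118 thread T0
    #0 0x54683f in WelsDec::CWelsDecoder::FlushFrame(unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:693:5
    #1 0x517fef in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:300:15
    #2 0x51c3cf in main codec/console/dec/src/h264dec.cpp:510:3

0x606000000118 is located 5 bytes to the right of 51-byte region [0x6060000000e0,0x606000000113)
allocated by thread T0 here:
    #0 0x4d5d38 in __interceptor_malloc (/home/ubuntu/build/build/h264dec+0x4d5d38)
    #1 0x7bdeb4 in WelsCommon::WelsMalloc(unsigned int, char const*, unsigned int) codec/common/src/memory_align.cpp:72:30
    #2 0x7bdeb4 in WelsCommon::CMemoryAlign::WelsMalloc(unsigned int, char const*) codec/common/src/memory_align.cpp:129
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
# First "#0" frame that carries a file:line location. The crash stack precedes the
# allocation stack in ASan output, so the first match is the faulting frame.
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (.+?) (\S+:\d+(?::\d+)?)\s*$", re.M)
REGION_RE = re.compile(r"of (\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")


@dataclass
class AsanSummary:
    kind: str             # e.g. heap-buffer-overflow
    access: str           # READ or WRITE
    size: int             # access width in bytes
    address: int          # faulting address
    top_frame: str        # function (with signature) of the faulting frame
    location: str         # file:line[:col] of the faulting frame
    region_size: Optional[int] = None
    offset_past_end: Optional[int] = None  # bytes from the region's end to the access start
    bytes_outside: Optional[int] = None    # how much of the access lies outside the region


def parse_asan_report(text: str) -> AsanSummary:
    """Extract the fields a triager needs from one ASan report."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    frame = FRAME0_RE.search(text)
    if not (header and access and frame):
        raise ValueError("not a recognisable AddressSanitizer report")
    summary = AsanSummary(
        kind=header.group(1),
        access=access.group(1),
        size=int(access.group(2)),
        address=int(access.group(3), 16),
        top_frame=frame.group(1),
        location=frame.group(2),
    )
    region = REGION_RE.search(text)
    if region:
        start, end = int(region.group(2), 16), int(region.group(3), 16)
        summary.region_size = int(region.group(1))
        # Recompute the overshoot from the raw addresses instead of trusting the prose line.
        summary.offset_past_end = summary.address - end
        inside = max(0, min(summary.address + summary.size, end) - max(summary.address, start))
        summary.bytes_outside = summary.size - inside
    return summary


def crash_bucket(summary: AsanSummary) -> str:
    """Stable key for grouping fuzzer crashes: error kind, access type, faulting function."""
    func = summary.top_frame.split("(")[0]
    return f"{summary.kind}:{summary.access}:{func}"


SAMPLE_SUMMARY = parse_asan_report(SAMPLE_REPORT)

if __name__ == "__main__":
    s = SAMPLE_SUMMARY
    print(f"{s.kind} {s.access} of {s.size} bytes in {s.top_frame} at {s.location}")
    print(f"{s.offset_past_end} bytes past the end of a {s.region_size}-byte region; "
          f"{s.bytes_outside} of the {s.size} accessed bytes are out of bounds")
    print("bucket:", crash_bucket(s))
```

For this report the recomputed values agree with ASan's own prose: the 8-byte read starts 5 bytes past the end of the 51-byte region, so all 8 bytes are out of bounds; the bucket key is what a fuzzing harness would use to recognise re-hits of the same FlushFrame crash while a fix is pending.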
Keywords: sec-moderate

P2 based on sec-moderate rating.

Priority: -- → P2
Blocks: 1486988

Tyson, are you saying the 1.8.1 release is going to fix this issue, or was this issue found in code after the 1.8.1?

Flags: needinfo?(twsmith)

1.8 is the latest release and this issue affects > 1.8. This issue should be fixed before 1.8.1.

Flags: needinfo?(twsmith)

Has anyone retested it with the commit e98c4eb?

Verified fixed with openh264 commit a943bad3bddc7bf8a76852ddc92a88d168c4ec57

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Flags: needinfo?(twsmith)

I cannot reproduce this issue with the attached testcase with openh264 commit 2e1774ab6dc6c43debb0b5b628bdf122a391d521

Flags: needinfo?(twsmith)
Group: media-core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core