Closed Bug 1522183 Opened 5 years ago Closed 5 years ago

OpenH264: crash near null in [@ WelsDec::ParseInterBMotionInfoCabac]

Categories: Core :: Audio/Video: GMP, defect
Severity: critical
Status: RESOLVED FIXED
Reporter: tsmith (Unassigned)
Keywords: crash, testcase
Attachments: 1 file

Attached file testcase.h264

Found while fuzzing openh264 revision 70eeb783515dbfee3e0c781d6667838caba5113b

Build with "-fsanitize=undefined"

To reproduce:
./h264dec testcase.264 /dev/null

codec/decoder/core/src/parse_mb_syn_cabac.cpp:885:58: runtime error: member access within null pointer of type 'struct SPicture'
    #0 0x74b647 in WelsDec::ParseInterBMotionInfoCabac(WelsDec::TagWelsDecoderContext*, WelsDec::TagNeighborAvail*, unsigned char*, short (*) [30][2], short (*) [30][2], signed char (*) [30], signed char*) codec/decoder/core/src/parse_mb_syn_cabac.cpp:885:58
    #1 0x6c64ab in WelsDec::WelsDecodeMbCabacBSliceBaseMode0(WelsDec::TagWelsDecoderContext*, WelsDec::TagNeighborAvail*, unsigned int&) codec/decoder/core/src/decode_slice.cpp:1097:5
    #2 0x6d3e9f in WelsDec::WelsDecodeMbCabacBSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) codec/decoder/core/src/decode_slice.cpp:1446:3
    #3 0x6d87d5 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) codec/decoder/core/src/decode_slice.cpp:1560:12
    #4 0x59c4ae in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2557:16
    #5 0x5973c3 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2257:10
    #6 0x55b8ee in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #7 0x52e105 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:572:3
    #8 0x52c294 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:497:11
    #9 0x516bc9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
    #10 0x51c3cf in main codec/console/dec/src/h264dec.cpp:510:3
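The UBSan report above is the raw material a fuzzing triage pipeline turns into a deduplication key; the bug title's `[@ WelsDec::ParseInterBMotionInfoCabac]` is exactly that key. The following is an added example (not code from this bug or from the OpenH264 project) that parses the sanitizer output pasted in the comment, strips parameter lists from the frames, skips the console front-end frames under `codec/console/` (a heuristic chosen here, not an OpenH264 convention), and derives the Bugzilla-style signature plus a coarse error class. The sample input is the report text copied from this comment; the category names and the harness-prefix rule are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the UBSan output from comment 0 of this bug, copied verbatim
# so the parser can be exercised offline.
UBSAN_REPORT = """\
codec/decoder/core/src/parse_mb_syn_cabac.cpp:885:58: runtime error: member access within null pointer of type 'struct SPicture'
    #0 0x74b647 in WelsDec::ParseInterBMotionInfoCabac(WelsDec::TagWelsDecoderContext*, WelsDec::TagNeighborAvail*, unsigned char*, short (*) [30][2], short (*) [30][2], signed char (*) [30], signed char*) codec/decoder/core/src/parse_mb_syn_cabac.cpp:885:58
    #1 0x6c64ab in WelsDec::WelsDecodeMbCabacBSliceBaseMode0(WelsDec::TagWelsDecoderContext*, WelsDec::TagNeighborAvail*, unsigned int&) codec/decoder/core/src/decode_slice.cpp:1097:5
    #2 0x6d3e9f in WelsDec::WelsDecodeMbCabacBSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) codec/decoder/core/src/decode_slice.cpp:1446:3
    #3 0x6d87d5 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) codec/decoder/core/src/decode_slice.cpp:1560:12
    #4 0x59c4ae in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2557:16
    #5 0x5973c3 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2257:10
    #6 0x55b8ee in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #7 0x52e105 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:572:3
    #8 0x52c294 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:497:11
    #9 0x516bc9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
    #10 0x51c3cf in main codec/console/dec/src/h264dec.cpp:510:3
"""

# "#N 0x... in <function(params)> <path>:<line>:<col>"; the location is always
# the last token, so a lazy match on the function part is safe.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+):(\d+):(\d+)\s*$")
# "<path>:<line>:<col>: runtime error: <message>"
ERROR_RE = re.compile(r"^(\S+):(\d+):(\d+): runtime error: (.+)$")

# Frames whose source lives here belong to the test driver, not the codec
# (assumption of this example, used only to pick the signature frame).
HARNESS_PREFIXES = ("codec/console/",)


@dataclass
class Frame:
    index: int
    function: str  # qualified name with the parameter list removed
    path: str
    line: int
    column: int


@dataclass
class CrashReport:
    path: str
    line: int
    message: str
    frames: List[Frame]


def parse_ubsan(text: str) -> CrashReport:
    """Parse one UBSan 'runtime error' block with its symbolised stack."""
    report: Optional[CrashReport] = None
    for raw in text.splitlines():
        m = ERROR_RE.match(raw)
        if m:
            report = CrashReport(m.group(1), int(m.group(2)), m.group(4), [])
            continue
        m = FRAME_RE.match(raw)
        if m and report is not None:
            # Drop "(params...)" so overloads and long signatures collapse.
            func = m.group(2).split("(", 1)[0]
            report.frames.append(
                Frame(int(m.group(1)), func, m.group(3), int(m.group(4)), int(m.group(5)))
            )
    if report is None:
        raise ValueError("no UBSan 'runtime error' line found")
    return report


def crash_signature(report: CrashReport, depth: int = 1) -> str:
    """Bugzilla-style '[@ frame | frame]' key from the top non-harness frames."""
    names = [f.function for f in report.frames if not f.path.startswith(HARNESS_PREFIXES)]
    if not names:  # everything was harness: fall back to the raw top frame
        names = [f.function for f in report.frames[:1]]
    return "[@ " + " | ".join(names[:depth]) + "]"


def classify(message: str) -> str:
    """Coarse bucket for the UBSan message text (example's own categories)."""
    if "null pointer" in message:
        return "null-deref"
    if "signed integer overflow" in message:
        return "int-overflow"
    if "out of bounds" in message:
        return "oob-index"
    return "other"


def triage(text: str) -> dict:
    """Summarise a report the way a dedup/triage step would record it."""
    r = parse_ubsan(text)
    top = r.frames[0]
    return {
        "signature": crash_signature(r),
        "kind": classify(r.message),
        "location": f"{r.path}:{r.line}",
        # Sanity check: the reported error site should be frame #0.
        "top_frame_matches_location": top.path == r.path and top.line == r.line,
        "frames": len(r.frames),
    }


if __name__ == "__main__":
    print(triage(UBSAN_REPORT))
```

With `depth=1` the signature reproduces the bug title; a larger depth gives a stricter key that separates crashes sharing a common leaf (for instance several null dereferences reached through different CABAC macroblock paths) at the cost of more duplicates when inlining differs between builds.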

Verified fixed with openh264 commit 1e2e87f

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Blocks: 1512756
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core