Bug 1525089
Opened 7 years ago
Closed 7 years ago
OpenH264: heap-use-after-free in [@ WelsDec::WelsReorderRefList]
Categories: Core :: Audio/Video: GMP, defect, P2
Status: RESOLVED FIXED
Reporter: tsmith (Unassigned)
Attachments: 1 file (1.06 KB, application/octet-stream)
Found by oss-fuzz while fuzzing openh264 revision 70eeb783515dbfee3e0c781d6667838caba5113b
reproducible with commit a943bad3bddc7bf8a76852ddc92a88d168c4ec57
NOTE: While transitioning to oss-fuzz, issues will be logged in bugzilla.
Build with "-fsanitize=address"
To reproduce:
./h264dec testcase.264 /dev/null
==53516==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000037c at pc 0x0000006058b4 bp 0x7fffaefef660 sp 0x7fffaefef658
READ of size 4 at 0x61500000037c thread T0
#0 0x6058b3 in WelsDec::WelsReorderRefList(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/manage_dec_ref.cpp:378:55
#1 0x5a6c60 in WelsDec::InitRefPicList(WelsDec::TagWelsDecoderContext*, unsigned char, int) codec/decoder/core/src/decoder_core.cpp:2340:14
#2 0x59e22b in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2538:18
#3 0x599453 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2257:10
#4 0x55d97e in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
#5 0x52ee02 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
#6 0x52cf94 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
#7 0x516bc9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
#8 0x51c3cf in main codec/console/dec/src/h264dec.cpp:510:3
0x61500000037c is located 124 bytes inside of 499-byte region [0x615000000300,0x6150000004f3)
freed by thread T0 here:
#0 0x4d5b80 in __interceptor_cfree.localalias.0 (h264dec+0x4d5b80)
#1 0x7c0c80 in WelsCommon::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:113:5
#2 0x7c0c80 in WelsCommon::CMemoryAlign::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:154
previously allocated by thread T0 here:
#0 0x4d5d38 in __interceptor_malloc (h264dec+0x4d5d38)
#1 0x7c04d4 in WelsCommon::WelsMalloc(unsigned int, char const*, unsigned int) codec/common/src/memory_align.cpp:72:30
#2 0x7c04d4 in WelsCommon::CMemoryAlign::WelsMalloc(unsigned int, char const*) codec/common/src/memory_align.cpp:129
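An added triage helper, not part of this bug or of the openh264 project: it parses an AddressSanitizer report of the shape shown above into the bug class, the faulting access, and the nearest source frame of the access, the free and the allocation, which is what a reviewer needs before opening manage_dec_ref.cpp. The sample input is the head of the report from this bug, trimmed to a few frames per stack (constructed for the example); the regexes assume the symbolized "#N 0xPC in function file:line:col" frame format seen here.

```python
import re

# Constructed sample: the head of the ASan report quoted in this bug, stacks trimmed.
ASAN_REPORT = """\
==53516==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000037c at pc 0x0000006058b4 bp 0x7fffaefef660 sp 0x7fffaefef658
READ of size 4 at 0x61500000037c thread T0
    #0 0x6058b3 in WelsDec::WelsReorderRefList(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/manage_dec_ref.cpp:378:55
0x61500000037c is located 124 bytes inside of 499-byte region [0x615000000300,0x6150000004f3)
freed by thread T0 here:
    #0 0x4d5b80 in __interceptor_cfree.localalias.0 (h264dec+0x4d5b80)
    #1 0x7c0c80 in WelsCommon::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:113:5
previously allocated by thread T0 here:
    #0 0x4d5d38 in __interceptor_malloc (h264dec+0x4d5d38)
    #1 0x7c04d4 in WelsCommon::WelsMalloc(unsigned int, char const*, unsigned int) codec/common/src/memory_align.cpp:72:30
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
# A frame is "#N 0xPC in <function> <location>"; the location is always the last token.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+)$")
SOURCE_RE = re.compile(r"^(?P<file>[^:()]+):(?P<line>\d+)(?::\d+)?$")  # file:line[:col]
SECTIONS = {"freed by": "freed_by", "previously allocated by": "allocated_by"}

def parse_frame(m):
    """(function without argument list, file, line); file/line are None when the frame only resolved to a binary offset."""
    src = SOURCE_RE.match(m["loc"])
    func = m["func"].split("(", 1)[0]
    return (func, src["file"], int(src["line"])) if src else (func, None, None)

def parse_asan_report(text):
    """Extract error kind, address, faulting access and the three stacks from an ASan report."""
    rep = {"kind": None, "address": None, "access": None, "size": None, "stacks": {k: [] for k in ("access", "freed_by", "allocated_by")}}
    current = "access"
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep["kind"], rep["address"] = m["kind"], m["addr"]
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m["op"], int(m["size"])
        elif m := FRAME_RE.match(line):
            rep["stacks"][current].append(parse_frame(m))
        else:  # a section header switches which stack the following frames belong to
            current = next((k for p, k in SECTIONS.items() if line.startswith(p)), current)
    return rep

def triage(text):
    """Bug class, access, and the nearest project frame (first with a file:line) of the access, free and allocation."""
    rep = parse_asan_report(text)
    nearest = lambda key: next((f for f in rep["stacks"][key] if f[1]), None)
    return {"kind": rep["kind"], "access": (rep["access"], rep["size"]), "crash": nearest("access"),
            "freed": nearest("freed_by"), "allocated": nearest("allocated_by")}
```

Frames that resolve only to a binary offset (the allocator interceptors) are kept in the stacks but skipped when picking the nearest project frame.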
Comment 1•7 years ago
This issue is fixed in openh264 commit c330a667169069c56928bfe4f8b87fe5779976c4
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Group: media-core-security → core-security-release
Updated•5 years ago
Group: core-security-release
Updated•3 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core