Closed
Bug 1525097
Opened 7 years ago
Closed 7 years ago
OpenH264: index out of bounds in [@ WelsDec::DecodeCurrentAccessUnit]
Categories
(Core :: Audio/Video: GMP, defect)
RESOLVED
FIXED
People
(Reporter: tsmith, Unassigned)
Attachments
(1 file): 152 bytes, application/octet-stream
Found by oss-fuzz while fuzzing openh264 revision 70eeb783515dbfee3e0c781d6667838caba5113b
reproducible with commit a943bad3bddc7bf8a76852ddc92a88d168c4ec57
NOTE: While transitioning to oss-fuzz, issues will be logged in Bugzilla.
Build with "-fsanitize=undefined"
To reproduce:
./h264dec testcase.264 /dev/null
codec/decoder/core/src/decoder_core.cpp:2655:18: runtime error: index 17 out of bounds for type 'PPicture [17]'
#0 0x5a24ef in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2655:18
#1 0x599453 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2257:10
#2 0x55d97e in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
#3 0x52ee02 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
#4 0x52cf94 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
#5 0x516bc9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
#6 0x51c3cf in main codec/console/dec/src/h264dec.cpp:510:3
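Added example (not part of the original report and not OpenH264 or Bugzilla code): a small triage helper that parses a UBSan index-out-of-bounds report like the one above, derives the "[@ ...]" crash signature used in the bug title from frame #0, and reports how far past the end of the array the index landed. The function names triage and strip_args are hypothetical; the sample input is constructed from the first lines of the trace in the description.

```python
import re

# Constructed sample: the error line and first frames of the trace in the description.
REPORT = """\
codec/decoder/core/src/decoder_core.cpp:2655:18: runtime error: index 17 out of bounds for type 'PPicture [17]'
#0 0x5a24ef in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2655:18
#1 0x599453 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2257:10
#2 0x55d97e in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
"""

ERROR_RE = re.compile(
    r"^(?P<file>\S+):(?P<line>\d+):(?P<col>\d+): runtime error: "
    r"index (?P<index>-?\d+) out of bounds for type '(?P<elem>.+?) \[(?P<size>\d+)\]'$"
)
FRAME_RE = re.compile(r"^#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+:\d+(?::\d+)?)$")

def strip_args(func):
    """Drop the C++ parameter list so the name matches a '[@ ...]' crash signature."""
    return func.split("(", 1)[0]

def triage(report):
    """Return a summary dict for a UBSan index-out-of-bounds report, or None."""
    lines = [l.strip() for l in report.splitlines() if l.strip()]
    err = next((m for m in map(ERROR_RE.match, lines) if m), None)
    if err is None:
        return None
    frames = [m for m in map(FRAME_RE.match, lines) if m]
    frames.sort(key=lambda m: int(m["n"]))
    index, size = int(err["index"]), int(err["size"])
    top = frames[0] if frames else None
    return {
        "signature": f"[@ {strip_args(top['func'])}]" if top else None,
        "location": f"{err['file']}:{err['line']}",
        "element_type": err["elem"],
        "index": index,
        "array_size": size,
        # Valid indices are 0..size-1; index == size is exactly one past the end.
        "distance_past_end": index - size + 1 if index >= size else None,
        "negative_index": index < 0,
        # The sanitizer's error location should agree with frame #0.
        "consistent": bool(top) and top["loc"].startswith(f"{err['file']}:{err['line']}:"),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

For this report the index equals the declared array size, so the access is one element past the last valid slot of the 17-entry array.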
Reporter
Comment 1•7 years ago
This issue is reproducible with the attached test case and openh264 commit c330a667169069c56928bfe4f8b87fe5779976c4
Reporter
Comment 2•7 years ago
Fixed in openh264 commit d8cb746954c9052a428ba30207e2f2d1a08c238d
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Group: media-core-security → core-security-release
Updated•5 years ago
Group: core-security-release
Assignee
Updated•3 years ago
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core