Bug 1525361 (Closed): opened 7 years ago, closed 7 years ago

OpenH264: heap-use-after-free in [@ CUtils::Process]

Categories: Core :: Audio/Video: GMP, defect
RESOLVED FIXED

People: Reporter: tsmith, Unassigned


Attachments (1 file): testcase.264 (10.78 KB, application/octet-stream)

Attached file testcase.264

Found while fuzzing openh264 revision a943bad3bddc7bf8a76852ddc92a88d168c4ec57

This issue affects h264dec, the command line decoder tool.

Build with "-fsanitize=address"

To reproduce:
./h264dec testcase.264 /dev/null

==4502==ERROR: AddressSanitizer: heap-use-after-free on address 0x627000012530 at pc 0x0000004394b2 bp 0x7ffdd64f8af0 sp 0x7ffdd64f8298
READ of size 32 at 0x627000012530 thread T0
    #0 0x4394b1 in fwrite (h264dec+0x4394b1)
    #1 0x4f6f4e in Write2File(_IO_FILE*, unsigned char**, int*, int, int) codec/console/dec/src/d3d9_utils.cpp:631:5
    #2 0x4f6e48 in CUtils::Process(void**, TagBufferInfo*, _IO_FILE*) codec/console/dec/src/d3d9_utils.cpp:571:7
    #3 0x4fa382 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:305:21
    #4 0x4fce29 in main codec/console/dec/src/h264dec.cpp:502:3

0x627000012530 is located 3120 bytes inside of 13851-byte region [0x627000011900,0x627000014f1b)
freed by thread T0 here:
    #0 0x4c4872 in free (h264dec+0x4c4872)
    #1 0x6c7f2f in WelsCommon::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:113:5
    #2 0x6c82cb in WelsCommon::CMemoryAlign::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:154:3
    #3 0x57cb87 in WelsDec::FreePicture(WelsDec::SPicture*, WelsCommon::CMemoryAlign*) codec/decoder/core/src/pic_queue.cpp:130:12
    #4 0x51061a in WelsDec::DecreasePicBuff(WelsDec::TagWelsDecoderContext*, WelsDec::TagPicBuff**, int, int, int, int) codec/decoder/core/src/decoder.cpp:215:9
    #5 0x50e3f0 in WelsRequestMem codec/decoder/core/src/decoder.cpp:402:14
    #6 0x51646d in SyncPictureResolutionExt codec/decoder/core/src/decoder.cpp:834:10
    #7 0x538b3f in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2249:12
    #8 0x515e1f in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #9 0x5025c3 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
    #10 0x501823 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
    #11 0x4f8bfd in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:222:17
    #12 0x4fce29 in main codec/console/dec/src/h264dec.cpp:502:3

previously allocated by thread T0 here:
    #0 0x4c4bf3 in __interceptor_malloc (h264dec+0x4c4bf3)
    #1 0x6c7dcf in WelsCommon::WelsMalloc(unsigned int, char const*, unsigned int) codec/common/src/memory_align.cpp:72:30
    #2 0x6c8046 in WelsCommon::CMemoryAlign::WelsMalloc(unsigned int, char const*) codec/common/src/memory_align.cpp:129:20
    #3 0x6c7f62 in WelsCommon::CMemoryAlign::WelsMallocz(unsigned int, char const*) codec/common/src/memory_align.cpp:118:20
    #4 0x57c025 in WelsDec::AllocPicture(WelsDec::TagWelsDecoderContext*, int, int) codec/decoder/core/src/pic_queue.cpp:92:52
    #5 0x5112e3 in WelsDec::CreatePicBuff(WelsDec::TagWelsDecoderContext*, WelsDec::TagPicBuff**, int, int, int) codec/decoder/core/src/decoder.cpp:87:21
    #6 0x50e745 in WelsRequestMem codec/decoder/core/src/decoder.cpp:424:12
    #7 0x51646d in SyncPictureResolutionExt codec/decoder/core/src/decoder.cpp:834:10
    #8 0x538b3f in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2249:12
    #9 0x515e1f in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #10 0x5025c3 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
    #11 0x501823 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
    #12 0x4f8bfd in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:222:17
    #13 0x4fce29 in main codec/console/dec/src/h264dec.cpp:502:3

This issue is fixed in openh264 commit c330a667169069c56928bfe4f8b87fe5779976c4
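As an added triage aid, not part of this bug or of OpenH264: a small parser for the sanitizer report above that splits it into the access and free stacks, cross-checks the reported offset and region size against the region bounds, and pulls out the first project-code frame of each stack, so the reading site (Write2File in the console tool) and the freeing site (FreePicture in the decoder core) can be matched without reading the whole trace. The sample is an abridged copy of the report quoted in the bug; the function names and the path prefixes passed to first_frame_under are the author's choices.

```python
import re

# Constructed sample: the AddressSanitizer report from the bug, abridged to its first frames.
REPORT = """\
==4502==ERROR: AddressSanitizer: heap-use-after-free on address 0x627000012530 at pc 0x0000004394b2 bp 0x7ffdd64f8af0 sp 0x7ffdd64f8298
READ of size 32 at 0x627000012530 thread T0
    #0 0x4394b1 in fwrite (h264dec+0x4394b1)
    #1 0x4f6f4e in Write2File(_IO_FILE*, unsigned char**, int*, int, int) codec/console/dec/src/d3d9_utils.cpp:631:5
    #2 0x4f6e48 in CUtils::Process(void**, TagBufferInfo*, _IO_FILE*) codec/console/dec/src/d3d9_utils.cpp:571:7

0x627000012530 is located 3120 bytes inside of 13851-byte region [0x627000011900,0x627000014f1b)
freed by thread T0 here:
    #0 0x4c4872 in free (h264dec+0x4c4872)
    #1 0x6c7f2f in WelsCommon::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:113:5
    #2 0x6c82cb in WelsCommon::CMemoryAlign::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:154:3
    #3 0x57cb87 in WelsDec::FreePicture(WelsDec::SPicture*, WelsCommon::CMemoryAlign*) codec/decoder/core/src/pic_queue.cpp:130:12
"""

HEAD_RE = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in ([^\s(]+)(?:.* (\S+):(\d+):\d+$)?")  # func, optional path:line
SECTION = {"freed by": "free", "previously allocated by": "alloc"}

def parse_report(text):
    """Split an ASan heap-use-after-free report into its access, free and alloc stacks."""
    info = {"stacks": {"access": [], "free": [], "alloc": []}}
    current = None
    for line in text.splitlines():
        if m := HEAD_RE.search(line):
            info["kind"], info["addr"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            current, info["op"], info["size"] = "access", m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
            info["region"] = (int(m.group(3), 16), int(m.group(4), 16))
        elif m := FRAME_RE.match(line):
            func, path, lineno = m.groups()
            info["stacks"][current].append((func, path, int(lineno) if lineno else None))
        else:
            current = next((v for k, v in SECTION.items() if line.startswith(k)), current)
    # Cross-check the reported offset and size against the region bounds ASan printed.
    lo, hi = info["region"]
    info["consistent"] = lo <= info["addr"] < hi and info["addr"] - lo == info["offset"] and hi - lo == info["region_size"]
    return info

def first_frame_under(info, stack, path_prefix):
    """First frame of a stack inside the given source subtree, skipping libc/interceptor frames."""
    return next((f for f in info["stacks"][stack] if f[1] and f[1].startswith(path_prefix)), None)
```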

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core