Closed Bug 1526107 Opened 7 years ago Closed 6 years ago

OpenH264: use-of-uninitialized-value in [@ H264DecodeInstance]

Categories: Core :: Audio/Video: GMP, defect, P3

Status: RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

Attachments

(1 file)

Attached file testcase.264

Found while fuzzing openh264 revision c330a667169069c56928bfe4f8b87fe5779976c4

This issue affects h264dec, the command line decoder tool. This appears to be due to how the args are passed to H264DecodeInstance() on h264dec.c:502.

Build with "-fsanitize=memory"

To reproduce:
./h264dec testcase.264 /dev/null

Uninitialized bytes in __interceptor_fopen at offset 28 inside [0x702000000000, 29)
==15264==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x495a1c in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:108:17
    #1 0x49add0 in main codec/console/dec/src/h264dec.cpp:502:3

  Uninitialized value was created by a heap allocation
    #0 0x492cb9 in operator new(unsigned long) (h264dec+0x492cb9)
    #1 0x7fa9b8863cfa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x124cfa)

This is reproducible with openh264 revision c81d7f67583ce92664147110e8d7cd36b17a272c
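As an added example (not code from openh264 and not the reporter's), the following C++ program reproduces the bug class this MemorySanitizer report describes: a file name is built into a std::string from a buffer that was never fully written, the string copies the poisoned bytes into its own heap allocation (the "heap allocation ... operator new ... _M_mutate" origin in the report), and the first thing to read past the real name is the fopen() interceptor. The helper names, the 32-byte stack buffer and the default argument "testcase.264" are constructed for this illustration; the actual argument handling in h264dec.cpp that triggers the report is not shown on this page.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical buggy pattern (constructed for this example, not openh264 code): the
// argument is copied into a fixed-size stack buffer without a terminator, and the
// std::string is then built from the buffer's full capacity. Everything after the
// copied name is uninitialized stack memory, which std::string copies verbatim into
// its heap allocation.
std::string build_path_buggy(const char* arg) {
    char buf[32];                               // deliberately left uninitialized
    size_t n = std::strlen(arg);
    if (n > sizeof(buf)) n = sizeof(buf);
    std::memcpy(buf, arg, n);                   // no NUL, tail of buf never written
    return std::string(buf, sizeof(buf));       // copies 32 bytes, only n of them valid
}

// Fixed pattern: size the string by the argument itself, so every byte that reaches
// fopen() was actually written by the caller.
std::string build_path_fixed(const char* arg) {
    return std::string(arg);
}

// Opens the input the way a decoder front end would. Built with -fsanitize=memory,
// the call with the buggy path is the one that reports
// "Uninitialized bytes in __interceptor_fopen ... use-of-uninitialized-value".
bool open_input(const std::string& path) {
    std::FILE* f = std::fopen(path.c_str(), "rb");
    if (!f) return false;
    std::fclose(f);
    return true;
}

// Cheap check usable without MSan: a correctly built path has exactly the length
// of the argument and carries no bytes from outside it. The size comparison runs
// first so a buggy path is rejected without reading its uninitialized tail.
bool path_is_clean(const std::string& path, const char* arg) {
    return path.size() == std::strlen(arg) && path == arg;
}

int main(int argc, char** argv) {
    const char* arg = argc > 1 ? argv[1] : "testcase.264";   // constructed default
    std::string bad  = build_path_buggy(arg);
    std::string good = build_path_fixed(arg);
    std::printf("buggy path length %zu, fixed path length %zu\n", bad.size(), good.size());
    std::printf("buggy path clean: %s\n", path_is_clean(bad, arg) ? "yes" : "no");
    std::printf("fixed path clean: %s\n", path_is_clean(good, arg) ? "yes" : "no");
    // Under MSan the next line is where the sanitizer fires.
    std::printf("buggy open: %s\n", open_input(bad) ? "ok" : "failed");
    std::printf("fixed open: %s\n", open_input(good) ? "ok" : "failed");
    return 0;
}
```

Compile with `clang++ -fsanitize=memory -g -O1 -fno-omit-frame-pointer` and run it against a file that exists; MSan stops at the fopen() call with the buggy path and, with `MSAN_OPTIONS=print_stats=1` or an origin-tracking build (`-fsanitize-memory-track-origins`), names the std::string allocation as the origin, matching the shape of the report above. Without MSan the program usually still "works", which is why a plain `./h264dec testcase.264 /dev/null` run does not show the problem.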

P3 as it only appears to affect a command line tool not used in Firefox.

Priority: -- → P3
Group: media-core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
