Closed Bug 1526408 Opened 7 years ago Closed 7 years ago

OpenH264: heap-use-after-free in [@ WelsDec::MapColToList0]

Categories

(Core :: Audio/Video: GMP, defect)

defect
Not set
critical


RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)


Attachments (1 file)

Attached file: testcase.264 (68 bytes, application/octet-stream)

Found by oss-fuzz while fuzzing openh264 revision 0eeb783515dbfee3e0c781d6667838caba5113b.
Reproducible with commit c330a667169069c56928bfe4f8b87fe5779976c4.

NOTE: While transitioning to oss-fuzz, issues will be logged in Bugzilla.

Build with "-fsanitize=address".

To reproduce:
./h264dec testcase.264 /dev/null

==16382==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000005f0 at pc 0x00000093773f bp 0x7ffe1bafb7a0 sp 0x7ffe1bafb798
READ of size 4 at 0x6150000005f0 thread T0
    #0 0x93773e in WelsDec::MapColToList0(WelsDec::TagWelsDecoderContext*&, signed char const&, int const&) codec/decoder/core/src/mv_pred.cpp:1109:71
    #1 0x93214e in WelsDec::PredBDirectTemporal(WelsDec::TagWelsDecoderContext*, short (*) [2], signed char*, unsigned int&) codec/decoder/core/src/mv_pred.cpp:628:23
    #2 0x8ab3e1 in WelsDec::WelsDecodeMbCabacBSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*, unsigned int&) codec/decoder/core/src/decode_slice.cpp:1424:21
    #3 0x8b3915 in WelsDec::WelsDecodeSlice(WelsDec::TagWelsDecoderContext*, bool, WelsDec::TagNalUnit*) codec/decoder/core/src/decode_slice.cpp:1560:12
    #4 0x5bd0d8 in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2557:16
    #5 0x5b28b6 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2257:10
    #6 0x54a627 in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #7 0x5128a0 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
    #8 0x510304 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
    #9 0x4fc85a in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:222:17
    #10 0x504206 in main codec/console/dec/src/h264dec.cpp:502:3

0x6150000005f0 is located 112 bytes inside of 499-byte region [0x615000000580,0x615000000773)
freed by thread T0 here:
    #0 0x4c5f72 in free (h264dec+0x4c5f72)
    #1 0xa4acc9 in WelsCommon::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:113:5
    #2 0xa4b592 in WelsCommon::CMemoryAlign::WelsFree(void*, char const*) codec/common/src/memory_align.cpp:154:3
    #3 0x68c4c2 in WelsDec::FreePicture(WelsDec::SPicture*, WelsCommon::CMemoryAlign*) codec/decoder/core/src/pic_queue.cpp:150:10
    #4 0x539b42 in WelsDec::DecreasePicBuff(WelsDec::TagWelsDecoderContext*, WelsDec::TagPicBuff**, int, int, int, int) codec/decoder/core/src/decoder.cpp:215:9
    #5 0x53479b in WelsRequestMem codec/decoder/core/src/decoder.cpp:402:14
    #6 0x54b3b0 in SyncPictureResolutionExt codec/decoder/core/src/decoder.cpp:834:10
    #7 0x5b2820 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2249:12
    #8 0x54a627 in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #9 0x5128a0 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
    #10 0x510304 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
    #11 0x4fc85a in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:222:17
    #12 0x504206 in main codec/console/dec/src/h264dec.cpp:502:3

previously allocated by thread T0 here:
    #0 0x4c62f3 in __interceptor_malloc (h264dec+0x4c62f3)
    #1 0xa4a7f7 in WelsCommon::WelsMalloc(unsigned int, char const*, unsigned int) codec/common/src/memory_align.cpp:72:30
    #2 0xa4af4d in WelsCommon::CMemoryAlign::WelsMalloc(unsigned int, char const*) codec/common/src/memory_align.cpp:129:20
    #3 0xa4ada3 in WelsCommon::CMemoryAlign::WelsMallocz(unsigned int, char const*) codec/common/src/memory_align.cpp:118:20
    #4 0x68730c in WelsDec::AllocPicture(WelsDec::TagWelsDecoderContext*, int, int) codec/decoder/core/src/pic_queue.cpp:73:26
    #5 0x53bc68 in WelsDec::CreatePicBuff(WelsDec::TagWelsDecoderContext*, WelsDec::TagPicBuff**, int, int, int) codec/decoder/core/src/decoder.cpp:87:21
    #6 0x534f78 in WelsRequestMem codec/decoder/core/src/decoder.cpp:424:12
    #7 0x54b3b0 in SyncPictureResolutionExt codec/decoder/core/src/decoder.cpp:834:10
    #8 0x5b2820 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2249:12
    #9 0x54a627 in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #10 0x5128a0 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
    #11 0x510304 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
    #12 0x4fc85a in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:222:17
    #13 0x504206 in main codec/console/dec/src/h264dec.cpp:502:3

Fixed in openh264 commit c81d7f67583ce92664147110e8d7cd36b17a272c

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Group: core-security-release
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core