Closed Bug 1526427 Opened 5 years ago Closed 5 years ago

OpenH264: crash near null in [@ WelsDec::WelsInitBSliceRefList]

(Core :: Audio/Video: GMP, defect, P5)

RESOLVED FIXED

(Reporter: tsmith, Unassigned)

(Keywords: crash, regression, testcase)

Attached file testcase.264 (68 bytes, application/octet-stream)

Found while fuzzing openh264 revision c330a667169069c56928bfe4f8b87fe5779976c4

Build with "-fsanitize=address"

To reproduce:
./h264dec testcase.264 /dev/null

==16459==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x00000065fbf8 bp 0x7ffe2d943280 sp 0x7ffe2d941e60 T0)
==16459==The signal is caused by a READ memory access.
==16459==Hint: address points to the zero page.
    #0 0x65fbf7 in WelsDec::WelsInitBSliceRefList(WelsDec::TagWelsDecoderContext*, int) codec/decoder/core/src/manage_dec_ref.cpp
    #1 0x5c4036 in WelsDec::InitRefPicList(WelsDec::TagWelsDecoderContext*, unsigned char, int) codec/decoder/core/src/decoder_core.cpp:2330:12
    #2 0x5bc84c in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2538:18
    #3 0x5b28b6 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2257:10
    #4 0x54a627 in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
    #5 0x5128a0 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:575:3
    #6 0x510304 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:500:11
    #7 0x4fc85a in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:222:17
    #8 0x504206 in main codec/console/dec/src/h264dec.cpp:502:3
Blocks: 1512756
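The report above is the kind of ASan output a fuzzing pipeline has to triage before a human looks at it: the "SEGV on unknown address 0x60" plus the "READ" line are what make this a crash "near null" rather than a wild pointer. The following is an added example, not code from the bug or from the OpenH264 project. It parses the report header, the access-type line and the stack frames, and classifies the fault address with a constructed one-page (0x1000) threshold; the sample text is the report from this bug trimmed to two frames. The header regex also accepts other ASan report kinds (for example heap-buffer-overflow), so the same parser can feed a bucketing step.

```python
import re

# Constructed sample: the first lines of the ASan report quoted in this bug.
SAMPLE_REPORT = """\
==16459==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x00000065fbf8 bp 0x7ffe2d943280 sp 0x7ffe2d941e60 T0)
==16459==The signal is caused by a READ memory access.
==16459==Hint: address points to the zero page.
    #0 0x65fbf7 in WelsDec::WelsInitBSliceRefList(WelsDec::TagWelsDecoderContext*, int) codec/decoder/core/src/manage_dec_ref.cpp
    #1 0x5c4036 in WelsDec::InitRefPicList(WelsDec::TagWelsDecoderContext*, unsigned char, int) codec/decoder/core/src/decoder_core.cpp:2330:12
"""

# Assumption: anything below one 4 KiB page counts as a null-derived address.
NEAR_NULL_LIMIT = 0x1000

# "==PID==ERROR: AddressSanitizer: <kind> on [unknown] address 0x<hex>"
ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-f]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
# "#N 0x<pc> in <function(args)> <file[:line:col]>"; the function may contain spaces,
# the location never does, so a lazy match on the function is unambiguous.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")


def classify_address(addr: int) -> str:
    """Bucket a fault address: near-null (first page) or wild (anything else)."""
    return "near-null" if addr < NEAR_NULL_LIMIT else "wild"


def triage(report: str) -> dict:
    """Extract the fields a triage queue keys on from one ASan report."""
    result = {
        "kind": None, "address": None, "access": None,
        "address_class": None, "top_frame": None, "frames": [],
    }
    for line in report.splitlines():
        m = ERROR_RE.search(line)
        if m:
            result["kind"] = m.group("kind")
            result["address"] = int(m.group("addr"), 16)
            result["address_class"] = classify_address(result["address"])
            continue
        m = ACCESS_RE.search(line)
        if m:
            result["access"] = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            # Drop the parameter list so frames with different signatures
            # but the same function bucket together.
            result["frames"].append(
                {"func": m.group("func").split("(")[0], "loc": m.group("loc")}
            )
    if result["frames"]:
        result["top_frame"] = result["frames"][0]["func"]
    return result


def severity_hint(t: dict) -> str:
    """Defender-side heuristic (an assumption, not OpenH264 policy): a READ from a
    near-null address is normally a crash/denial-of-service class bug, while a
    WRITE or a wild address needs a closer look before it is deprioritised."""
    if t["kind"] != "SEGV":
        return "review"
    if t["address_class"] == "near-null" and t["access"] == "READ":
        return "likely-dos-null-deref"
    return "needs-review"


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t['kind']} {t['access']} at {t['address']:#x} ({t['address_class']}) "
          f"in {t['top_frame']} -> {severity_hint(t)}")
```

The printed summary line gives the bucket key (kind, access, top frame) that a crash deduplicator would use; the P5 priority this bug received matches the "near-null READ" bucket that the heuristic puts it in.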

The priority flag is not set for this bug.
:marco, could you have a look please?

Flags: needinfo?(mcastelluccio)
Flags: needinfo?(mcastelluccio)
Priority: -- → P5

Verified fixed with openh264 commit be82ccf42fc044ae1ea0792837a9415eaf535002

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
