Potential out-of-bounds write in GMPDecodeData
Categories
(Core :: WebRTC, defect, P1)
Tracking
()
People
(Reporter: deian, Assigned: dminor)
Details
(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main75+][adv-esr68.7+])
Attachments
(2 files, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
tjr
:
approval-mozilla-beta+
tjr
:
approval-mozilla-esr68+
tjr
:
sec-approval+
|
Details | Review |
|
310 bytes,
text/plain
|
Details |
I believe there is a potential out-of-bounds write in GMPDecodeData [1]:
GMPDecodeData(const webrtc::EncodedImage& aInputImage, bool aMissingFrames,
int64_t aRenderTimeMs)
: mImage(aInputImage),
mMissingFrames(aMissingFrames),
mRenderTimeMs(aRenderTimeMs) {
// We want to use this for queuing, and the calling code recycles the
// buffer on return from Decode()
mImage._length = aInputImage._length;
mImage._size =
aInputImage._length +
webrtc::EncodedImage::GetBufferPaddingBytes(webrtc::kVideoCodecH264); // <-- pick huge enough _length such that _length + 8 overflows
mImage._buffer = new uint8_t[mImage._size]; // <-- allocate array smaller than _length
memcpy(mImage._buffer, aInputImage._buffer, aInputImage._length); // <-- copy _length bytes
I'm not sure if this is easy to trigger or if it's really any more serious than
a crash, but seemed worth reporting. Apologies if this turns out to not be a
concern.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Comment 1•5 years ago
|
||
a) could only apply to 32-bit builds (but that's valid)
b) _length and the buffer it points to would have to be an actual memory buffer of ~4GB (which is very unlikely to be possible)
c) encoded input images are very likely constrained in size before this point (to way less than 4G), but that can be checked
d) adding a backup error-out-on-too-big (or release-assert) here wouldn't hurt even if c) is correct that this can't happen currently.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 2•4 years ago
|
||
|
|
Assignee | |
Comment 3•4 years ago
|
||
Comment on attachment 9129110 [details]
Bug 1544181 - Check for large frames in GMPDecodeData; r=ng!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not easily.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Attached patch should apply cleanly.
- How likely is this patch to cause regressions; how much testing does it need?: Very unlikely, this adds an assertion for a condition we're unlikely to ever hit.
|
||
Updated•4 years ago
|
|
|
||
Comment 4•4 years ago
|
||
Comment on attachment 9129110 [details]
Bug 1544181 - Check for large frames in GMPDecodeData; r=ng!
Approved to land and for uplift.
|
|
||
Updated•4 years ago
|
|
||
Comment 5•4 years ago
|
||
Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information
|
||
Comment 6•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/2dfe1500d02eebf29c7f02d042246e7fc843ead9
https://hg.mozilla.org/mozilla-central/rev/2dfe1500d02e
|
|
||
Comment 7•4 years ago
|
||
| uplift | ||
|
||
Comment 8•4 years ago
|
||
| uplift | ||
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Comment 9•4 years ago
|
||
|
Reporter | |
Comment 10•4 years ago
|
||
@Tom can you give Fraser Brown credit too :-) She's the real hero that built the tool that found this bug.
|
|
||
Comment 11•4 years ago
|
||
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
Description
•