OpenH264: heap-use-after-free in [@ WelsDec::DecreasePicBuff]
Categories: Core :: Audio/Video: GMP, defect, P2
Tracking
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox72 | --- | unaffected |
| firefox73 | --- | unaffected |
| firefox74 | --- | unaffected |
People (Reporter: tsmith, Assignee: Unassigned)
Attachments (1 file): 104 bytes, application/octet-stream
Google accounts are required for oss-fuzz bugs at the moment, so here is a clone of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14423
Reproduces with the latest upstream commit c2e4abc16641a2c14cec48aef92940503116f4bb
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000000618 at pc 0x00000057927e bp 0x7ffe38c87890 sp 0x7ffe38c87888
READ of size 8 at 0x615000000618 thread T0
SCARINESS: 51 (8-byte-read-heap-use-after-free)
#0 0x57927d in WelsDec::DecreasePicBuff(WelsDec::TagWelsDecoderContext*, WelsDec::TagPicBuff**, int, int, int, int) openh264/codec/decoder/core/src/decoder.cpp:217:85
#1 0x5777ba in WelsRequestMem openh264/codec/decoder/core/src/decoder.cpp:423:14
#2 0x57c849 in SyncPictureResolutionExt openh264/codec/decoder/core/src/decoder.cpp:856:10
#3 0x58f476 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) openh264/codec/decoder/core/src/decoder_core.cpp:2249:12
#4 0x57af1e in WelsDecodeBs openh264/codec/decoder/core/src/decoder.cpp:819:7
#5 0x56fa5a in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) openh264/codec/decoder/plus/src/welsDecoderExt.cpp:575:3
#6 0x56f565 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) openh264/codec/decoder/plus/src/welsDecoderExt.cpp:500:11
#7 0x56c596 in LLVMFuzzerTestOneInput /src/decoder_fuzzer.cpp:75:15
#8 0x474101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:553:15
#9 0x45ea41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#10 0x4645ce in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
#11 0x48db72 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#12 0x7f6bf372f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
#13 0x41e778 in _start
0x615000000618 is located 152 bytes inside of 499-byte region [0x615000000580,0x615000000773)
freed by thread T0 here:
#0 0x539b9d in __interceptor_free _asan_rtl_:3
#1 0x5755a4 in WelsCommon::WelsFree(void*, char const*) openh264/codec/common/src/memory_align.cpp:113:5
#2 0x57581d in WelsCommon::CMemoryAlign::WelsFree(void*, char const*) openh264/codec/common/src/memory_align.cpp:154:3
#3 0x5b455a in WelsDec::FreePicture(WelsDec::SPicture*, WelsCommon::CMemoryAlign*) openh264/codec/decoder/core/src/pic_queue.cpp:150:10
#4 0x576711 in DestroyPicBuff openh264/codec/decoder/core/src/decoder.cpp:278:9
#5 0x577584 in WelsRequestMem openh264/codec/decoder/core/src/decoder.cpp:438:7
#6 0x57c849 in SyncPictureResolutionExt openh264/codec/decoder/core/src/decoder.cpp:856:10
#7 0x58f476 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) openh264/codec/decoder/core/src/decoder_core.cpp:2249:12
#8 0x57af1e in WelsDecodeBs openh264/codec/decoder/core/src/decoder.cpp:819:7
#9 0x56fa5a in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) openh264/codec/decoder/plus/src/welsDecoderExt.cpp:575:3
#10 0x56f565 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) openh264/codec/decoder/plus/src/welsDecoderExt.cpp:500:11
#11 0x56c596 in LLVMFuzzerTestOneInput /src/decoder_fuzzer.cpp:75:15
#12 0x474101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:553:15
#13 0x45ea41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#14 0x4645ce in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
#15 0x48db72 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#16 0x7f6bf372f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
previously allocated by thread T0 here:
#0 0x539e1d in malloc _asan_rtl_:3
#1 0x5754b3 in WelsCommon::WelsMalloc(unsigned int, char const*, unsigned int) openh264/codec/common/src/memory_align.cpp:72:30
#2 0x5756a4 in WelsCommon::CMemoryAlign::WelsMalloc(unsigned int, char const*) openh264/codec/common/src/memory_align.cpp:129:20
#3 0x57560a in WelsCommon::CMemoryAlign::WelsMallocz(unsigned int, char const*) openh264/codec/common/src/memory_align.cpp:118:20
#4 0x5b3d40 in WelsDec::AllocPicture(WelsDec::TagWelsDecoderContext*, int, int) openh264/codec/decoder/core/src/pic_queue.cpp:73:26
#5 0x57961e in WelsDec::CreatePicBuff(WelsDec::TagWelsDecoderContext*, WelsDec::TagPicBuff**, int, int, int) openh264/codec/decoder/core/src/decoder.cpp:87:21
#6 0x5775ca in WelsRequestMem openh264/codec/decoder/core/src/decoder.cpp:445:12
#7 0x57c849 in SyncPictureResolutionExt openh264/codec/decoder/core/src/decoder.cpp:856:10
#8 0x58f476 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) openh264/codec/decoder/core/src/decoder_core.cpp:2249:12
#9 0x57af1e in WelsDecodeBs openh264/codec/decoder/core/src/decoder.cpp:819:7
#10 0x56fa5a in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) openh264/codec/decoder/plus/src/welsDecoderExt.cpp:575:3
#11 0x56f565 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) openh264/codec/decoder/plus/src/welsDecoderExt.cpp:500:11
#12 0x56c596 in LLVMFuzzerTestOneInput /src/decoder_fuzzer.cpp:75:15
#13 0x474101 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:553:15
#14 0x45ea41 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#15 0x4645ce in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
#16 0x48db72 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#17 0x7f6bf372f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
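The three stacks above describe one lifecycle: pictures allocated from CreatePicBuff, released from DestroyPicBuff, and then touched again from DecreasePicBuff inside a later WelsRequestMem call. The following is an added, constructed C model of that lifecycle, not OpenH264's code; the report does not state the root cause, so the buggy/hardened pair illustrates the dangling-slot pattern the stacks are consistent with rather than the upstream fix. Every name in it (Picture, PicBuff, create_pic_buff, destroy_pic_buff_buggy, destroy_pic_buff_safe, decrease_pic_buff_safe and the two replay functions) is hypothetical.

```c
#include <stdlib.h>

/* Constructed model (not OpenH264's code): a Picture is one heap-allocated
 * frame and a PicBuff is a pool of Picture pointers plus the live count. */
typedef struct {
    int width, height;
    unsigned char *plane;
} Picture;

typedef struct {
    Picture **pics;
    int count;
} PicBuff;

static Picture *alloc_picture(int w, int h) {
    Picture *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->width = w;
    p->height = h;
    p->plane = calloc((size_t)w * (size_t)h, 1);
    if (!p->plane) { free(p); return NULL; }
    return p;
}

static void free_picture(Picture *p) {
    if (!p) return;
    free(p->plane);
    free(p);
}

/* Buggy shape: every Picture is freed, but the slots, the count and the
 * caller's handle keep their old values, so a later pass over the pool
 * (such as a decrease) dereferences freed memory. Never call this. */
void destroy_pic_buff_buggy(PicBuff *pb) {
    for (int i = 0; i < pb->count; i++)
        free_picture(pb->pics[i]);        /* pb->pics[i] now dangles */
    free(pb->pics);                       /* pb->pics dangles too */
    free(pb);                             /* and so does the caller's pb */
}

/* Hardened: clear each slot as it is released, reset the count, release the
 * array, and null the caller's handle through the double pointer. */
void destroy_pic_buff_safe(PicBuff **ppb) {
    PicBuff *pb = ppb ? *ppb : NULL;
    if (!pb) return;
    for (int i = 0; i < pb->count; i++) {
        free_picture(pb->pics[i]);
        pb->pics[i] = NULL;
    }
    pb->count = 0;
    free(pb->pics);
    pb->pics = NULL;
    free(pb);
    *ppb = NULL;
}

PicBuff *create_pic_buff(int n, int w, int h) {
    if (n <= 0 || w <= 0 || h <= 0) return NULL;
    PicBuff *pb = calloc(1, sizeof *pb);
    if (!pb) return NULL;
    pb->pics = calloc((size_t)n, sizeof *pb->pics);
    if (!pb->pics) { free(pb); return NULL; }
    for (int i = 0; i < n; i++) {
        pb->pics[i] = alloc_picture(w, h);
        if (!pb->pics[i]) {               /* unwind a partial allocation */
            pb->count = i;
            destroy_pic_buff_safe(&pb);
            return NULL;
        }
    }
    pb->count = n;
    return pb;
}

/* Shrink the pool to new_count, releasing the tail. Refuses a destroyed or
 * null pool and an out-of-range target; returns the new count or -1. */
int decrease_pic_buff_safe(PicBuff *pb, int new_count) {
    if (!pb || !pb->pics || pb->count <= 0) return -1;
    if (new_count < 0 || new_count > pb->count) return -1;
    for (int i = new_count; i < pb->count; i++) {
        free_picture(pb->pics[i]);
        pb->pics[i] = NULL;
    }
    pb->count = new_count;
    return new_count;
}

/* The call order from the ASan stacks (create, destroy, then decrease)
 * replayed against the hardened functions: the decrease is rejected
 * instead of reading freed memory. */
int replay_create_destroy_decrease(void) {
    PicBuff *pb = create_pic_buff(4, 16, 16);
    if (!pb) return -2;
    destroy_pic_buff_safe(&pb);           /* pb is NULL from here on */
    return decrease_pic_buff_safe(pb, 2); /* -1: no pool left to shrink */
}

/* Normal path: a pool of four shrunk to two; returns 2 only if the
 * released slots were also cleared. */
int replay_normal_decrease(void) {
    PicBuff *pb = create_pic_buff(4, 16, 16);
    if (!pb) return -2;
    int n = decrease_pic_buff_safe(pb, 2);
    int cleared = (pb->pics[2] == NULL && pb->pics[3] == NULL);
    destroy_pic_buff_safe(&pb);
    return (n == 2 && cleared) ? 2 : -3;
}
```

Building this with `-fsanitize=address` and swapping the safe destroy for the buggy one in the replay reproduces the same "freed by ... previously allocated by ..." report shape as above, which is the quickest way to confirm a candidate fix in a resize path clears every reference it invalidates.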
Comment 1•6 years ago
The priority flag is not set for this bug.
:marcia, could you have a look please?
For more information, please visit auto_nag documentation.
A fix has been merged into master to fix this issue. Could you please check if it is done? Thanks.
Comment 3•6 years ago
(In reply to wayne from comment #2)
> A fix has been merged into master to fix this issue. Could you please check if it is done? Thanks.
Hi Wayne, this issue can no longer be reproduced with the attached test case using openh264 commit 8f83e0b.
Comment 4•6 years ago
Tyson: do you know what shipping version of OpenH264 this fix made it into? And what versions of Firefox have been updated with that version?
When you find out please update the "status firefox XX" fields in the tracking section above. Looks like both ESR-68 and nightly have version 1.8.1.1 updated last October, so if that's got the fix we're all good.
Comment 5•6 years ago
The regression window is https://github.com/cisco/openh264/compare/8533dd9daaaf3d7a51d9295686c31718ec3c946e...e5107994b0f8b5781570c96e7cf6a8e3f1576f56
1.8.1 was taken at https://github.com/cisco/openh264/compare/v1.8.1-Firefox39
This issue was introduced and resolved well after 1.8.1 (1.8.1.1 was a dummy release).