heap-buffer-overflow in [@ av_packet_ref]
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected |
firefox-esr102 | --- | unaffected |
firefox104 | --- | unaffected |
firefox105 | --- | unaffected |
firefox106 | --- | verified |
People
(Reporter: tsmith, Assigned: padenot)
References
(Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(3 files)
Found while fuzzing 20220825-ed1f1140d8bd (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.mp4 --time-limit 5
==19518==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600078217f at pc 0x55caae744787 bp 0x7f3f2f22d3c0 sp 0x7f3f2f22cb90
READ of size 523 at 0x61600078217f thread T96365 (MediaPD~oder #1)
#0 0x55caae744786 in __asan_memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x7f3f22f2cea4 in av_packet_ref /builds/worker/checkouts/gecko/media/ffvpx/libavcodec/avpacket.c:446:13
#2 0x7f3f22f9820f in avcodec_send_packet /builds/worker/checkouts/gecko/media/ffvpx/libavcodec/decode.c:592:15
#3 0x7f3f4c6182a3 in mozilla::FFmpegAudioDecoder<46465650>::DoDecode(mozilla::MediaRawData*, unsigned char*, int, bool*, nsTArray<RefPtr<mozilla::MediaData> >&) /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/FFmpegAudioDecoder.cpp:272:15
#4 0x7f3f4c61c37d in mozilla::FFmpegDataDecoder<46465650>::DoDecode(mozilla::MediaRawData*, bool*, nsTArray<RefPtr<mozilla::MediaData> >&) /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp:193:10
#5 0x7f3f4c61bb21 in mozilla::FFmpegDataDecoder<46465650>::ProcessDecode(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/FFmpegDataDecoder.cpp:147:20
#6 0x7f3f4c63234b in applyImpl<mozilla::FFmpegDataDecoder<46465650>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData *), StoreRefPtrPassByPtr<mozilla::MediaRawData>, 0UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#7 0x7f3f4c63234b in apply<mozilla::FFmpegDataDecoder<46465650>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData *)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#8 0x7f3f4c63234b in mozilla::detail::MethodCall<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData*), mozilla::FFmpegDataDecoder<46465650>, mozilla::MediaRawData*>::Invoke() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1518:47
#9 0x7f3f4c631e5d in mozilla::detail::ProxyRunnable<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, true> > (mozilla::FFmpegDataDecoder<46465650>::*)(mozilla::MediaRawData*), mozilla::FFmpegDataDecoder<46465650>, mozilla::MediaRawData*>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1538:42
#10 0x7f3f45bc54b6 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
#11 0x7f3f45bf01e2 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:310:14
#12 0x7f3f45be2aee in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#13 0x7f3f45bec744 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#14 0x7f3f47343b35 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#15 0x7f3f471c4901 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#16 0x7f3f471c4901 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#17 0x7f3f471c4901 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#18 0x7f3f45bd9c38 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#19 0x7f3f6d8d8b7e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#20 0x7f3f6e52c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
#21 0x7f3f6e0f3132 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
Comment 1•2 years ago
A Pernosco session is available here: https://pernos.co/debug/7hcaswhRDZOb3M6v5tZYOg/index.html
Comment 2•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220825222149-58735c4baea3.
The bug appears to have been introduced in the following build range:
Start: 498d812eb398285bb093ade3c2534e1400e3c7ee (20220823135059)
End: 654616a4627e7c9e54ec8cd261f783f2d252f7be (20220823150013)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=498d812eb398285bb093ade3c2534e1400e3c7ee&tochange=654616a4627e7c9e54ec8cd261f783f2d252f7be
Comment 3•2 years ago
Set release status flags based on info from the regressing bug 1765480
Comment 4•2 years ago
As a buffer overflow, I'll just go ahead and mark this sec-high.
Comment 5•2 years ago
ffmpeg update related.
Comment 6•2 years ago
Comment 7•2 years ago
Depends on D155971
Comment 8•2 years ago
Comment on attachment 9292265 [details]
Bug 1787281 - Don't consume packet when decoding audio using ffvpx and getting EAGAIN. r?alwu
Security Approval Request
- How easily could an exploit be constructed based on the patch?: This is a read of exactly one byte before an encoded media buffer. It's very unlikely to crash a regular build, but crashes with ASAN. It's always exactly one byte; this is not controllable.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: none
- If not all supported branches, which bug introduced the flaw?: Bug 1765480
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: N/A
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely; it's very clear what happens.
- Is Android affected?: Yes
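Editor's illustration of the EAGAIN contract the approval request above turns on (an added example, not Firefox's or FFmpeg's code). A stand-in decoder replaces libavcodec so it runs offline; the path that "consumes" a rejected packet by falling through with a -1 byte count is an assumed model of the bug, not a transcription of the patched code. Call feed_sample() with consume_on_eagain set to true and then false to compare the two behaviours.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a send/receive decoder whose input queue holds one packet:
 * sending while a frame is still pending yields EAGAIN (assumed model). */
typedef struct { bool pending; size_t accepted; } MockDecoder;

static int mock_send_packet(MockDecoder *d, const uint8_t *data, int size) {
  if (d->pending) return -EAGAIN;          /* rejected: packet NOT consumed */
  d->pending = true;
  d->accepted += (size_t)size;             /* bytes the decoder really took */
  return 0;
}

static int mock_receive_frame(MockDecoder *d) {
  if (!d->pending) return -EAGAIN;         /* nothing to drain */
  d->pending = false;
  return 0;
}

/* Feed one encoded sample to a decoder that still holds a frame from the
 * previous sample. Returns how many cursor updates left [0, len]; *accepted
 * receives the number of bytes the decoder actually took. */
static int feed_sample(const uint8_t *buf, size_t len, bool consume_on_eagain,
                       size_t *accepted) {
  MockDecoder d = { .pending = true, .accepted = 0 };
  long off = 0;                            /* read cursor into buf */
  int size = (int)len, oob = 0;
  while (size > 0) {
    int consumed = -1;                     /* sentinel: nothing accepted yet */
    int ret = mock_send_packet(&d, buf + off, size);
    if (ret == 0) {
      consumed = size;
    } else if (ret == -EAGAIN && !consume_on_eagain) {
      mock_receive_frame(&d);              /* drain, then resend the SAME packet */
      continue;                            /* cursor and size untouched */
    }
    /* Modelled bug: EAGAIN falls through with consumed == -1, so the cursor
     * moves to one byte before the buffer and the size grows by one: the
     * same shape as the ASan report above, a read starting one byte early. */
    off += consumed;
    size -= consumed;
    if (off < 0 || off + size > (long)len) { oob++; break; }
  }
  *accepted = d.accepted;
  return oob;
}
```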
Comment 9•2 years ago
Comment on attachment 9292265 [details]
Bug 1787281 - Don't consume packet when decoding audio using ffvpx and getting EAGAIN. r?alwu
Approved to land and request uplift
Comment 10•2 years ago
This is Nightly-only, I'm just going to land this, no need to uplift.
Comment 11•2 years ago
Don't consume packet when decoding audio using ffvpx and getting EAGAIN. r=alwu
https://hg.mozilla.org/integration/autoland/rev/91c73125d1903d76e3aa31e7884554bb97db36d6
https://hg.mozilla.org/mozilla-central/rev/91c73125d190
Add a test. r=alwu
https://hg.mozilla.org/integration/autoland/rev/a9ccc61706a2b418de28397dcb8ca4c8a3296901
https://hg.mozilla.org/mozilla-central/rev/a9ccc61706a2
Comment 12•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220908123603-65e0896af25d.
Comment 13•2 years ago
I also verified that this is fixed using the latest Nightly 107.0a1 ASan fuzz build (from today) and the latest Beta 106.0b8 ASan fuzz build on Ubuntu 22.04.
Comment 14•2 years ago
4 months ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2022-11-3].
padenot, please refer to the original comment to better understand the reason for the reminder.