this is misuse of realloc:
Tim, do you know if these have been addressed in libtheora?
I can't go through and re-check all of the links above to double-check, because the files no longer exist (and wouldn't be the same version if they did). I did a quick re-audit, and it appears that while most of the malloc/calloc/realloc usage got NULL checks added, one hunk was dropped. The following is upstream in the 1.2 development branch, but was not in the 1.1 release:
--- decinfo.c (revision 17275)
+++ decinfo.c (working copy)
@@ -128,6 +128,10 @@
+ return TH_EFAULT;
Josh asked me if we could close this bug. It had been long enough that I had forgotten what exactly had been reviewed, so I reviewed things again, and found the following problem @ media/libtheora/lib/state.c:586:
I.e., ref_frame_data was being allocated with oc_aligned_malloc(), and freed with _ogg_free() instead of oc_aligned_free() on error. This doesn't work (the aligned block is guaranteed to start after a block of memory returned by _ogg_malloc(), because it stores the alignment offset there).
This would only cause a problem if there was just enough memory to satisfy the reference frame allocation (just over 4.5 or 9 bytes per pixel) but not enough for the fragment buffer offets (1/16 or 1/8th byte per pixel). The size of the allocations is attacker-controlled, but nothing is stored in the buffers, so I don't see how this can be exploited, but it could cause a crash with libc's that don't validate pointers before trying to free them (e.g., glibc).
This was introduced in upstream commit r17563 and local commit 57091:af89c96d (Nov. 8th 2010), so it should affect everything from Firefox 4 onwards.
I've fixed this upstream in r18219. Patch for m-c forthcoming.
Created attachment 602536 [details] [diff] [review]
Fix mis-use of _ogg_free on allocation error path
Created attachment 602798 [details] [diff] [review]
Fix mis-use of _ogg_free on allocation error path v2
This version drops a couple of extraneous hunks (which I included in the upstream commit, but in order to keep this fix to a minimum, meant to exclude here). I'd dropped them from the update.sh patch, but not dropped the actual changes to the source files.
Greenish on try:
Carrying forward r=kinetik
I don't think there's any reason to keep this closed. This might be a potential DoS, but because we place limits on the maximum size of a video, the only way it can be triggered is by putting enough <video> tags on a page to actually run the system out of RAM, which would be a problem all by itself.