Closed
Bug 515376
Opened 15 years ago
Closed 15 years ago
missing index validation in dirac.c:dirac_parse_info()
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: conrad)
References
()
Details
(Whiteboard: [sg:investigate])
Attachments
(1 file)
11.33 KB,
text/x-c++src
|
Details |
http://mxr.mozilla.org/mozilla-central/source/media/liboggz/src/liboggz/dirac.c#153 153 info->video_format = video_format = dirac_uint( &bs ); /* index */ 154 155 info->width = dirac_fsize_tbl[video_format].width; 156 info->height = dirac_fsize_tbl[video_format].height; |dirac_uint| seems to return int32 without any bound checking so using it as index potentially may read memory or cause a crash. can't hit the code yet.
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:investigate]
Assignee | ||
Comment 1•15 years ago
|
||
Thanks for the report. I've added a check in upstream liboggz: commit 164e35e743e7681fbed34c66a015a779f73176f2 Author: Conrad Parker <conrad@metadecks.org> Date: Thu Sep 10 22:28:32 2009 +0900 Mozilla #515376: Check index in dirac_parse_info()
Comment 2•15 years ago
|
||
(In reply to comment #1) > Thanks for the report. I've added a check in upstream liboggz: I will pull this into bug 512327...
Updated•15 years ago
|
Assignee: nobody → conrad
Depends on: CVE-2009-3377
Reporter | ||
Comment 3•15 years ago
|
||
> commit 164e35e743e7681fbed34c66a015a779f73176f2
the patch on github seems sane to me.
Comment 4•15 years ago
|
||
Fixed on m-c by bug 511038.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: wanted1.9.2?
Resolution: --- → FIXED
Comment 5•15 years ago
|
||
(In reply to comment #4) > Fixed on m-c by bug 511038. I mean fixed by bug 512327.
We don't enable Dirac so this doesn't matter to us.
Flags: wanted1.9.2? → wanted1.9.2-
Comment 7•15 years ago
|
||
(In reply to comment #6) > We don't enable Dirac so this doesn't matter to us. We've disabled the Dirac decoding code, not the Dirac identification code. We actually can hit the code in question, as it's in liboggz's stream identification. Try loading this file: http://diracvideo.org/download/test-streams/ogg/sage-640x360.ogg and you'll hit the code.
ok
Flags: wanted1.9.2- → wanted1.9.2+
Reporter | ||
Comment 9•15 years ago
|
||
the code is reachable on 3.5, it is at least a crash and potentially can be exploitable - basically it is doing stuff with ptr[atoi()]. the short patch seems quite safe and dveditz can bless branch checkins.
Comment 10•15 years ago
|
||
This is fixed by bug 512327 on trunk and on 1.9.2 branch.
Reporter | ||
Comment 11•15 years ago
|
||
> This is fixed by bug 512327 on trunk and on 1.9.2 branch. it doesn't seem fixed on 1.9.1: https://hg.mozilla.org/releases/mozilla-1.9.1/ is this branch supported ?
Updated•15 years ago
|
blocking1.9.1: --- → ?
Comment 12•15 years ago
|
||
We work backwards -- trunk first (no users). If that looks good land on the current 1.9.2 dev branch (some alpha users). If that looks good we can land it on the stable 1.9.1 branch (millions of users). As it happens cpearce is landing 512327 on the 1.9.1 branch tonight, which is scary fast for the size of the patch.
blocking1.9.1: ? → .4+
status1.9.1:
--- → wanted
Reporter | ||
Comment 13•15 years ago
|
||
>As it happens cpearce is landing 512327 on the 1.9.1 branch tonight, which is >scary fast for the size of the patch. i meant backporting only this bug, the patch is very short: http://github.com/kfish/liboggz/commit/164e35e743e7681fbed34c66a015a779f73176f2
Comment 14•15 years ago
|
||
Fixed in 1.9.1.4 by bug 512327. (In reply to comment #13) > i meant backporting only this bug, the patch is very short: > > http://github.com/kfish/liboggz/commit/164e35e743e7681fbed34c66a015a779f73176f2 We're trying to reduce the number of patches we maintain on top of external libraries. In many ways they're unavoidable, but fewer patches on top of external libraries makes updating them easier. Thanks for the bug report!
Comment 15•15 years ago
|
||
Is there any way for QA to verify this fix for 1.9.1?
Comment 16•15 years ago
|
||
Load the file in the bug URL to exercise the code. To make sure this particular bug was fixed you'd need to construct a file with a bogus video format field--I'm not sure how easy it'd be to do that.
Reporter | ||
Comment 17•15 years ago
|
||
> I'm not sure how easy it'd be to do that.
off the top of my head there are too possible approach:
1. use hex editor
2. reencode with redefined constant.
i am trying with a hex editor.
Reporter | ||
Comment 18•15 years ago
|
||
i am having troubles with the hex editor approach. if i |memcpy| into the buffer i get the needed value. screwing the value with hex editor doesn't hit the breakpoint at all.
Comment 19•15 years ago
|
||
(In reply to comment #18) > i am having troubles with the hex editor approach. > > if i |memcpy| into the buffer i get the needed value. > > screwing the value with hex editor doesn't hit the breakpoint at all. When you change the contents of an Ogg file, it's page checksums become invalid, and the pages will be rejected by the decoder. Try using this attached C++ program after you've edited the file, it will recompute the checksums and, provided your file is otherwise valid, enable your edited file to get past the checksum check.
Updated•15 years ago
|
Group: core-security
Updated•15 years ago
|
Flags: wanted1.9.0.x-
You need to log in
before you can comment on or make changes to this bug.
Description
•