Bug 750327 - Opus crash invalid write [@quant_band]
Status: Closed (opened 13 years ago, closed 13 years ago)
Categories: Core :: Audio/Video, defect
Resolution: VERIFIED FIXED

Branch | Tracking | Status
---|---|---
firefox13 | --- | unaffected
firefox14 | --- | unaffected
firefox15 | + | fixed
firefox-esr10 | --- | unaffected
People: Reporter: posidron, Assigned: rillian
Keywords: crash, sec-critical, testcase
Whiteboard: [asan][sg:critical][advisory-tracking-]
Attachments: 2 files
Description: This bug might be affiliated with bug 750231 although the location seems to differ.
Updated 13 years ago: Group: core-security

Comment 1 (Reporter, 13 years ago)
Comment 2 (13 years ago): Haven't investigated too deeply, but this file does not crash opusdec (available from opus-tools: http://git.xiph.org/?p=users/greg/opus-tools.git).
Comment 3 (Reporter, 13 years ago): Sorry, should have mentioned that I have deactivated the checksum verification inside the source.
Comment 4 (Reporter, 13 years ago): Same here. This bug has [asan] in the whiteboard. You will need to test it with an ASAN build of Firefox or compile the decoder with ASAN.
Updated by Reporter 13 years ago: Blocks: fuzzing-opus

Updated 13 years ago: Keywords: sec-critical
Comment 5 (13 years ago): AFAIK opus only recently landed in m-c, so we shouldn't need this fix in releases prior to Firefox 15.
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → affected
tracking-firefox15: --- → +
Comment 6 (Assignee, 13 years ago): It should be fixed before the Firefox 15 uplift to Aurora, so we can give the preview wider deployment. Note that the code in question is pref'd off by default.
I was stuck for a while getting a working ASAN build so I could debug directly. I've resolved that with :decoder's help, so I hope to get to this soon.
Assignee: nobody → giles

Updated 13 years ago: status-firefox13: --- → unaffected
Comment 7 (Assignee, 13 years ago): I can no longer reproduce this with today's inbound. The stream is now properly rejected by the decoder. Looks like derf's commit 95377:010313752c64 for bug 759612 fixed it.
Comment 8 (Assignee, 13 years ago): Specifically, this check in nsOpusCodec::ReconstructOpusGranulepos() blocks decoding the testcase:

    if (!mDoneReadingHeaders && GetOpusDeltaGP(mUnstamped[0]) > gp)
      return false;
Comment 9 (Assignee, 13 years ago): And only that check.
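As an added illustration (not Firefox's nsOpusCodec code or libopus), here is a granulepos reconstruction of the kind comments 8 and 9 refer to: per-packet positions are back-computed from the page's granulepos, and a first data page whose granulepos is smaller than its first packet's duration is rejected. It assumes the packets of a page are passed in order, that page_gp is the last packet's granulepos, and that packet durations follow the TOC byte layout of RFC 6716; the reading of the Firefox check as guarding against exactly that underflow is an assumption.

```python
# Added illustration, not Firefox's nsOpusCodec or libopus code: reconstruct
# per-packet Ogg Opus granule positions from a page's granulepos and reject a
# first data page whose granulepos is smaller than its first packet's duration
# (assumed to be what the check quoted in comment 8 catches; RFC 6716 TOC rules).

def opus_frame_samples(toc: int, fs: int = 48000) -> int:
    """Samples per frame encoded in the TOC byte."""
    if toc & 0x80:                         # CELT-only: 2.5, 5, 10, 20 ms
        return (fs << ((toc >> 3) & 0x3)) // 400
    if (toc & 0x60) == 0x60:               # Hybrid: 10 or 20 ms
        return fs // 50 if toc & 0x08 else fs // 100
    code = (toc >> 3) & 0x3                # SILK-only: 10, 20, 40, 60 ms
    return fs * 60 // 1000 if code == 3 else (fs << code) // 100

def opus_packet_frames(packet: bytes) -> int:
    """Frame count from the low two TOC bits; code 3 carries a count byte."""
    count_code = packet[0] & 0x3
    if count_code == 0:
        return 1
    if count_code == 3:
        if len(packet) < 2:
            raise ValueError("code 3 packet is missing its frame count byte")
        return packet[1] & 0x3F
    return 2

def opus_delta_gp(packet: bytes) -> int:
    """Duration of one packet in 48 kHz samples, i.e. its granulepos delta."""
    if not packet:
        raise ValueError("empty packet")
    return opus_frame_samples(packet[0]) * opus_packet_frames(packet)

def reconstruct_granulepos(packets, page_gp: int, first_data_page: bool):
    """Return a granulepos per packet, or None to reject the page.
    page_gp is the last packet's granulepos. On the first data page it must
    cover at least the first packet, or the back-computed positions would go
    negative, i.e. the page would claim audio before the stream's start."""
    if first_data_page and opus_delta_gp(packets[0]) > page_gp:
        return None
    positions = [0] * len(packets)
    gp = page_gp
    for i in range(len(packets) - 1, -1, -1):   # walk back from the last packet
        positions[i] = gp
        gp -= opus_delta_gp(packets[i])
    return positions

# Constructed sample: three 20 ms CELT packets (TOC 0xF8, 960 samples each).
GOOD_PAGE = ([b"\xf8\x00"] * 3, 2880)   # accepted: [960, 1920, 2880]
BAD_PAGE = ([b"\xf8\x00"] * 3, 100)     # rejected on a first data page
```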
Updated by Reporter 13 years ago: Status: RESOLVED → VERIFIED
Comment 10 (13 years ago): Fixed by bug 759612, which is resolved in FF15. Marking flags to match.
Updated 13 years ago: Whiteboard: [asan][sg:critical] → [asan][sg:critical][advisory-tracking+]
Updated 13 years ago: Whiteboard: [asan][sg:critical][advisory-tracking+] → [asan][sg:critical][advisory-tracking-]
Updated 13 years ago: Group: core-security