Opus crash invalid write [@quant_band]

Status: VERIFIED FIXED
Type: defect
Severity: critical
Reported / last modified: 7 years ago

People

(Reporter: posidron, Assigned: rillian)

Tracking

({crash, sec-critical, testcase})

Version: unspecified
Platform: x86_64 macOS

Firefox Tracking Flags

(firefox13 unaffected, firefox14 unaffected, firefox15+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [asan][sg:critical][advisory-tracking-])

Attachments

(2 attachments)

Posted file testcase
This bug might be affiliated with bug 750231 although the location seems to differ.
Group: core-security
Posted file callstack
Haven't investigated too deeply, but this file does not crash opusdec (available from opus-tools: http://git.xiph.org/?p=users/greg/opus-tools.git).
Sorry, should have mentioned that I have deactivated the checksum verification inside the source.
Same here. This bug has [asan] in whiteboard. You will need to test it with an ASAN build of Firefox or compile the decoder with ASAN.
Blocks: fuzzing-opus
AFAIK opus only recently landed in m-c so we shouldn't need this fix in releases prior to Firefox 15
It should be fixed before the Firefox 15 uplift to Aurora, so we can give the preview wider deployment. Note that the code in question is pref'd off by default.

I was stuck for a while getting a working ASAN build so I could debug directly. I've resolved that with :decoder's help, so I hope to get to this soon.
Assignee: nobody → giles
I can no longer reproduce this with today's inbound. The stream is now properly rejected by the decoder. Looks like derf's commit 95377:010313752c64 for bug 759612 fixed it.
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 759612
Resolution: --- → FIXED
Specifically, this check in nsOpusCodec::ReconstructOpusGranulepos() blocks decoding the testcase:

// While headers are still being read, reject a page whose packets decode to
// more samples than its granule position accounts for.
if (!mDoneReadingHeaders && GetOpusDeltaGP(mUnstamped[0]) > gp)
  return false;
And only that check.
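To make the rejected condition concrete, here is an added example (not Firefox or libopus code) that models the same sanity check: packet durations are derived from the Opus TOC byte as laid out in RFC 6716 section 3.1, and a first audio page whose granule position (48 kHz samples) is smaller than the audio its packets carry is rejected. The page data below is constructed, and the function names are this example's own.

```python
# Added example, not Firefox or libopus code: model the granulepos sanity check.
# Packet durations come from the Opus TOC byte (RFC 6716 section 3.1); an Ogg
# page's granule position counts 48 kHz samples up to the end of that page.

def opus_samples_per_frame(toc: int, fs: int = 48000) -> int:
    """Samples per frame encoded by the TOC byte (mirrors the RFC 6716 table)."""
    if toc & 0x80:                      # CELT-only: 2.5 / 5 / 10 / 20 ms
        return (fs << ((toc >> 3) & 0x3)) // 400
    if (toc & 0x60) == 0x60:            # Hybrid: 10 or 20 ms
        return fs // 50 if toc & 0x08 else fs // 100
    size = (toc >> 3) & 0x3             # SILK-only: 10 / 20 / 40 / 60 ms
    return fs * 60 // 1000 if size == 3 else (fs << size) // 100

def opus_packet_samples(pkt: bytes, fs: int = 48000) -> int:
    """Total samples in one packet; raise ValueError for a malformed TOC."""
    if not pkt:
        raise ValueError("empty packet")
    code = pkt[0] & 0x3                 # frame-count code, bits 0..1
    if code == 0:
        frames = 1
    elif code != 3:
        frames = 2
    else:
        if len(pkt) < 2:
            raise ValueError("code 3 packet without frame count byte")
        frames = pkt[1] & 0x3F
        if frames == 0:
            raise ValueError("code 3 packet with zero frames")
    samples = frames * opus_samples_per_frame(pkt[0], fs)
    if samples > fs * 120 // 1000:      # RFC 6716: a packet may not exceed 120 ms
        raise ValueError("packet longer than 120 ms")
    return samples

def first_page_ok(packets, granulepos: int) -> bool:
    """The quoted check in spirit: the first audio page's granule position
    must cover every sample its packets decode to (delta <= gp)."""
    delta = sum(opus_packet_samples(p) for p in packets)
    return delta <= granulepos

# Constructed inputs: TOC 0xFC = CELT fullband, 20 ms, code 0 -> 960 samples.
GOOD_PAGE = ([b"\xfc" + b"\x00" * 10] * 2, 1920)   # gp covers 2 * 960 samples
BAD_PAGE = ([b"\xfc" + b"\x00" * 10] * 2, 960)     # gp smaller than the audio

if __name__ == "__main__":
    print("good page accepted:", first_page_ok(*GOOD_PAGE))
    print("bad page accepted:", first_page_ok(*BAD_PAGE))
```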
Status: RESOLVED → VERIFIED
Fixed by bug 759612, which is resolved in FF15. Marking flags to match.
Whiteboard: [asan][sg:critical] → [asan][sg:critical][advisory-tracking+]
Whiteboard: [asan][sg:critical][advisory-tracking+] → [asan][sg:critical][advisory-tracking-]
Group: core-security