Closed
Bug 958929
Opened 10 years ago
Closed 10 years ago
OpenH264: global-buffer-overflow crash [@WelsDec::CheckIntraChromaPredMode]
Categories
(Core :: WebRTC: Audio/Video, defect)
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox30 | --- | disabled |
firefox-esr24 | --- | unaffected |
People
(Reporter: posidron, Unassigned)
References
(Blocks 1 open bug)
Details
(5 keywords)
Crash Data
Attachments
(2 files)
codec/decoder/core/src/parse_mb_syn_cavlc.cpp:437

```cpp
#define CHECK_CHROMA_MODE(a, b, c, d) \
  ((a == g_ksChromaPredInfo[a].iPredMode) && \
   (b >= g_ksChromaPredInfo[a].iLeftAvail) && \
   (c >= g_ksChromaPredInfo[a].iTopAvail) && \
   (d >= g_ksChromaPredInfo[a].iLeftTopAvail));

int32_t CheckIntraChromaPredMode (uint8_t uiSampleAvail, int8_t* pMode) {
  [...]
  if (*pMode > MAX_PRED_MODE_ID_CHROMA) {
    return ERR_INFO_INVALID_I_CHROMA_PRED_MODE;
  }
  [...]
* bool_t bModeAvail = CHECK_CHROMA_MODE (*pMode, iLeftAvail, iTopAvail, bLeftTopAvail);
  [...]
}
```

Tested with https://github.com/cisco/openh264/commit/4a8a9aabc1
Comment 1 • 10 years ago (Reporter)
Updated • 10 years ago (Reporter)
Component: Video/Audio → WebRTC: Audio/Video
Updated • 10 years ago (Reporter)
Blocks: fuzzing-openh264
Root cause found: an error in type conversion from long to short bits without detection. The pull request can be seen at https://github.com/cisco/openh264/pull/146
Hi Christoph: fix it. Could you verify it on the cisco/master branch? Thanks!
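An added illustration (not code from the bug report or from OpenH264) of how the upper-bound-only check on a signed `int8_t` mode in the excerpt above accepts a negative value produced by an unchecked narrowing conversion, next to a variant that range-checks before narrowing. The value 3 for the constant, the table length, the helper names, and the assumption that the out-of-range index was negative are not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for this sketch: H.264 chroma prediction modes are 0..3, so the
 * lookup table has 4 entries. The project's real definitions may differ. */
#define MAX_PRED_MODE_ID_CHROMA 3
#define CHROMA_TABLE_LEN (MAX_PRED_MODE_ID_CHROMA + 1)

/* Unchecked narrowing of a wider parsed value to int8_t (two's complement
 * wrap of the low byte, written out so the result is portable). */
static int8_t narrow_unchecked(uint32_t parsed) {
    int low = (int)(parsed & 0xFFu);
    return (int8_t)(low >= 128 ? low - 256 : low);
}

/* Same shape as the check in the excerpt: only the upper bound is tested. */
static int accepts_upper_bound_only(int8_t mode) {
    return !(mode > MAX_PRED_MODE_ID_CHROMA);
}

/* True when idx is a valid index into a table of CHROMA_TABLE_LEN entries. */
static int index_in_table(int idx) {
    return idx >= 0 && idx < CHROMA_TABLE_LEN;
}

/* Hardened variant: range-check the wide value before narrowing it. */
static int parse_mode_checked(uint32_t parsed, int8_t *out) {
    if (parsed > MAX_PRED_MODE_ID_CHROMA)
        return 0;
    *out = (int8_t)parsed;
    return 1;
}

int main(void) {
    /* Constructed sample values, not taken from a real bitstream. */
    const uint32_t samples[] = {2u, 4u, 0xFFu, 0x1F0u};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int8_t m = narrow_unchecked(samples[i]);
        int8_t checked = 0;
        printf("parsed=0x%X narrowed=%d weak_check=%s index_ok=%s hardened=%s\n",
               (unsigned)samples[i], m,
               accepts_upper_bound_only(m) ? "accept" : "reject",
               index_in_table(m) ? "yes" : "NO",
               parse_mode_checked(samples[i], &checked) ? "accept" : "reject");
    }
    return 0;
}
```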
Comment 4 • 10 years ago (Reporter)
Fixed. Tested with https://github.com/cisco/openh264/commit/fcd7a13816
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 5 • 10 years ago
What versions of Firefox were affected by this? What version took the github fix into it (if any yet)?
status-firefox27: --- → ?
status-firefox28: --- → ?
status-firefox29: --- → ?
status-firefox30: --- → ?
Updated • 10 years ago
status-firefox27: ? → ---
status-firefox28: ? → ---
status-firefox29: ? → ---
status-firefox-esr24: --- → unaffected
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release