958929 - OpenH264: global-buffer-overflow crash [@WelsDec::CheckIntraChromaPredMode]

Status: RESOLVED FIXED

(Core :: WebRTC: Audio/Video, defect)

Description

[Christoph Diehl [:posidron]]

Attachment: testcase.264

codec/decoder/core/src/parse_mb_syn_cavlc.cpp:437

#define CHECK_CHROMA_MODE(a, b, c, d)                                \
                         ((a == g_ksChromaPredInfo[a].iPredMode) &&  \
                          (b >= g_ksChromaPredInfo[a].iLeftAvail) && \
                          (c >= g_ksChromaPredInfo[a].iTopAvail) &&  \
                          (d >= g_ksChromaPredInfo[a].iLeftTopAvail));

int32_t CheckIntraChromaPredMode (uint8_t uiSampleAvail, int8_t* pMode) {
  [...]
  if (*pMode > MAX_PRED_MODE_ID_CHROMA) {
    return ERR_INFO_INVALID_I_CHROMA_PRED_MODE;
  }
  [...]
*   bool_t bModeAvail = CHECK_CHROMA_MODE (*pMode, iLeftAvail, iTopAvail, bLeftTopAvail);
  [...]
}


Tested with https://github.com/cisco/openh264/commit/4a8a9aabc1

Comment 1

[Christoph Diehl [:posidron]]

Attachment: callstack

Comment 2

[wayne]

root cause found, error type conversion from long to short bits without detection.
pull request can be seen via 
https://github.com/cisco/openh264/pull/146

Comment 3

[wayne]

Hi Christoph:
   fix it. Could you verify it on cisco/master branch? thanks!

Comment 4

[Christoph Diehl [:posidron]]

Fixed.

Tested with https://github.com/cisco/openh264/commit/fcd7a13816

Comment 5

[Al Billings [:abillings - ex-MoCo]]

What versions of Firefox were affected by this? What version took the github fix into it (if any yet)?