Closed Bug 958929 Opened 10 years ago Closed 10 years ago

OpenH264: global-buffer-overflow crash [@WelsDec::CheckIntraChromaPredMode]

Categories

(Core :: WebRTC: Audio/Video, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox30 --- disabled
firefox-esr24 --- unaffected

People

(Reporter: posidron, Unassigned)

Attached file testcase.264
codec/decoder/core/src/parse_mb_syn_cavlc.cpp:437

#define CHECK_CHROMA_MODE(a, b, c, d)                                \
                         ((a == g_ksChromaPredInfo[a].iPredMode) &&  \
                          (b >= g_ksChromaPredInfo[a].iLeftAvail) && \
                          (c >= g_ksChromaPredInfo[a].iTopAvail) &&  \
                          (d >= g_ksChromaPredInfo[a].iLeftTopAvail));

int32_t CheckIntraChromaPredMode (uint8_t uiSampleAvail, int8_t* pMode) {
  [...]
  if (*pMode > MAX_PRED_MODE_ID_CHROMA) {
    return ERR_INFO_INVALID_I_CHROMA_PRED_MODE;
  }
  [...]
*   bool_t bModeAvail = CHECK_CHROMA_MODE (*pMode, iLeftAvail, iTopAvail, bLeftTopAvail);
  [...]
}


Tested with https://github.com/cisco/openh264/commit/4a8a9aabc1
Attached file callstack
Component: Video/Audio → WebRTC: Audio/Video
Root cause found: an erroneous type conversion from long to short bits without detection.
Pull request can be seen via
https://github.com/cisco/openh264/pull/146
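
An added illustration (not OpenH264 code and not the change made in the pull request above) of how an upper-bound-only check like the one in the excerpt can pass after a wider parsed value has been narrowed to int8_t, next to a check made on the wide value before narrowing. The table, the constant values and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this example; not copied from the OpenH264 source. */
#define MAX_PRED_MODE_ID_CHROMA 3
#define ERR_NONE 0
#define ERR_INFO_INVALID_I_CHROMA_PRED_MODE 1

/* Hypothetical stand-in for g_ksChromaPredInfo: one entry per valid mode. */
static const int8_t kChromaPredTable[MAX_PRED_MODE_ID_CHROMA + 1] = {0, 1, 2, 3};

/* The table index produced when a wide parsed value is narrowed to int8_t.
 * Out-of-range narrowing is implementation-defined; gcc and clang wrap. */
int narrowed_index(uint32_t parsed) {
  return (int)(int8_t)parsed;
}

/* Upper-bound-only check on the narrowed value, shaped like the excerpt.
 * Returns 1 when the value would go on to be used as an index. */
int narrowed_check_accepts(uint32_t parsed) {
  int8_t mode = (int8_t)parsed;
  if (mode > MAX_PRED_MODE_ID_CHROMA)
    return 0;
  return 1; /* negative values, and wide values that wrap into 0..3, land here */
}

/* Range-check the wide value before narrowing, then index. */
int32_t checked_chroma_mode(uint32_t parsed, int8_t* out_mode) {
  if (parsed > MAX_PRED_MODE_ID_CHROMA)
    return ERR_INFO_INVALID_I_CHROMA_PRED_MODE;
  *out_mode = kChromaPredTable[parsed];
  return ERR_NONE;
}

int main(void) {
  /* Constructed inputs: two valid modes, one just out of range, three that wrap. */
  const uint32_t samples[] = {0, 3, 4, 0xFF, 0x80, 0x102};
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    int8_t mode = -1;
    int32_t rc = checked_chroma_mode(samples[i], &mode);
    printf("parsed=0x%03x narrowed_index=%4d old_check=%s new_check=%s\n",
           (unsigned)samples[i], narrowed_index(samples[i]),
           narrowed_check_accepts(samples[i]) ? "accept" : "reject",
           rc == ERR_NONE ? "accept" : "reject");
  }
  return 0;
}
```
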
Hi Christoph:
   Fixed it. Could you verify it on the cisco/master branch? Thanks!
Fixed.

Tested with https://github.com/cisco/openh264/commit/fcd7a13816
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
What versions of Firefox were affected by this? What version took the github fix into it (if any yet)?
Group: core-security → core-security-release
Group: core-security-release