Closed Bug 958958 Opened 12 years ago Closed 12 years ago

OpenH264: global-buffer-overflow crash [@WelsDec::IdctResAddPred_c]

Categories

(Core :: WebRTC: Audio/Video, defect)

Product:
Core
Component:
WebRTC: Audio/Video
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox30 --- disabled
firefox-esr24 --- unaffected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Attachments

(2 files)

testcase.264
69.82 KB, application/octet-stream
Details
callstack
2.61 KB, text/plain
Details
Attached file testcase.264
Similar to https://bugzilla.mozilla.org/show_bug.cgi?id=958935 but has a different stack and uses kiStride2. codec/decoder/core/src/decode_mb_aux.cpp:102 void_t IdctResAddPred_c (uint8_t* pPred, const int32_t kiStride, int16_t* pRs) { [...] const int32_t kiStride2 = kiStride << 1; [...] pDst[i + kiStride2] = pClip[ ((32 + kT1 - kT2) >> 6) + pDst[i + kiStride2] ]; [...] } Tested with https://github.com/cisco/openh264/commit/4a8a9aabc1
Attached file callstack
Component: Video/Audio → WebRTC: Audio/Video
Blocks: fuzzing-openh264
root cause found, reason same as 958948, pull request can be seen via https://github.com/cisco/openh264/pull/146
Hi Christoph: fix it. Could you verify it on cisco/master branch? thanks!
Fixed. Tested with https://github.com/cisco/openh264/commit/fcd7a13816
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
What versions of Firefox were affected by this? What version took the github fix into it (if any yet)?
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: