Closed
Bug 958988
Opened 11 years ago
Closed 11 years ago
OpenH264: stack-buffer-overflow crash [@WelsSVCEnc::RcInitTlWeight]
Categories
(Core :: WebRTC: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
People
(Reporter: posidron, Unassigned)
References
(Blocks 1 open bug)
Details
(5 keywords)
Attachments
(3 files)
codec/encoder/core/src/ratectl.cpp:196
void RcInitTlWeight (sWelsEncCtx* pEncCtx) {
SWelsSvcRc* pWelsSvcRc = &pEncCtx->pWelsSvcRc[pEncCtx->uiDependencyId];
SRCTemporal* pTOverRc = pWelsSvcRc->pTemporalOverRc;
SDLayerParam* pDLayerParam = &pEncCtx->pSvcParam->sDependencyLayers[pEncCtx->uiDependencyId];
const int32_t kiDecompositionStages = pDLayerParam->iDecompositionStages;
const int32_t kiHighestTid = pDLayerParam->iHighestTemporalId;
[...]
n = 0;
while (n <= kiHighestTid) {
* pTOverRc[n].dTlayerWeight = WeightArray[kiDecompositionStages][n];
++ n;
}
To reproduce do:
./h264enc welsenc_fuzz.cfg
Happened accidentally while auto generating a new configuration.
Tested with https://github.com/cisco/openh264/commit/4a8a9aabc1
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
|
|
Reporter | |
Comment 3•11 years ago
|
||
|
||
Comment 4•11 years ago
|
||
Taking a quick look at this, it appears that this may be a bogus configuration. Which isn't to say it should crash :)
|
|
Reporter | |
Comment 5•11 years ago
|
||
I am yet unclear about what all these flags exactly do but I believe it is related to the GOPSize entry.
Using 16 here crashes, whereby 4 makes no trouble.
|
|
Reporter | |
Updated•11 years ago
|
Component: Video/Audio → WebRTC: Audio/Video
|
|
Reporter | |
Updated•11 years ago
|
Blocks: fuzzing-openh264
I checked code, there is no overflows for "WeightArray" variable.
is it a false positive? I found the blew hint when running code.
" HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)"
|
|
Reporter | |
Comment 7•11 years ago
|
||
(In reply to karina from comment #6)
> is it a false positive? I found the blew hint when running code.
Seems possible, "kiHighestTid" and "kiDecompositionStages" are both 4.
Can we add some code to prevent ASan from complaining about it?
|
|
Reporter | |
Comment 8•11 years ago
|
||
Wait. It's late here. Shouldn't that be:
while (n < kiHighestTid) {
...
}
got it. I found the root cause for this.
there is some potential issues to support GOPsize = 16. We will discuss whether we close GOPsize = 16.
will update it later. thanks for you help.
|
||
Comment 10•11 years ago
|
||
Hi Christoph:
fix it. Could you verify it on cisco/master branch? thanks!
|
|
Reporter | |
Comment 11•11 years ago
|
||
Fixed.
Tested with https://github.com/cisco/openh264/commit/de935a523
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-firefox-esr24:
--- → unaffected
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•