Closed Bug 960932 Opened 11 years ago Closed 10 years ago

OpenH264: global-buffer-overflow crash [@WelsDec::WelsResidualBlockCavlc]

Categories

(Core :: WebRTC: Audio/Video, defect)

Product:
Core
Component:
WebRTC: Audio/Video
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox30 --- disabled
firefox-esr24 --- unaffected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Attachments

(2 files)

testcase.264
48.18 KB, application/octet-stream
Details
callstack
2.41 KB, text/plain
Details
Attached file testcase.264 
wayne fixed the root cause of the crash in his 'fix-sanitize-error branch' so this seems to be of different origin.

codec/decoder/core/src/parse_mb_syn_cavlc.cpp:780

  int32_t WelsResidualBlockCavlc (...) {
    [...]
    } else if (iResidualProperty == I16_LUMA_DC) { //DC coefficent, only call in Intra_16x16, base_mode_flag = 0
      for (i = uiTotalCoeff - 1; i >= 0; --i) { //FIXME merge into rundecode?
        int32_t j;
        iCoeffNum += iRun[i] + 1; //FIXME add 1 earlier ?
        j          = kpZigzagTable[ iCoeffNum ];
*       pTCoeff[j] = iLevel[i];
      }
   [...]

Tested with https://github.com/licaiguo/openh264/commit/ff00044c04
Blocks: fuzzing-openh264
Attached file callstack 

    
    

    
  
Hi Christoph, this part has been code reviewed and fixed by our colleague last week, but not uploaded in time. Will pull a request ASAP.

    
    

    
  
root cause found, i.e., in CAVLC decoding, the run_before value may exceeds the valid data. Add a boundary check. pull request can be found by https://github.com/cisco/openh264/pull/168

    
    

    
  
Hi Christoph:
   fix it. Could you verify it on cisco/master branch? thanks!

    
    

    
  
Fixed.

Tested with https://github.com/cisco/openh264/commit/fcd7a13816
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED

    
    

    
  
What versions of Firefox were affected by this? What version took the github fix into it (if any yet)?

          status-firefox27:
          --- → ?

          status-firefox28:
          --- → ?

          status-firefox29:
          --- → ?

          status-firefox30:
          --- → ?

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: