960932 - OpenH264: global-buffer-overflow crash [@WelsDec::WelsResidualBlockCavlc]

Status: RESOLVED FIXED

(Core :: WebRTC: Audio/Video, defect)

Description

[Christoph Diehl [:posidron]]

Attachment: testcase.264

wayne fixed the root cause of the crash in his 'fix-sanitize-error branch' so this seems to be of different origin.

codec/decoder/core/src/parse_mb_syn_cavlc.cpp:780

  int32_t WelsResidualBlockCavlc (...) {
    [...]
    } else if (iResidualProperty == I16_LUMA_DC) { //DC coefficent, only call in Intra_16x16, base_mode_flag = 0
      for (i = uiTotalCoeff - 1; i >= 0; --i) { //FIXME merge into rundecode?
        int32_t j;
        iCoeffNum += iRun[i] + 1; //FIXME add 1 earlier ?
        j          = kpZigzagTable[ iCoeffNum ];
*       pTCoeff[j] = iLevel[i];
      }
   [...]

Tested with https://github.com/licaiguo/openh264/commit/ff00044c04

Comment 1

[Christoph Diehl [:posidron]]

Attachment: callstack

Comment 2

[wayne]

Hi Christoph, this part has been code reviewed and fixed by our colleague last week, but not uploaded in time. Will pull a request ASAP.

Comment 3

[wayne]

root cause found, i.e., in CAVLC decoding, the run_before value may exceeds the valid data. Add a boundary check. pull request can be found by https://github.com/cisco/openh264/pull/168

Comment 4

[wayne]

Hi Christoph:
   fix it. Could you verify it on cisco/master branch? thanks!

Comment 5

[Christoph Diehl [:posidron]]

Fixed.

Tested with https://github.com/cisco/openh264/commit/fcd7a13816

Comment 6

[Al Billings [:abillings - ex-MoCo]]

What versions of Firefox were affected by this? What version took the github fix into it (if any yet)?