Closed Bug 963483 Opened 8 years ago Closed 8 years ago

OpenH264: global-buffer-overflow crash [@WelsDec::DeblockingInterMb]

Categories

(Core :: WebRTC: Audio/Video, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox30 --- disabled
firefox-esr24 --- unaffected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(2 files)

Attached file testcase.264
codec/decoder/core/src/deblocking.cpp:279

  void_t FilteringEdgeLumaH (SDeblockingFilter* pFilter, uint8_t* pPix, int32_t iStride, uint8_t* pBS) {
    int32_t iIndexA;
    int32_t iAlpha;
    int32_t iBeta;
    FORCE_STACK_ALIGN_1D (int8_t, tc, 4, 16);

    GET_ALPHA_BETA_FROM_QP (pFilter->iLumaQP, pFilter->iSliceAlphaC0Offset, pFilter->iSliceBetaOffset, iIndexA, iAlpha,
                            iBeta);

    if (iAlpha | iBeta) {
*     TC0_TBL_LOOKUP (tc, iIndexA, pBS, 0);
      pFilter->pLoopf->pfLumaDeblockingLT4Ver (pPix, iStride, iAlpha, iBeta, tc);
    }
    return;
  }

Tested with https://github.com/cisco/openh264/commit/fcd7a13816
Attached file callstack.txt
Will look into this. But it may need some time.
Hi Christoph, the root cause is found to be the same as 963602, which is already fixed in our local test for syntax checking. It is due to the erroneous iSliceAlphaC0Offset parse leading to invalid array access. Will be updated after the checking code is reviewed.
Hi Christoph, the bug has been fixed in the cisco master branch.
Could you please check it? Thanks.
Testcase in ASan/UBSan build shows:

codec/decoder/core/inc/dec_golomb.h:176:5: runtime error: left shift of 15131 by 19 places cannot be represented in type 'int'

global-buffer-overflow crash is fixed.

Tested with https://github.com/cisco/openh264/commit/d468404822
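As an added illustration of the two defects discussed in this thread (this is example code, not OpenH264's code and not the fix in the commits linked above), the C sketch below shows the checks a decoder needs at these two points: rejecting a slice_alpha_c0_offset_div2 / slice_beta_offset_div2 outside the range the spec allows before it can feed an out-of-bounds tC0 lookup, and an Exp-Golomb reader that refuses a prefix long enough to make the shift undefined. The bit reader, the function names and the sample bitstreams are constructed for this example; the value ranges, the indexA derivation and the tC0 table follow H.264 clauses 7.4.3, 8.7.2.2, 9.1 and Table 8-17, transcribed here from the standard.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal MSB-first bit reader (constructed for this example, not OpenH264's). */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } BitReader;

static int read_bit(BitReader *br) {
    if (br->pos >= br->len * 8) return -1;                 /* truncated stream */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v), H.264 9.1: leadingZeroBits zeros, a 1, then leadingZeroBits info bits;
 * codeNum = 2^leadingZeroBits - 1 + info. Capping the prefix at 31 keeps every shift
 * representable: shifting a 32-bit value by 32 or more places is undefined behaviour,
 * the class of error UBSan reported in dec_golomb.h above. */
bool read_ue(BitReader *br, uint32_t *out) {
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31) return false;                    /* overlong prefix: reject */
    if (bit < 0) return false;                             /* ran out of data */
    uint32_t info = 0;
    for (int i = 0; i < zeros; i++) {
        if ((bit = read_bit(br)) < 0) return false;
        info = (info << 1) | (uint32_t)bit;
    }
    *out = ((uint32_t)1 << zeros) - 1 + info;              /* <= 2^32 - 2, cannot wrap */
    return true;
}

/* se(v), H.264 9.1.1: codeNum k maps to (-1)^(k+1) * Ceil(k / 2). */
bool read_se(BitReader *br, int32_t *out) {
    uint32_t k;
    if (!read_ue(br, &k)) return false;
    int64_t mag = ((int64_t)k + 1) / 2;                    /* 64-bit so k + 1 cannot wrap */
    if (mag > INT32_MAX) return false;
    *out = (int32_t)((k & 1) ? mag : -mag);
    return true;
}

/* H.264 7.4.3: slice_alpha_c0_offset_div2 and slice_beta_offset_div2 are se(v) and shall
 * be in [-6, 6]; FilterOffsetA/B = offset_div2 << 1. A non-conforming value is rejected
 * here instead of being stored, which is the syntax check the root-cause comment refers to. */
bool parse_deblock_offsets(BitReader *br, int32_t *filter_offset_a, int32_t *filter_offset_b) {
    int32_t a, b;
    if (!read_se(br, &a) || !read_se(br, &b)) return false;
    if (a < -6 || a > 6 || b < -6 || b > 6) return false;
    *filter_offset_a = a * 2;
    *filter_offset_b = b * 2;
    return true;
}

static int32_t clip3(int32_t lo, int32_t hi, int32_t v) { return v < lo ? lo : (v > hi ? hi : v); }

/* tC0 from H.264 Table 8-17: rows indexA 0..51, columns bS 1..3. */
static const uint8_t TC0[52][3] = {
    {0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},
    {0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},{0,0,0},
    {0,0,1},{0,0,1},{0,0,1},{0,0,1},{0,1,1},{0,1,1},{1,1,1},{1,1,1},{1,1,1},{1,1,1},
    {1,1,2},{1,1,2},{1,1,2},{1,1,2},{1,2,3},{1,2,3},{2,2,3},{2,2,4},{2,3,4},{2,3,4},
    {3,3,5},{3,4,6},{3,4,6},{4,5,7},{4,5,8},{4,6,9},{5,7,10},{6,8,11},{6,8,13},
    {7,10,14},{8,11,16},{9,12,18},{10,13,20},{11,15,23},{13,17,25},
};

/* H.264 8.7.2.2: qPav = (qPp + qPq + 1) >> 1, indexA = Clip3(0, 51, qPav + FilterOffsetA).
 * The Clip3 keeps indexA inside the table even at the edges of the allowed offset range;
 * bS 4 selects the strong filter and has no tC0 entry, so it is refused rather than used
 * to index past the row. Returns -1 on bad input. */
int32_t lookup_tc0(int32_t qp_p, int32_t qp_q, int32_t filter_offset_a, int32_t bs, int32_t *index_a_out) {
    if (bs < 1 || bs > 3 || qp_p < 0 || qp_p > 51 || qp_q < 0 || qp_q > 51) return -1;
    int32_t index_a = clip3(0, 51, ((qp_p + qp_q + 1) >> 1) + filter_offset_a);
    if (index_a_out) *index_a_out = index_a;
    return TC0[index_a][bs - 1];
}

int main(void) {
    /* Constructed header fragments: se(-6)=0001101 se(6)=0001100 -> 0x1A 0x30 (valid);
     * se(7)=0001110 se(0)=1 -> 0x1D (out of range); 32 zero bits -> overlong prefix. */
    static const uint8_t good[] = {0x1A, 0x30}, bad[] = {0x1D}, overlong[] = {0, 0, 0, 0, 0x80};
    int32_t fa = 0, fb = 0, idx = 0;
    BitReader br = {good, sizeof good, 0};
    bool ok = parse_deblock_offsets(&br, &fa, &fb);
    printf("valid header: ok=%d FilterOffsetA=%d FilterOffsetB=%d\n", ok, fa, fb);
    br = (BitReader){bad, sizeof bad, 0};
    printf("out-of-range offset rejected: %d\n", !parse_deblock_offsets(&br, &fa, &fb));
    br = (BitReader){overlong, sizeof overlong, 0};
    printf("overlong ue(v) prefix rejected: %d\n", !parse_deblock_offsets(&br, &fa, &fb));
    int32_t tc0 = lookup_tc0(51, 51, 12, 3, &idx);
    printf("tc0 at QP 51, FilterOffsetA +12, bS 3: %d (indexA clipped to %d)\n", tc0, idx);
    return 0;
}
```

The point of splitting the work this way is that the slice-header parser, not the deblocking filter, is where the value is rejected: once an out-of-range offset has been stored, every later consumer would need its own defensive clamp, whereas a single range check at parse time lets the filter trust the Clip3 from the spec.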
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Hi Christoph, the new issue has been fixed in latest cisco master branch.

Could you please have a check?

Thanks for your advice.
Fixed - including the UBSan runtime error.

Tested with https://github.com/cisco/openh264/commit/6854e06796
Group: core-security → core-security-release
Group: core-security-release