Closed Bug 963483 Opened 11 years ago Closed 11 years ago

OpenH264: global-buffer-overflow crash [@WelsDec::DeblockingInterMb]

Categories

(Core :: WebRTC: Audio/Video, defect)

Product:
Core
Component:
WebRTC: Audio/Video
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox30 --- disabled
firefox-esr24 --- unaffected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(2 files)

testcase.264
719.40 KB, application/octet-stream
Details
callstack.txt
5.77 KB, text/plain
Details
Attached file testcase.264 
codec/decoder/core/src/deblocking.cpp:279

  void_t FilteringEdgeLumaH (SDeblockingFilter* pFilter, uint8_t* pPix, int32_t iStride, uint8_t* pBS) {
    int32_t iIndexA;
    int32_t iAlpha;
    int32_t iBeta;
    FORCE_STACK_ALIGN_1D (int8_t, tc, 4, 16);

    GET_ALPHA_BETA_FROM_QP (pFilter->iLumaQP, pFilter->iSliceAlphaC0Offset, pFilter->iSliceBetaOffset, iIndexA, iAlpha,
                            iBeta);

    if (iAlpha | iBeta) {
*     TC0_TBL_LOOKUP (tc, iIndexA, pBS, 0);
      pFilter->pLoopf->pfLumaDeblockingLT4Ver (pPix, iStride, iAlpha, iBeta, tc);
    }
    return;
  }

Tested with https://github.com/cisco/openh264/commit/fcd7a13816
Blocks: fuzzing-openh264
Attached file callstack.txt 

    
    

    
  
Will look into this. But it may need some time.

    
    

    
  
Hi Christoph, the root cause is found the same as 963602, which is already fixed in our local test for syntax checking. It is due to the error iSliceAlphaC0Offset parse leadingto invalid array access. will be updated after checking code is reviewed.

    
    

    
  
Hi Christoph, the bug has been fixed in cisco master branch.
Could u please check it? Thanks.

    
    

    
  
Testcase in ASan/UBSan build shows:

codec/decoder/core/inc/dec_golomb.h:176:5: runtime error: left shift of 15131 by 19 places cannot be represented in type 'int'

global-buffer-overflow crash is fixed.

Tested with https://github.com/cisco/openh264/commit/d468404822
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

    
    

    
  
Hi Christoph, the new issue has been fixed in latest cisco master branch.

Could u please have a check?

Thanks for your advice.

    
    

    
  
Fixed - including the the UBSan runtime error.

Tested with https://github.com/cisco/openh264/commit/6854e06796

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: