Closed Bug 1485208 Opened 6 years ago Closed 6 years ago

OpenH264: signed integer in [@ WelsDec::BaseMC]

Categories

(Core :: Audio/Video: GMP, defect)

Product:
Core
Component:
Audio/Video: GMP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected

People

(Reporter: tsmith, Unassigned)

References

Details

(Keywords: csectype-intoverflow, sec-high, testcase)

Attachments

(1 file)

testcase.264
(deleted), application/octet-stream
Details
Attached file testcase.264 (deleted) —
Found while fuzzing openh264 revision 3c93d6bedfb712109899755b6d9626772cee3847 Built with "-fsanitize=undefined" To reproduce: ./h264dec testcase.264 /dev/null codec/decoder/core/src/rec_mb.cpp:249:65: runtime error: signed integer overflow: 4 * -598666368 cannot be represented in type 'int' #0 0x61a067 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, TagMcFunc*, int, int, short*) codec/decoder/core/src/rec_mb.cpp:249:65 #1 0x6273b5 in WelsDec::GetInterBPred(unsigned char**, unsigned char**, WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/rec_mb.cpp:702:7 #2 0x6a6143 in WelsDec::WelsMbInterPrediction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) codec/decoder/core/src/decode_slice.cpp:319:5 #3 0x69ffba in WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:333:7 #4 0x69db37 in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:104:11 #5 0x59b0ee in WelsDec::WelsDecodeConstructSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*) codec/decoder/core/src/decoder_core.cpp:290:19 #6 0x59b0ee in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2568 #7 0x595ee3 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2254:10 #8 0x55a73b in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7 #9 0x52e405 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3 #10 0x52c594 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:495:11 #11 0x516be9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17 #12 0x51c3ef in main codec/console/dec/src/h264dec.cpp:510:3 #13 0x7f0d5354082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #14 0x41d6d8 in _start (h264dec+0x41d6d8)
The issue has been addressed by openh264 #PR 3014
Verified with commit 1b3980b3437e83f30001e9b7dfdf4a98e69b87bc
Group: media-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
No longer blocks: 1481142
Blocks: 1486988
Blocks: 1512756
No longer blocks: 1486988
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: