Bug 1485208 - OpenH264: signed integer overflow in [@ WelsDec::BaseMC]
Status: Closed (opened 6 years ago, closed 6 years ago)
Categories: Core :: Audio/Video: GMP (defect)
Tracking: RESOLVED FIXED

Tracking | Status
---|---
firefox-esr60 | unaffected
firefox63 | unaffected
People: Reporter tsmith; Unassigned
Keywords: csectype-intoverflow, sec-high, testcase
Attachments (1 file): (deleted), application/octet-stream
Description

Found while fuzzing openh264 revision 3c93d6bedfb712109899755b6d9626772cee3847
Built with "-fsanitize=undefined"
To reproduce:
./h264dec testcase.264 /dev/null
codec/decoder/core/src/rec_mb.cpp:249:65: runtime error: signed integer overflow: 4 * -598666368 cannot be represented in type 'int'
#0 0x61a067 in WelsDec::BaseMC(WelsDec::TagMCRefMember*, int, int, TagMcFunc*, int, int, short*) codec/decoder/core/src/rec_mb.cpp:249:65
#1 0x6273b5 in WelsDec::GetInterBPred(unsigned char**, unsigned char**, WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/rec_mb.cpp:702:7
#2 0x6a6143 in WelsDec::WelsMbInterPrediction(WelsDec::TagWelsDecoderContext*, WelsDec::TagDqLayer*) codec/decoder/core/src/decode_slice.cpp:319:5
#3 0x69ffba in WelsDec::WelsTargetMbConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:333:7
#4 0x69db37 in WelsDec::WelsTargetSliceConstruction(WelsDec::TagWelsDecoderContext*) codec/decoder/core/src/decode_slice.cpp:104:11
#5 0x59b0ee in WelsDec::WelsDecodeConstructSlice(WelsDec::TagWelsDecoderContext*, WelsDec::TagNalUnit*) codec/decoder/core/src/decoder_core.cpp:290:19
#6 0x59b0ee in WelsDec::DecodeCurrentAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2568
#7 0x595ee3 in WelsDec::ConstructAccessUnit(WelsDec::TagWelsDecoderContext*, unsigned char**, TagBufferInfo*) codec/decoder/core/src/decoder_core.cpp:2254:10
#8 0x55a73b in WelsDecodeBs codec/decoder/core/src/decoder.cpp:798:7
#9 0x52e405 in WelsDec::CWelsDecoder::DecodeFrame2(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:570:3
#10 0x52c594 in WelsDec::CWelsDecoder::DecodeFrameNoDelay(unsigned char const*, int, unsigned char**, TagBufferInfo*) codec/decoder/plus/src/welsDecoderExt.cpp:495:11
#11 0x516be9 in H264DecodeInstance(ISVCDecoder*, char const*, char const*, int&, int&, char const*, char const*, int, bool) codec/console/dec/src/h264dec.cpp:226:17
#12 0x51c3ef in main codec/console/dec/src/h264dec.cpp:510:3
#13 0x7f0d5354082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x41d6d8 in _start (h264dec+0x41d6d8)
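The UBSan line above is the whole story of the bug class: a block position scaled by four and combined with a motion vector in plain `int` arithmetic, with a bitstream-controlled operand large enough that the product leaves the `int32_t` range. The following C is an added example, not the reporter's code and not OpenH264's `BaseMC`; the function names, the `4 * pos + mv` shape of the computation, the padding constant and the Annex A motion-vector limits used as sanity bounds are all assumptions for illustration. It shows the three checks a decoder wants before the position is used to index the reference picture: an MV range check against the level limits, overflow-checked arithmetic via `__builtin_mul_overflow` / `__builtin_add_overflow` (GCC and Clang), and a bounds check against the padded frame. The fuzzer's operand `-598666368` is fed through the checked path so the reader can see it rejected instead of wrapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the arithmetic UBSan flagged: a block position is
 * scaled to quarter-sample units (x4) and a motion vector is added to it
 * before the sum is used to address the reference picture.  Names and the
 * exact shape of the computation are assumptions, not OpenH264's own code.
 */

/* Assumed worst-case level limits from H.264 Annex A, in quarter-sample
 * units: horizontal MVs in [-2048, 2047.75] luma samples, vertical MVs in
 * at most [-512, 511.75] luma samples. */
#define MV_QPEL_MIN_X  (-8192)
#define MV_QPEL_MAX_X    8191
#define MV_QPEL_MIN_Y  (-2048)
#define MV_QPEL_MAX_Y    2047

/* Assumed reference-frame padding, in luma samples. */
#define REF_PAD 32

typedef struct {
    int32_t qpel_x;   /* reference position, quarter-sample units */
    int32_t qpel_y;
} ref_pos_t;

/* True when 4 * v does not fit in int32_t.  With v = -598666368, the value
 * from the UBSan report, this is exactly the overflow in the bug. */
bool mul_by_four_overflows(int32_t v)
{
    int32_t out;
    return __builtin_mul_overflow(v, 4, &out);
}

/*
 * Checked version of the position computation.  Fails closed on the three
 * conditions a hostile bitstream can trigger:
 *   1. a motion vector outside the level limits,
 *   2. overflow in the scale or the add,
 *   3. a result outside the padded reference frame.
 */
bool checked_qpel_pos(int32_t x, int32_t y, int32_t mv_x, int32_t mv_y,
                      int32_t width, int32_t height, ref_pos_t *out)
{
    if (mv_x < MV_QPEL_MIN_X || mv_x > MV_QPEL_MAX_X ||
        mv_y < MV_QPEL_MIN_Y || mv_y > MV_QPEL_MAX_Y)
        return false;

    int32_t sx, sy;
    if (__builtin_mul_overflow(x, 4, &sx) || __builtin_add_overflow(sx, mv_x, &sx))
        return false;
    if (__builtin_mul_overflow(y, 4, &sy) || __builtin_add_overflow(sy, mv_y, &sy))
        return false;

    /* Frame dimensions are level-bounded, so these products are assumed
     * not to overflow themselves. */
    if (sx < -REF_PAD * 4 || sx >= (width + REF_PAD) * 4 ||
        sy < -REF_PAD * 4 || sy >= (height + REF_PAD) * 4)
        return false;

    out->qpel_x = sx;
    out->qpel_y = sy;
    return true;
}

int main(void)
{
    ref_pos_t p;

    /* Ordinary block in a 352x288 frame: position (16, 8), MV (-3, +5). */
    if (checked_qpel_pos(16, 8, -3, 5, 352, 288, &p))
        printf("ok: qpel (%d, %d)\n", p.qpel_x, p.qpel_y);

    /* The fuzzer's operand, through the checked path instead of 4 * v. */
    printf("4 * -598666368 overflows: %s\n",
           mul_by_four_overflows(-598666368) ? "yes" : "no");
    if (!checked_qpel_pos(-598666368, 0, 0, 0, 352, 288, &p))
        printf("rejected: scaled position does not fit in int32\n");
    return 0;
}
```

The MV range check alone is not sufficient: it bounds the operand the bitstream writes directly, but not a position derived from other corrupt state, which is why the overflow builtins sit behind it and the frame-bounds check sits behind those. An MV that passes the range check but lands outside the padded frame is also rejected, which is the case that turns a silent wrap into an out-of-bounds read in a real decoder.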
Updated • 6 years ago
Comment 1 • 6 years ago
The issue has been addressed by openh264 PR #3014.
Comment 2 • 6 years ago (Reporter)
Verified with commit 1b3980b3437e83f30001e9b7dfdf4a98e69b87bc
Group: media-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated • 2 years ago (Assignee)
Component: OpenH264 → Audio/Video: GMP
Product: External Software Affecting Firefox → Core