View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000348 | JVT JM H.264/AVC reference software | decoder | public | 2015-04-12 18:52 | 2015-04-16 12:28 |
| Reporter | Andrei Terechko | Assigned To | Karsten Suehring | ||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Platform | x86_64-linux | OS | Ubuntu | OS Version | 12.04 |
| Product Version | JM 18.6 | ||||
| Fixed in Version | JM 19.0 | ||||
| Summary | 0000348: Static buffer overflow in function biari_init_context() on arrays INIT_FLD_MAP_I and INIT_FLD_LAST_I | ||||
| Description | The static global array INIT_FLD_MAP_I[1][8][15][2] is read past its boundary in function biari_init_context() on line 299 using the ini pointer: int pstate = ((ini[0]* qp )>>4) + ini[1]; On line 90 in ldecod/src/context_ini.c the following macro is expanded with the NUM_BLOCK_TYPES argument equal to 22. IBIARI_CTX_INIT2 (NUM_BLOCK_TYPES, NUM_MAP_CTX, tc->map_contexts[1], INIT_FLD_MAP, model_number, qp); This NUM_BLOCK_TYPES argument specifies the number of i loop iterations in the macro definition, where i indexes the second dimension of the array. The second dimension of INIT_FLD_MAP_I[1][8][15][2] has only 8 entries and array accesses with the i values between 8 and 21 quickly cause out of bound memory reads. The same problem occurs on line 91 in ldecod/src/context_ini.c for the INIT_FLD_LAST_I[1][8][15][2] array. This bug was detected by Pareon Verify, a software verification tool from Vector Fabrics, http://www.vectorfabrics.com/products/pareon_verify. The report Pareon Verify generated for JMDecode is attached as jmdecode.verify.log. | ||||
| Steps To Reproduce | To reproduce execute with the attached .h264 file: ./ldecod.dbg.exe -p InputFile=sintel-trailer-3frames.h264 | ||||
| Additional Information | $ uname -a Linux andrei 3.5.0-54-generic 0000081~precise1-Ubuntu SMP Tue Jul 15 04:02:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux $ gcc --version gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3 Copyright (C) 2011 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Tags | No tags attached. | ||||
|
|
|
|
|
jmdecode.verify.log (3,250 bytes)
===== PAREON VERIFY =====
[M0193] Static-buffer overflow(s) detected:
the read in
function biari_init_context at /tmp/proj_WrdtO3/src/JM/ldecod/src/biaridecod.c:299
called from function init_contexts at /tmp/proj_WrdtO3/src/JM/ldecod/src/context_ini.c:90
called from function decode_slice at /tmp/proj_WrdtO3/src/JM/ldecod/src/image.c:737
called from function decode_one_frame at /tmp/proj_WrdtO3/src/JM/ldecod/src/image.c:943
called from function DecodeOneFrame at /tmp/proj_WrdtO3/src/JM/ldecod/src/ldecod.c:1254
called from function main at /tmp/proj_WrdtO3/src/JM/ldecod/src/decoder_test.c:245
called from function main_thread
performed 1 access(es) of size 1 at an offset of 548 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_MAP_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:879
and 1 access(es) of size 1 at an offset of 346 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_MAP_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:879
and 1 access(es) of size 1 at an offset of 624 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_MAP_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:879
and 1 access(es) of size 1 at an offset of 422 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_MAP_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:879
and 1 access(es) of size 1 at an offset of 498 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_MAP_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:879
etc.
[M0193] Static-buffer overflow(s) detected:
the read in
function biari_init_context at /tmp/proj_WrdtO3/src/JM/ldecod/src/biaridecod.c:299
called from function init_contexts at /tmp/proj_WrdtO3/src/JM/ldecod/src/context_ini.c:91
called from function decode_slice at /tmp/proj_WrdtO3/src/JM/ldecod/src/image.c:737
called from function decode_one_frame at /tmp/proj_WrdtO3/src/JM/ldecod/src/image.c:943
called from function DecodeOneFrame at /tmp/proj_WrdtO3/src/JM/ldecod/src/ldecod.c:1254
called from function main at /tmp/proj_WrdtO3/src/JM/ldecod/src/decoder_test.c:245
called from function main_thread
performed 1 access(es) of size 1 at an offset of 388 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_LAST_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:935
and 1 access(es) of size 1 at an offset of 464 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_LAST_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:935
and 1 access(es) of size 1 at an offset of 306 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_LAST_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:935
and 1 access(es) of size 1 at an offset of 584 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_LAST_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:935
and 1 access(es) of size 1 at an offset of 382 bytes from the start of
the static object of size 240 allocated as `INIT_FLD_LAST_I' at /tmp/proj_WrdtO3/src/JM/lcommon/inc/ctx_tables.h:935
etc.
2 error(s)
|
|
|
Agreed. The array is smaller than number of values used in the init loop. |
|
|
After checking back with Alexis, I have extended the tables for 4:4:4 support in my development branch. The fix will be included in the next release. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2015-04-12 18:52 | Andrei Terechko | New Issue | |
| 2015-04-12 18:52 | Andrei Terechko | File Added: sintel-trailer-3frames.h264 | |
| 2015-04-12 18:53 | Andrei Terechko | File Added: jmdecode.verify.log | |
| 2015-04-12 18:54 | Andrei Terechko | Description Updated | |
| 2015-04-13 15:38 | Karsten Suehring | Note Added: 0000621 | |
| 2015-04-13 15:38 | Karsten Suehring | Assigned To | => Karsten Suehring |
| 2015-04-13 15:38 | Karsten Suehring | Status | new => confirmed |
| 2015-04-16 12:28 | Karsten Suehring | Note Added: 0000623 | |
| 2015-04-16 12:28 | Karsten Suehring | Status | confirmed => resolved |
| 2015-04-16 12:28 | Karsten Suehring | Fixed in Version | => JM 19.0 |
| 2015-04-16 12:28 | Karsten Suehring | Resolution | open => fixed |
