Comments (8)
Ok, at least one issue is in find_nal_unit, which can over-read its buffer. Patch coming soon, although I need to take a break at the moment.
from h264bitstream.
Also, NAL_UNIT_TYPE_SUBSET_SPS in read_nal_unit shallow copies sps_subset into sps_subset_table, causing a double free.
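The shallow-copy double free described in the comment above, reduced to a self-contained C illustration. This is an added example, not h264bitstream's own code: the `subset_t` and `table_t` types, the `*_store_*` functions and the sample data are all constructed here as stand-ins for sps_subset and sps_subset_table. It shows the bug pattern (struct assignment copies the heap pointer, so two owners later free it), the two usual fixes (transfer ownership, or deep copy), an aliasing check that can sit in front of any free, and a bounds check on the table slot, since an unchecked table index is the other failure mode discussed in this thread.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed types for this example, not h264bitstream's. A subset owns a
   heap-allocated list (stand-in for the data a subset SPS carries); a
   fixed-size table stores parsed subsets. */
#define TABLE_MAX 4

typedef struct {
    int id;
    size_t n;
    int *list;      /* heap-owned: exactly one owner may free it */
} subset_t;

typedef struct {
    subset_t slot[TABLE_MAX];
    int used;
} table_t;

subset_t subset_make(int id, size_t n) {
    subset_t s = { id, n, calloc(n, sizeof(int)) };
    for (size_t i = 0; s.list && i < n; i++) s.list[i] = id * 10 + (int)i;
    return s;
}

void subset_free(subset_t *s) {
    free(s->list);          /* free(NULL) is a no-op, so a moved-from subset is safe */
    s->list = NULL;
    s->n = 0;
}

void table_free(table_t *t) {
    for (int i = 0; i < t->used; i++) subset_free(&t->slot[i]);
    t->used = 0;
}

/* Bug pattern: the assignment copies the pointer, so the caller's local and
   the table entry both "own" list. Freeing both is the double free. */
int table_store_shallow(table_t *t, const subset_t *s) {
    if (t->used >= TABLE_MAX) return -1;   /* bounds-check the slot as well */
    t->slot[t->used++] = *s;
    return 0;
}

/* Fix A: move. The table takes ownership and the source is emptied, so a
   later subset_free() on the source does nothing. */
int table_store_move(table_t *t, subset_t *s) {
    if (t->used >= TABLE_MAX) return -1;
    t->slot[t->used++] = *s;
    s->list = NULL;
    s->n = 0;
    return 0;
}

/* Fix B: deep copy. The table gets its own list; both copies are freed
   independently. */
int table_store_deep(table_t *t, const subset_t *s) {
    if (t->used >= TABLE_MAX) return -1;
    subset_t *dst = &t->slot[t->used];
    dst->list = malloc(s->n * sizeof(int));
    if (!dst->list) return -1;
    memcpy(dst->list, s->list, s->n * sizeof(int));
    dst->id = s->id;
    dst->n = s->n;
    t->used++;
    return 0;
}

/* Check worth asserting before any free: two subsets must never point at the
   same heap block. */
int subsets_alias(const subset_t *a, const subset_t *b) {
    return a->list != NULL && a->list == b->list;
}

/* Shallow store leaves an alias. Only the table frees here; adding
   subset_free(&s) would be the double free. Returns 1. */
int demo_shallow_aliases(void) {
    table_t t = { .used = 0 };
    subset_t s = subset_make(1, 4);
    table_store_shallow(&t, &s);
    int aliased = subsets_alias(&s, &t.slot[0]);
    table_free(&t);
    return aliased;
}

/* Move leaves no alias and both frees are safe. Returns 0. */
int demo_move_is_safe(void) {
    table_t t = { .used = 0 };
    subset_t s = subset_make(2, 4);
    table_store_move(&t, &s);
    int aliased = subsets_alias(&s, &t.slot[0]);
    subset_free(&s);
    table_free(&t);
    return aliased;
}

/* Deep copy leaves no alias and preserves the data. Returns 1. */
int demo_deep_is_safe(void) {
    table_t t = { .used = 0 };
    subset_t s = subset_make(3, 4);
    table_store_deep(&t, &s);
    int ok = !subsets_alias(&s, &t.slot[0]) && t.slot[0].list[3] == 33;
    subset_free(&s);
    table_free(&t);
    return ok;
}

/* Storing TABLE_MAX + 2 subsets rejects the last two instead of writing past
   the array. Returns 2. */
int demo_table_bounds(void) {
    table_t t = { .used = 0 };
    int rejected = 0;
    for (int i = 0; i < TABLE_MAX + 2; i++) {
        subset_t s = subset_make(i, 2);
        if (table_store_move(&t, &s) != 0) { rejected++; subset_free(&s); }
    }
    table_free(&t);
    return rejected;
}
```

Running the shallow variant under valgrind or ASan with the extra `subset_free(&s)` reproduces the "double free" report the comment describes; the move variant is the smaller fix when the table is meant to own the parsed structure, the deep copy when the caller keeps using its own copy.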
@pallas That is exceptional work - thank you!
If you find any input sequences which cause a crash/buffer overrun, I should be able to tell how (and fix it).
Note: this has been fuzzed before, but a very long time ago, circa 2012. The bs_read_* functions can safely (try to) read past the end of the existing buffer, they just read an infinite string of 0's - this is one of the main mechanisms protecting against overruns. I suspect that there could be issues in code which bypasses bs_read (mainly because of performance reasons).
Thanks, I've got some patches coming. One question: it looks like the .in.c files are not in sync with the .c files. Should I be updating .in.c and regenerating, or should I just update the .c files directly?
Ok, I found a few different issues and now the fuzzer has been running for half an hour with no new error paths. I'm going to let it run overnight, refine my patches, & likely will make a PR tomorrow.
I'm seeing similar issues in read_pred_weight_table and read_slice_header, at least the debug versions, and at least one more double free somewhere (later assert failure in malloc, so no backtrace).
Ok, I've lost my momentum to keep working on this. The following functions have array overrun problems and/or double-frees post the PR I made a few weeks ago.
read_debug_dec_ref_pic_marking
read_debug_pred_weight_table
read_debug_ref_pic_list_reordering
read_debug_slice_header
read_debug_slice_header_in_scalable_extension
read_debug_slice_layer_rbsp
You can run the fuzzer by
CC=/usr/bin/afl-clang-fast CXX=/usr/bin/afl-clang-fast++ ./configure --disable-debug --disable-shared
env AFL_HARDEN=1 make
env AFL_SKIP_CPUFREQ=1 afl-fuzz -i samples/ -o results/ ./h264_analyze -p @@
I'm analyzing the results with
mkdir -p traces/
for i in results/crashes/id* ; do echo $i && valgrind --track-origins=yes ./h264_analyze -p $i 2>&1 | tee traces/$(basename $i).out ; done
ag -H 'of size' traces/ -C 10 | grep '\.c:' | sed 's,^.\+0x,0x,' | sed 's,^.[^:]\+:,,' | sort | uniq -c
Hey, it seems pretty obvious that I gave up on this. Basically, every time a dynamically sized array is created/used/destroyed, the bounds are never checked. I'm going to go ahead and close since I don't intend to do any more work here.