Bug 266653
Summary: | [WebRTC] Fix logic when parsing H264 packets to make sure the buffer isn't exceeded | ||
---|---|---|---|
Product: | WebKit | Reporter: | Nicole Rosario <Nicole_rosario> |
Component: | WebRTC | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED WONTFIX | ||
Severity: | Normal | CC: | ddkilzer, webkit-bug-importer, youennf |
Priority: | P1 | Keywords: | InRadar |
Version: | Other | ||
Hardware: | Unspecified | ||
OS: | Unspecified |
Nicole Rosario
rdar://118861473
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1871439528
INFO: Loaded 2 modules (741459 inline 8-bit counters): 741309 [0x11657d1c0, 0x11663217d), 150 [0x1008bc000, 0x1008bc096),
./Release/rtp_packetizer_h264_fuzzer: Running 1 inputs 1 time(s) each.
Running: /Users/nicolerosario/Desktop/Bugs/118861473/ptf_1701108736_593a.tc
#
# Fatal error in: /Users/nicolerosario/Desktop/BrowserSecurity_3/OpenSource/Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc, line 292
# last system error: 3
# Check failed: index + kLengthFieldSize + fragment.size() <= payload_capacity (502 vs. 374)
# ==67474== ERROR: libFuzzer: deadly signal
#0 0x1011d9a34 in __sanitizer_print_stack_trace+0x2c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x5da34)
#1 0x1008ae0e4 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:210
#2 0x1008913cc in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:233
#3 0x183d57a20 in _sigtramp+0x34 (libsystem_platform.dylib:arm64e+0x3a20)
#4 0x183d28cbc in pthread_kill+0x11c (libsystem_pthread.dylib:arm64e+0x6cbc)
#5 0x183c34a3c in abort+0xb0 (libsystem_c.dylib:arm64e+0x76a3c)
#6 0x1102d3fbc in rtc::webrtc_checks_impl::WriteFatalLog(std::__1::basic_string_view<char, std::__1::char_traits<char>>) checks.cc:78
#7 0x1102d4188 in rtc::webrtc_checks_impl::WriteFatalLog(char const*, int, std::__1::basic_string_view<char, std::__1::char_traits<char>>) checks.cc:84
#8 0x1102d5418 in rtc::webrtc_checks_impl::FatalLog(char const*, int, char const*, rtc::webrtc_checks_impl::CheckArgType const*, ...) checks.cc:179
#9 0x1126af36c in webrtc::RtpPacketizerH264::NextAggregatePacket(webrtc::RtpPacketToSend*) rtp_format_h264.cc:292
#10 0x1126ad764 in webrtc::RtpPacketizerH264::NextPacket(webrtc::RtpPacketToSend*) rtp_format_h264.cc:268
#11 0x100874fa0 in webrtc::FuzzOneInput(unsigned char const*, unsigned long) rtp_packetizer_h264_fuzzer.cc:66
#12 0x10087a010 in LLVMFuzzerTestOneInput webrtc_fuzzer_main.cc:39
#13 0x100892838 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:617
#14 0x10087db24 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:324
#15 0x100882fd8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:860
#16 0x1008af5d4 in main FuzzerMain.cpp:20
#17 0x1839a90dc (<unknown module>)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
Attachments | ||
---|---|---|
Add attachment proposed patch, testcase, etc. |
Nicole Rosario
Pull request: https://github.com/WebKit/WebKit/pull/22171
David Kilzer (:ddkilzer)
GitHub PR was closed. We're fixing this a different way.