[Webkit-unassigned] [Bug 266653] New: [WebRTC] Fix logic when parsing H264 packets to make sure the buffer isn't exceeded

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 19 12:07:05 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=266653

            Bug ID: 266653
           Summary: [WebRTC] Fix logic when parsing H264 packets to make
                    sure the buffer isn't exceeded
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P1
         Component: WebRTC
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Nicole_rosario at apple.com
                CC: youennf at gmail.com

rdar://118861473

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1871439528
INFO: Loaded 2 modules  (741459 inline 8-bit counters): 741309 [0x11657d1c0, 0x11663217d), 150 [0x1008bc000, 0x1008bc096), 
./Release/rtp_packetizer_h264_fuzzer: Running 1 inputs 1 time(s) each.
Running: /Users/nicolerosario/Desktop/Bugs/118861473/ptf_1701108736_593a.tc
#
# Fatal error in: /Users/nicolerosario/Desktop/BrowserSecurity_3/OpenSource/Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc, line 292
# last system error: 3
# Check failed: index + kLengthFieldSize + fragment.size() <= payload_capacity (502 vs. 374)
# ==67474== ERROR: libFuzzer: deadly signal
  #0 0x1011d9a34 in __sanitizer_print_stack_trace+0x2c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x5da34)
  #1 0x1008ae0e4 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:210
  #2 0x1008913cc in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:233
  #3 0x183d57a20 in _sigtramp+0x34 (libsystem_platform.dylib:arm64e+0x3a20)
  #4 0x183d28cbc in pthread_kill+0x11c (libsystem_pthread.dylib:arm64e+0x6cbc)
  #5 0x183c34a3c in abort+0xb0 (libsystem_c.dylib:arm64e+0x76a3c)
  #6 0x1102d3fbc in rtc::webrtc_checks_impl::WriteFatalLog(std::__1::basic_string_view<char, std::__1::char_traits<char>>) checks.cc:78
  #7 0x1102d4188 in rtc::webrtc_checks_impl::WriteFatalLog(char const*, int, std::__1::basic_string_view<char, std::__1::char_traits<char>>) checks.cc:84
  #8 0x1102d5418 in rtc::webrtc_checks_impl::FatalLog(char const*, int, char const*, rtc::webrtc_checks_impl::CheckArgType const*, ...) checks.cc:179
  #9 0x1126af36c in webrtc::RtpPacketizerH264::NextAggregatePacket(webrtc::RtpPacketToSend*) rtp_format_h264.cc:292
  #10 0x1126ad764 in webrtc::RtpPacketizerH264::NextPacket(webrtc::RtpPacketToSend*) rtp_format_h264.cc:268
  #11 0x100874fa0 in webrtc::FuzzOneInput(unsigned char const*, unsigned long) rtp_packetizer_h264_fuzzer.cc:66
  #12 0x10087a010 in LLVMFuzzerTestOneInput webrtc_fuzzer_main.cc:39
  #13 0x100892838 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:617
  #14 0x10087db24 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:324
  #15 0x100882fd8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:860
  #16 0x1008af5d4 in main FuzzerMain.cpp:20
  #17 0x1839a90dc (<unknown module>)

NOTE: libFuzzer has rudimentary signal handlers.
   Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
