Issue metadata
Sign in to add a comment
|
Security: Unchecked .end() iterator dereference in VTVideoDecodeAccelerator::ReusePictureBuffer |
||||||||||||||||||||||
Issue description
In media::VTVideoDecodeAccelerator::ReusePictureBuffer,
void VTVideoDecodeAccelerator::ReusePictureBuffer(int32_t picture_id) {
DCHECK(gpu_thread_checker_.CalledOnValidThread());
DCHECK(picture_info_map_.count(picture_id));
PictureInfo* picture_info = picture_info_map_.find(picture_id)->second.get(); // <--- unchecked deref
picture_info->cv_image.reset();
picture_info->gl_image->Destroy(false);
picture_info->gl_image = nullptr;
For release builds, picture_info_map_.find(picture_id) is not checked against picture_info_map_.end(), but a malicious renderer (or possibly a malicious/compromised flash plugin through the PPB_VideoDecoder_Dev interface?) can send a bogus picture_id. This can then lead to memory corruption in the GPU process.
A renderer patch is attached that gives the following stacktrace in the GPU process (full stacktrace attached).
==93384==ERROR: AddressSanitizer: SEGV on unknown address 0x000112fd6af0 (pc 0x000112fdfcd3 bp 0x7fff595ad5d0 sp 0x7fff595ad500 T0)
==93384==WARNING: invalid path to external symbolizer!
==93384==WARNING: Failed to use and restart external symbolizer!
#0 0x112fdfcd2 in media::VTVideoDecodeAccelerator::ReusePictureBuffer(int) (/Users/ochang/chromium/src/out/Default/Chromium.app/Contents/Versions/54.0.2828.0/Chromium Framework.framework/Chromium Framework+0x933fcd2)
#1 0x11599b553 in bool IPC::MessageT<AcceleratedVideoDecoderMsg_ReusePictureBuffer_Meta, std::__1::tuple<int>, void>::Dispatch<media::GpuVideoDecodeAccelerator, media::GpuVideoDecodeAccelerator, void, void (media::GpuVideoDecodeAccelerator::*)(int)>(IPC::Message const*, media::GpuVideoDecodeAccelerator*, media::GpuVideoDecodeAccelerator*, void*, void (media::GpuVideoDecodeAccelerator::*)(int)) (/Users/ochang/chromium/src/out/Default/Chromium.app/Contents/Versions/54.0.2828.0/Chromium Framework.framework/Chromium Framework+0xbcfb553)
#2 0x115998831 in media::GpuVideoDecodeAccelerator::OnMessageReceived(IPC::Message const&) (/Users/ochang/chromium/src/out/Default/Chromium.app/Contents/Versions/54.0.2828.0/Chromium Framework.framework/Chromium Framework+0xbcf8831)
,
Aug 12 2016
,
Aug 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c925db56332eff18cee034f0836a0406a3b62ac8 commit c925db56332eff18cee034f0836a0406a3b62ac8 Author: sandersd <sandersd@chromium.org> Date: Sat Aug 13 00:40:11 2016 VTVDA: Verify |picture_id| in ResusePictureBuffer(). BUG= 637320 Review-Url: https://codereview.chromium.org/2244853002 Cr-Commit-Position: refs/heads/master@{#411834} [modify] https://crrev.com/c925db56332eff18cee034f0836a0406a3b62ac8/media/gpu/vt_video_decode_accelerator_mac.cc
,
Aug 13 2016
,
Aug 13 2016
,
Aug 13 2016
,
Aug 13 2016
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 13 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
,
Aug 14 2016
,
Aug 14 2016
Please merge your change by Monday (08/15) 5:00 PM PT so we can take it in for next week Beta release. Thank you.
,
Aug 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c179a7643dd3af27d7425a2b2e876cd59c07131e commit c179a7643dd3af27d7425a2b2e876cd59c07131e Author: Dan Sanders <sandersd@chromium.org> Date: Mon Aug 15 19:35:21 2016 Merge to M53: VTVDA: Verify |picture_id| in ResusePictureBuffer(). BUG= 637320 Review-Url: https://codereview.chromium.org/2244853002 Cr-Commit-Position: refs/heads/master@{#411834} (cherry picked from commit c925db56332eff18cee034f0836a0406a3b62ac8) Review URL: https://codereview.chromium.org/2247883002 . Cr-Commit-Position: refs/branch-heads/2785@{#604} Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382} [modify] https://crrev.com/c179a7643dd3af27d7425a2b2e876cd59c07131e/media/gpu/vt_video_decode_accelerator_mac.cc
,
Aug 15 2016
ochang@: Please confirm if it is useful to merge this to M52.
,
Aug 15 2016
+awhalley. not sure if merges are still being considered for M52.
,
Aug 16 2016
[Automated comment] Request affecting a post-stable build (M52), manual review required.
,
Aug 17 2016
+inferno since awhalley is out.
,
Aug 30 2016
,
Sep 14 2016
,
Nov 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
,
Jul 17
,
Jul 17
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by och...@chromium.org
, Aug 12 2016Labels: Security_Severity-High Security_Impact-Stable
Owner: sande...@chromium.org
Status: Assigned (was: Unconfirmed)