oss-sec mailing list archives

Re: Multiple issues in OpenH264 1.5.1


From: Brandon Perry <bperry.volatile () gmail com>
Date: Sun, 1 Jan 2017 19:39:38 -0600


On Jan 1, 2017, at 7:32 PM, Brandon Perry <bperry.volatile () gmail com> wrote:

Recently, Firefox updated their OpenH264 plugin to 1.6. Earlier this year, I reported multiple crashes I had found 
while fuzzing version 1.5.1 of the decoder (which was what was shipped at the time).

While these issues have been resolved on the 1.6 branch of the openh264 codebase for some time (a year?), it doesn’t 
seem like Firefox got the update until recently (correct me if I’m wrong), which is why I am releasing my fuzz 
results. I initially reported these to Mozilla, but collided with Tyler Smith, one of their security engineers who 
had also been fuzzing the decoder. I am not sure if these issues got CVEs or not, but I don’t see any.

https://raw.githubusercontent.com/brandonprry/openh264-fuzz/
Whoops, mislinked.

https://github.com/brandonprry/openh264-fuzz

Attached is the README for the linked GitHub repo, which shows the three distinct bugs and their stack traces. There 
might be another bug or two that I missed during triage. None of the crashes work on 1.6, which is now shipped with 
up-to-date Firefox installs.

Happy New Year!

<README.md>
