Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#7980 closed defect (fixed)

heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp by null pointer or undefined-behavior libavformat/nutenc.c:794:27

Reported by: Suhwan
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: zmbv nut ubsan asan regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
There's a heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp due to null pointer or undefined-behavior at libavformat/nutenc.c:794:27.

How to reproduce:

input file: tmp.webm , output file: tmp_.nut
% ffmpeg_g  -y -r 3 -i tmp.webm -map 0 -c:v zmbv -c:s adpcm_ms -disposition:a:86 vc2 -disposition:s prores_ks -vframes 52 -r 8 -ar 22050 -b:v 928 -strict 2 tmp_.nut

ffmpeg version : N-94137-g89b96900fa Copyright (c) 2000-2019 the FFmpeg developers

built with clang-9, clang-asan option.

Here's the ASAN log:

  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.100 / 58. 53.100
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> mp2 (native))
Press [q] to stop, [?] for help
[zmbv @ 0x619000015480] Bitrate 928 is extremely low, maybe you mean 928k
The bitrate parameter is set too low. It takes bits/s as argument, not kbits/s
Output #0, nut, to 'tmp/tmp_.nut':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv (ZMBV / 0x56424D5A), bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 0 kb/s, 8 fps, 65536 tbn, 8 tbc (default)
    Metadata:
      encoder         : Lavc58.53.100 zmbv
    Stream #0:1: Audio: mp2 (P[0][0][0] / 0x0050), 22050 Hz, mono, s16, 160 kb/s (default)
    Metadata:
      X-Language      : eng
      encoder         : Lavc58.53.100 mp2
libavformat/nutenc.c:794:27: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:64:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/nutenc.c:794:27 in 
=================================================================
==8843==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fffdd32e7f0 at pc 0x00000632b075 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
READ of size 1 at 0x7fffdd32e7f0 thread T0
    #0 0x632b074 in block_cmp ffmpeg/libavcodec/zmbvenc.c:97:30
    #1 0x63249cb in zmbv_me ffmpeg/libavcodec/zmbvenc.c:153:18
    #2 0x63249cb in encode_frame ffmpeg/libavcodec/zmbvenc.c:242
    #3 0x3036600 in avcodec_encode_video2 ffmpeg/libavcodec/encode.c:296:11
    #4 0x303979e in do_encode ffmpeg/libavcodec/encode.c:365:15
    #5 0x3038e7a in avcodec_send_frame ffmpeg/libavcodec/encode.c:414:12
    #6 0x631f2a in do_video_out ffmpeg/fftools/ffmpeg.c:1287:15
    #7 0x629ae0 in reap_filters ffmpeg/fftools/ffmpeg.c:1504:17
    #8 0x5bd503 in transcode_step ffmpeg/fftools/ffmpeg.c:4648:12
    #9 0x5bd503 in transcode ffmpeg/fftools/ffmpeg.c:4692
    #10 0x5b2c0b in main ffmpeg/fftools/ffmpeg.c:4894:9
    #11 0x7ffff4fb2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41fb39 in _start (ffmpeg/ffmpeg_g+0x41fb39)

0x7fffdd32e7f0 is located 16 bytes to the left of 763424-byte region [0x7fffdd32e800,0x7fffdd3e8e20)
allocated by thread T0 here:
    #0 0x4ad2ad in posix_memalign opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:226
    #1 0x8334fc5 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x8334fc5 in av_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x6320250 in encode_init ffmpeg/libavcodec/zmbvenc.c:413:25

SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp

Attachments (2)

gdb_log_7980 (9.1 KB ) - added by Suhwan 5 years ago.
tmp.webm (224.1 KB ) - added by Suhwan 5 years ago.


Change History (10)

by Suhwan, 5 years ago

Attachment: gdb_log_7980 added

by Suhwan, 5 years ago

Attachment: tmp.webm added

comment:1 by Suhwan, 5 years ago

Keywords: avcodec added

comment:2 by Carl Eugen Hoyos, 5 years ago

Component: ffmpeg → avcodec
Keywords: zmbv ubsan added; Heap buffer overflow ASAN Null pointer avformat avcodec removed
Priority: critical → important

I only see the following error, patch sent:

$ ffmpeg_g -i tmp.webm -c:v zmbv -f null -
ffmpeg version N-94142-g3b2082c663 Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 8.0.0 (tags/RELEASE_800/final 356365)
  configuration: --enable-gpl --toolchain=clang-usan
  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.100 / 58. 53.100
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
  libpostproc    55.  4.100 / 55.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc (default)
    Metadata:
      encoder         : Lavc58.53.100 zmbv
    Stream #0:1(eng): Audio: pcm_s16le, 48000 Hz, mono, s16, 768 kb/s (default)
    Metadata:
      encoder         : Lavc58.53.100 pcm_s16le
src/libavcodec/zmbvenc.c:243:29: runtime error: left shift of negative value -4
src/libavcodec/zmbvenc.c:244:28: runtime error: left shift of negative value -2  
[matroska,webm @ 0x9884740] Element at 0x38041 ending at 0x3804f exceeds containing master element ending at 0x38035
frame=  166 fps=3.4 q=-0.0 Lsize=N/A time=00:00:05.58 bitrate=N/A speed=0.113x    
video:12130kB audio:522kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown

comment:3 by Suhwan, 5 years ago

Thanks for patching.

To check for the heap buffer overflow, the program needs to be compiled with clang-asan.
The usan option is for checking undefined behaviours,
so I think the asan option will reproduce the same log that I reported.

comment:4 by Carl Eugen Hoyos, 5 years ago

Keywords: asan regression added
Reproduced by developer: set
Status: new → open

The buffer overflow is a regression since 0321370601833f4ae47e8e11c44570ea4bd382a4

$ ffmpeg -i tmp.webm -vcodec zmbv -f null -
ffmpeg version N-94148-g4877b5869e Copyright (c) 2000-2019 the FFmpeg developers
  built with gcc 9 (SUSE Linux)
  configuration: --toolchain=gcc-asan
  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.101 / 58. 53.101
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc (default)
    Metadata:
      encoder         : Lavc58.53.101 zmbv
    Stream #0:1(eng): Audio: pcm_s16le, 48000 Hz, mono, s16, 768 kb/s (default)
    Metadata:
      encoder         : Lavc58.53.101 pcm_s16le
=================================================================
==24243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1cc348e7f0 at pc 0x000001fa74f1 bp 0x7fff41dee710 sp 0x7fff41dee708
READ of size 1 at 0x7f1cc348e7f0 thread T0
    #0 0x1fa74f0 in block_cmp src/libavcodec/zmbvenc.c:97
    #1 0x1fa871b in zmbv_me src/libavcodec/zmbvenc.c:153
    #2 0x1fa871b in encode_frame src/libavcodec/zmbvenc.c:242
    #3 0x104c9b5 in avcodec_encode_video2 src/libavcodec/encode.c:296
    #4 0x104d250 in do_encode src/libavcodec/encode.c:365
    #5 0x104d65a in avcodec_send_frame src/libavcodec/encode.c:414
    #6 0x5d9dfb in do_video_out src/fftools/ffmpeg.c:1287
    #7 0x5dc553 in reap_filters src/fftools/ffmpeg.c:1504
    #8 0x5ea71a in transcode_step src/fftools/ffmpeg.c:4648
    #9 0x5ea71a in transcode src/fftools/ffmpeg.c:4692
    #10 0x57df6b in main src/fftools/ffmpeg.c:4894
    #11 0x7f1cd3812bca in __libc_start_main (/lib64/libc.so.6+0x26bca)
    #12 0x592719 in _start (/mnt/sdb6/cehoyos/android/linux64/ffmpeg_g+0x592719)

0x7f1cc348e7f0 is located 16 bytes to the left of 763424-byte region [0x7f1cc348e800,0x7f1cc3548e20)
allocated by thread T0 here:
    #0 0x7f1cd40944a5 in __interceptor_posix_memalign (/usr/lib64/libasan.so.5+0x10b4a5)
    #1 0x29c4074 in av_malloc src/libavutil/mem.c:87
    #2 0x29c4074 in av_mallocz src/libavutil/mem.c:238

SUMMARY: AddressSanitizer: heap-buffer-overflow src/libavcodec/zmbvenc.c:97 in block_cmp
Shadow bytes around the buggy address:
  0x0fe418689ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe418689cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0fe418689d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==24243==ABORTING
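
An added example, not part of the ticket or of FFmpeg: a small triage helper that reduces the two AddressSanitizer reports above to the fields that do not change with ASLR, compiler or checkout path, showing that the gcc-asan reproduction in comment:4 is the same fault as the clang report in the description. The function name `triage` and the choice of signature fields are assumptions made for this illustration; the log lines are excerpts copied from this page.

```python
import re

# Excerpts copied from this ticket: the reporter's clang build and the developer's gcc build.
REPORT_CLANG = """\
==8843==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fffdd32e7f0 at pc 0x00000632b075 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
READ of size 1 at 0x7fffdd32e7f0 thread T0
    #0 0x632b074 in block_cmp ffmpeg/libavcodec/zmbvenc.c:97:30
    #1 0x63249cb in zmbv_me ffmpeg/libavcodec/zmbvenc.c:153:18
0x7fffdd32e7f0 is located 16 bytes to the left of 763424-byte region [0x7fffdd32e800,0x7fffdd3e8e20)
"""
REPORT_GCC = """\
==24243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1cc348e7f0 at pc 0x000001fa74f1 bp 0x7fff41dee710 sp 0x7fff41dee708
READ of size 1 at 0x7f1cc348e7f0 thread T0
    #0 0x1fa74f0 in block_cmp src/libavcodec/zmbvenc.c:97
    #1 0x1fa871b in zmbv_me src/libavcodec/zmbvenc.c:153
0x7f1cc348e7f0 is located 16 bytes to the left of 763424-byte region [0x7f1cc348e800,0x7f1cc3548e20)
"""

ERR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACC = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
# Column numbers (clang only) and the checkout prefix (ffmpeg/ vs src/) are build noise.
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)
REGION = re.compile(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def triage(report):
    """Reduce an ASan heap report to fields that survive ASLR and rebuilds."""
    kind, addr = ERR.search(report).groups()
    access, size = ACC.search(report).groups()
    lo, hi = (int(x, 16) for x in REGION.search(report).groups())
    # Recompute the offset from the raw addresses instead of trusting the prose:
    # negative means the access is before the allocation, >= region size means past it.
    offset = int(addr, 16) - lo
    frames = tuple((fn, path.split("/")[-1], int(line))
                   for _, fn, path, line in FRAME.findall(report))
    return {"kind": kind, "access": access, "size": int(size),
            "offset": offset, "region_size": hi - lo, "frames": frames[:2]}


if __name__ == "__main__":
    a, b = triage(REPORT_CLANG), triage(REPORT_GCC)
    print(a)
    print("same signature:", a == b)
```
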

comment:5 by Kamalalochana Subbaiah, 5 years ago

Please confirm whether version 4.0.0 is impacted by the above vulnerability.

comment:6 by mkver, 5 years ago

The zmbvenc bug has been fixed in def04022f4a7058f99e669bfd978d431d79aec18.
@kamasubb: Only the release 4.2 has been affected by this.

comment:7 by Carl Eugen Hoyos, 4 years ago

Resolution: fixed
Status: open → closed

The ubsan issue in the nut muxer was fixed by Michael in e4fdeb3fcefeb98f2225f7ccded156fb175959c5

comment:8 by Carl Eugen Hoyos, 4 years ago

Keywords: nut added