#8845 closed defect (fixed)
A stack-buffer-overflow in FFmpeg JIT code
| Reported by: | Zhou Anshunkang | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | aac |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
System info
Ubuntu x86_64, clang 6.0, ffmpeg (git-master https://github.com/FFmpeg/FFmpeg/commit/1ead176d874acb489827ace3935fc71e1eea7e0e)
Configure
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
Command line
./ffmpeg -i @@ -y -f mov /dev/null
Address Sanitizer
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
libavutil 56. 58.100 / 56. 58.100
libavcodec 58.100.100 / 58.100.100
libavformat 58. 50.100 / 58. 50.100
libavdevice 58. 11.101 / 58. 11.101
libavfilter 7. 87.100 / 7. 87.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100
[aac @ 0x61b000000080] Format aac detected only with low score of 1, misdetection possible!
[aac @ 0x619000000580] More than one AAC RDB per ADTS frame is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS).
[aac @ 0x619000000580] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000000580] Inconsistent channel configuration.
[aac @ 0x619000000580] get_buffer() failed
[aac @ 0x61b000000080] decoding for stream 0 failed
[aac @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate
[aac @ 0x61b000000080] Could not find codec parameters for stream 0 (Audio: aac (Main), 13 channels (FL+FR+FLC+FRC+TC+TFL+TFC+TFR+TBL+TBC+TBR+TSL+TSR+BFC+BFL+BFR), fltp, 5 kb/s): unspecified sample rate
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
Input #0, aac, from '/home/seviezhou//experiment-3/AlphaFuzz-ffmpeg/alpha_out/crashes/id:000001,src:003723,op:havoc':
Duration: 00:00:00.18, bitrate: 5 kb/s
Stream #0:0: Audio: aac (Main), 13 channels (FL+FR+FLC+FRC+TC+TFL+TFC+TFR+TBL+TBC+TBR+TSL+TSR+BFC+BFL+BFR), fltp, 5 kb/s
[aac @ 0x619000002380] Channel layout '16 channels (FL+FR+FLC+FRC+TC+TFL+TFC+TFR+TBL+TBC+TBR+TSL+TSR+BFC+BFL+BFR)' with 16 channels does not match specified number of channels 13: ignoring specified channel layout
Stream mapping:
Stream #0:0 -> #0:0 (aac (native) -> aac (native))
Press [q] to stop, [?] for help
[aac @ 0x619000002380] More than one AAC RDB per ADTS frame is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x619000002380] channel element 3.7 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002380] Sample rate index in program config element does not match the sample rate index configured by the container.
=================================================================
==48056==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff1e2fba5 at pc 0x0000029497f1 bp 0x7ffff1e2eb50 sp 0x7ffff1e2eb48
READ of size 1 at 0x7ffff1e2fba5 thread T0
#0 0x29497f0 (/home/seviezhou/ffmpeg/ffmpeg+0x29497f0)
#1 0x2959670 (/home/seviezhou/ffmpeg/ffmpeg+0x2959670)
#2 0x2941d83 (/home/seviezhou/ffmpeg/ffmpeg+0x2941d83)
#3 0x126e91c (/home/seviezhou/ffmpeg/ffmpeg+0x126e91c)
#4 0x126e22d (/home/seviezhou/ffmpeg/ffmpeg+0x126e22d)
#5 0x567dae (/home/seviezhou/ffmpeg/ffmpeg+0x567dae)
#6 0x560488 (/home/seviezhou/ffmpeg/ffmpeg+0x560488)
#7 0x555ea5 (/home/seviezhou/ffmpeg/ffmpeg+0x555ea5)
#8 0x7f1571274b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#9 0x41dea9 in _init (/home/seviezhou/ffmpeg/ffmpeg+0x41dea9)
Address 0x7ffff1e2fba5 is located in stack of thread T0 at offset 165 in frame
#0 0x294179f (/home/seviezhou/ffmpeg/ffmpeg+0x294179f)
This frame has 4 object(s):
[32, 64) 'gb.i' (line 1113)
[96, 128) 'gb' (line 3413)
[160, 164) 'new_extradata_size' (line 3417) <== Memory access at offset 165 overflows this variable
[176, 180) 'jp_dualmono_size' (line 3421)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/seviezhou/ffmpeg/ffmpeg+0x29497f0)
Shadow bytes around the buggy address:
0x10007e3bdf20: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x10007e3bdf30: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e3bdf40: 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
0x10007e3bdf50: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e3bdf60: f1 f1 f1 f1 f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 00
=>0x10007e3bdf70: f2 f2 f2 f2[04]f2 04 f3 00 00 00 00 00 00 00 00
0x10007e3bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e3bdf90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e3bdfa0: 00 00 00 00 f1 f1 f1 f1 04 f2 f8 f3 00 00 00 00
0x10007e3bdfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e3bdfc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==48056==ABORTING
It seems that if I ran this command multiple times, it can crash different objects, here is another ASAN output, using the same input:
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
libavutil 56. 58.100 / 56. 58.100
libavcodec 58.100.100 / 58.100.100
libavformat 58. 50.100 / 58. 50.100
libavdevice 58. 11.101 / 58. 11.101
libavfilter 7. 87.100 / 7. 87.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100
[aac @ 0x61b000000080] Format aac detected only with low score of 1, misdetection possible!
[aac @ 0x619000000580] More than one AAC RDB per ADTS frame is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS).
[aac @ 0x619000000580] Sample rate index in program config element does not match the sample rate index configured by the container.
=================================================================
==73492==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe338744d7 at pc 0x0000029497f1 bp 0x7ffe33873cd0 sp 0x7ffe33873cc8
READ of size 1 at 0x7ffe338744d7 thread T0
#0 0x29497f0 (/home/seviezhou/ffmpeg/ffmpeg+0x29497f0)
#1 0x2959670 (/home/seviezhou/ffmpeg/ffmpeg+0x2959670)
#2 0x2941d83 (/home/seviezhou/ffmpeg/ffmpeg+0x2941d83)
#3 0x126e91c (/home/seviezhou/ffmpeg/ffmpeg+0x126e91c)
#4 0x126e22d (/home/seviezhou/ffmpeg/ffmpeg+0x126e22d)
#5 0xfbf83f (/home/seviezhou/ffmpeg/ffmpeg+0xfbf83f)
#6 0xfb6db4 (/home/seviezhou/ffmpeg/ffmpeg+0xfb6db4)
#7 0x51815a (/home/seviezhou/ffmpeg/ffmpeg+0x51815a)
#8 0x516cca (/home/seviezhou/ffmpeg/ffmpeg+0x516cca)
#9 0x5166f5 (/home/seviezhou/ffmpeg/ffmpeg+0x5166f5)
#10 0x555cef (/home/seviezhou/ffmpeg/ffmpeg+0x555cef)
#11 0x7f0651f26b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41dea9 in _init (/home/seviezhou/ffmpeg/ffmpeg+0x41dea9)
Address 0x7ffe338744d7 is located in stack of thread T0 at offset 2039 in frame
#0 0x294596f (/home/seviezhou/ffmpeg/ffmpeg+0x294596f)
This frame has 26 object(s):
[32, 37) '.compoundliteral.sroa.5.i.i' (line 199)
[64, 69) '.compoundliteral11.sroa.5.i.i' (line 199)
[96, 101) '.compoundliteral22.sroa.5.i.i' (line 199)
[128, 1152) 'e2c_vec.i' (line 263)
[1280, 1285) '.compoundliteral.sroa.5.i' (line 260)
[1312, 1317) '.compoundliteral60.sroa.5.i' (line 260)
[1344, 1349) '.compoundliteral80.sroa.5.i' (line 260)
[1376, 1381) '.compoundliteral99.sroa.5.i' (line 260)
[1408, 1413) '.compoundliteral118.sroa.5.i' (line 260)
[1440, 1445) '.compoundliteral133.sroa.5.i' (line 260)
[1472, 1477) '.compoundliteral156.sroa.5.i' (line 260)
[1504, 1509) '.compoundliteral176.sroa.5.i' (line 260)
[1536, 1541) '.compoundliteral193.sroa.5.i' (line 260)
[1568, 1584) 'SWAP_tmp.i' (line 438)
[1600, 1616) 'SWAP_tmp219.i' (line 439)
[1632, 1648) 'SWAP_tmp224.i' (line 440)
[1664, 1680) 'SWAP_tmp229.i' (line 441)
[1696, 1712) 'SWAP_tmp234.i' (line 442)
[1728, 1744) 'SWAP_tmp239.i' (line 443)
[1760, 1776) 'SWAP_tmp244.i' (line 444)
[1792, 1808) 'SWAP_tmp249.i' (line 445)
[1824, 1840) 'SWAP_tmp254.i' (line 446)
[1856, 1872) 'SWAP_tmp270.i' (line 454)
[1888, 1892) 'channels' (line 514)
[1904, 2016) 'id_map' (line 516)
[2048, 2055) 'type_counts' (line 517) <== Memory access at offset 2039 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/seviezhou/ffmpeg/ffmpeg+0x29497f0)
Shadow bytes around the buggy address:
0x100046706840: f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
0x100046706850: f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
0x100046706860: f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2
0x100046706870: f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2 f8 f8 f2 f2
0x100046706880: f8 f8 f2 f2 f8 f8 f2 f2 04 f2 00 00 00 00 00 00
=>0x100046706890: 00 00 00 00 00 00 00 00 f2 f2[f2]f2 07 f3 f3 f3
0x1000467068a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000467068b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000467068c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000467068d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000467068e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==73492==ABORTING
After it crashes, it also seems to mess up the terminal.
Attachments (1)
Change History (6)
by , 4 years ago
| Attachment: | stack-overflow-ffmpeg-JIT added |
|---|
comment:1 by , 4 years ago
| Component: | ffmpeg → avcodec |
|---|---|
| Keywords: | aac added; asan removed |
| Priority: | normal → important |
comment:2 by , 4 years ago
I am not surely if these three bug reports point to the same location. I think it is a little bit strange.
comment:3 by , 4 years ago
For the record I posted a patch set that would improve the sanity checks for 22.2 so that it is not as easy to get handled as such on the 18th, but so far have received no reviews:
https://patchwork.ffmpeg.org/project/ffmpeg/list/?series=2055
This causes both of the fuzzing samples I have received to no longer be an issue (with both valgrind and clang 10 ASAN), while it still enables valid 22.2 content to decode properly.
comment:4 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed by Jan Ekström in d6f293353c94c7ce200f6e0975ae3de49787f91f
comment:5 by , 3 years ago
Since the information in the CVE report is wrong:
This issue is neither reproducible with FFmpeg 4.3 nor earlier versions.
Note:
See TracTickets
for help on using tickets.
valgrind shows a possible issue: