Opened 15 months ago

#10244 new defect

stack-buffer-overflow in ffmpeg (libavcodec/options.c:4)

Reported by: Youngseok Choi Owned by:
Priority: normal Component: ffmpeg
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Hello, we are developing a new fuzzing technique, and it found a stack-buffer-overflow in ffmpeg.

How to reproduce:

% ./ffmpeg -discard "" -i <input_file>

<input_file> is available at https://github.com/3-24/oss-fuzz-reports/raw/master/ffmpeg/poc_4/poc_file.

Stack Trace:

==16401==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffce3a8f980 at pc 0x558c3518c716 bp 0x7ffce3a8ce00 sp 0x7ffce3a8cdf0
READ of size 8 at 0x7ffce3a8f980 thread T0
    #0 0x558c3518c715 in context_to_name libavcodec/options.c:44
    #1 0x558c36928c38 in format_line libavutil/log.c:309
    #2 0x558c369295e3 in av_log_default_callback libavutil/log.c:368
    #3 0x558c3692a147 in av_vlog libavutil/log.c:434
    #4 0x558c36929d8d in av_log libavutil/log.c:413
    #5 0x558c3690685f in parse_primary libavutil/eval.c:387
    #6 0x558c369094a3 in parse_pow libavutil/eval.c:522
    #7 0x558c36909770 in parse_dB libavutil/eval.c:537
    #8 0x558c369098c9 in parse_factor libavutil/eval.c:544
    #9 0x558c36909e78 in parse_term libavutil/eval.c:571
    #10 0x558c3690a295 in parse_subexpr libavutil/eval.c:595
    #11 0x558c3690a6bb in parse_expr libavutil/eval.c:623
    #12 0x558c3690b33f in av_expr_parse libavutil/eval.c:716
    #13 0x558c3690be8e in av_expr_parse_and_eval libavutil/eval.c:783
    #14 0x558c36936994 in set_string_number libavutil/opt.c:307
    #15 0x558c36938720 in av_opt_eval_int libavutil/opt.c:602
    #16 0x558c336bcabc in add_input_streams fftools/ffmpeg_demux.c:784
    #17 0x558c336c2932 in ifile_open fftools/ffmpeg_demux.c:1165
    #18 0x558c337072f4 in open_files fftools/ffmpeg_opt.c:1244
    #19 0x558c33707669 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
    #20 0x558c337450df in main fftools/ffmpeg.c:4160
    #21 0x7fc525d28c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #22 0x558c336b0499 in _start (/home/youngseok/latest-subjects/ffmpeg/ffmpeg+0x52f499)

Environment:

  • OS: Ubuntu 18.04
  • gcc: 7.5.0
  • ffmpeg: version N-109968-gcc76e8340d (git-master)

Note that I built ffmpeg with address sanitizer.

./configure --extra-cflags="-fsanitize=address -g -O0" \
--extra-cxxflags="-fsanitize=address -g -O0" --extra-ldflags="-fsanitize=address -g -O0" \
--disable-optimizations --disable-stripping

Change History (0)

Note: See TracTickets for help on using tickets.