Opened 18 months ago
Closed 13 months ago
#10308 closed defect (fixed)
heap-buffer-overflow in ffmpeg (get_vlc2 at libavcodec/get_bits.h:639)
Reported by: | Youngseok Choi | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avcodec |
Version: | git-master | Keywords: | fuzzing, heap-overflow |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
Hello, our fuzzer found a new heap-overflow bug.
Command to Reproduce
```
ffmpeg -err_detect ignore_err -i poc_file -f null @
```
poc_file is attached.
Command Output
```
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
  built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
  configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
  libavutil      58.  5.100 / 58.  5.100
  libavcodec     60.  9.100 / 60.  9.100
  libavformat    60.  4.101 / 60.  4.101
  libavdevice    60.  2.100 / 60.  2.100
  libavfilter     9.  5.100 /  9.  5.100
  libswscale      7.  2.100 /  7.  2.100
  libswresample   4. 11.100 /  4. 11.100
[mpeg4 @ 0x619000000580] time_increment_bits 0 is invalid in relation to the current bitstream, this is likely caused by a missing VOL header
[mpeg4 @ 0x619000000580] time_increment_bits set to 14 bits, based on bitstream analysis
[mpeg4 @ 0x619000000580] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000000580] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000000580] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000000580] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000000580] N-bit not supported
[mpeg4 @ 0x619000000580] quant precision 15
[mpeg4 @ 0x619000000580] insufficient data for custom matrix
[mpeg4 @ 0x619000000580] looks like this file was encoded with (divx4/(old)xvid/opendivx) -> forcing low_delay flag
[mpeg4 @ 0x619000000580] [IMGUTILS @ 0x7fffffffc650] Picture size 0x0 is invalid
[mpeg4 @ 0x619000000580] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000000580] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000000580] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000000580] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000000580] N-bit not supported
[mpeg4 @ 0x619000000580] quant precision 15
[mpeg4 @ 0x619000000580] insufficient data for custom matrix
[mpeg4 @ 0x619000000580] Reverting picture dimensions change due to header decoding failure
[mpeg4 @ 0x619000000580] header damaged
Input #0, m4v, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/2_id:026013/poc_file':
  Duration: N/A, start: 4.997986, bitrate: N/A
  Stream #0:0: Video: mpeg4, yuv420p, 3x7038, 512.16 fps, 512 tbr, 1200k tbn
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg4 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
[mpeg4 @ 0x619000003280] looks like this file was encoded with (divx4/(old)xvid/opendivx) -> forcing low_delay flag
[mpeg4 @ 0x619000003780] Context scratch buffers could not be allocated due to unknown size.
[mpeg4 @ 0x619000003780] warning: first frame is no keyframe
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 0
[mpeg4 @ 0x619000003780] Error at MB: 0
[mpeg4 @ 0x619000003780] ac-tex damaged at 0 16
[mpeg4 @ 0x619000003780] Error at MB: 32
[mpeg4 @ 0x619000003780] Error at MB: 40
[mpeg4 @ 0x619000003780] Error at MB: 46
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 24
[mpeg4 @ 0x619000003780] Error at MB: 48
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 25
[mpeg4 @ 0x619000003780] Error at MB: 50
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 26
[mpeg4 @ 0x619000003780] Error at MB: 52
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 27
[mpeg4 @ 0x619000003780] Error at MB: 54
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 28
[mpeg4 @ 0x619000003780] Error at MB: 56
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 29
[mpeg4 @ 0x619000003780] Error at MB: 58
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 30
[mpeg4 @ 0x619000003780] Error at MB: 60
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 31
[mpeg4 @ 0x619000003780] Error at MB: 62
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 32
[mpeg4 @ 0x619000003780] Error at MB: 64
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 33
[mpeg4 @ 0x619000003780] Error at MB: 66
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 34
[mpeg4 @ 0x619000003780] Error at MB: 68
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 35
[mpeg4 @ 0x619000003780] Error at MB: 70
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 36
[mpeg4 @ 0x619000003780] Error at MB: 72
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 37
[mpeg4 @ 0x619000003780] Error at MB: 74
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 38
[mpeg4 @ 0x619000003780] Error at MB: 76
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 39
[mpeg4 @ 0x619000003780] Error at MB: 78
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 40
[mpeg4 @ 0x619000003780] Error at MB: 80
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 41
[mpeg4 @ 0x619000003780] Error at MB: 82
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 42
[mpeg4 @ 0x619000003780] Error at MB: 84
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 43
[mpeg4 @ 0x619000003780] Error at MB: 86
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 44
[mpeg4 @ 0x619000003780] Error at MB: 88
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 45
[mpeg4 @ 0x619000003780] Error at MB: 90
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 46
[mpeg4 @ 0x619000003780] Error at MB: 92
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 47
[mpeg4 @ 0x619000003780] Error at MB: 94
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 48
[mpeg4 @ 0x619000003780] Error at MB: 96
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 49
[mpeg4 @ 0x619000003780] Error at MB: 98
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 50
[mpeg4 @ 0x619000003780] Error at MB: 100
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 51
[mpeg4 @ 0x619000003780] Error at MB: 102
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 52
[mpeg4 @ 0x619000003780] Error at MB: 104
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 53
[mpeg4 @ 0x619000003780] Error at MB: 106
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 54
[mpeg4 @ 0x619000003780] Error at MB: 108
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 55
[mpeg4 @ 0x619000003780] Error at MB: 110
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 56
[mpeg4 @ 0x619000003780] Error at MB: 112
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 57
[mpeg4 @ 0x619000003780] Error at MB: 114
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 58
[mpeg4 @ 0x619000003780] Error at MB: 116
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 59
[mpeg4 @ 0x619000003780] Error at MB: 118
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 60
[mpeg4 @ 0x619000003780] Error at MB: 120
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 61
[mpeg4 @ 0x619000003780] Error at MB: 122
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 62
[mpeg4 @ 0x619000003780] Error at MB: 124
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 63
[mpeg4 @ 0x619000003780] Error at MB: 126
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 64
[mpeg4 @ 0x619000003780] Error at MB: 128
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 65
[mpeg4 @ 0x619000003780] Error at MB: 130
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 66
[mpeg4 @ 0x619000003780] Error at MB: 132
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 67
[mpeg4 @ 0x619000003780] Error at MB: 134
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 68
[mpeg4 @ 0x619000003780] Error at MB: 136
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 69
[mpeg4 @ 0x619000003780] Error at MB: 138
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 70
[mpeg4 @ 0x619000003780] Error at MB: 140
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 71
[mpeg4 @ 0x619000003780] Error at MB: 142
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 72
[mpeg4 @ 0x619000003780] Error at MB: 144
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 73
[mpeg4 @ 0x619000003780] Error at MB: 146
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 74
[mpeg4 @ 0x619000003780] Error at MB: 148
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 75
[mpeg4 @ 0x619000003780] Error at MB: 150
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 76
[mpeg4 @ 0x619000003780] Error at MB: 152
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 77
[mpeg4 @ 0x619000003780] Error at MB: 154
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 78
[mpeg4 @ 0x619000003780] Error at MB: 156
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 79
[mpeg4 @ 0x619000003780] Error at MB: 158
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 80
[mpeg4 @ 0x619000003780] Error at MB: 160
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 81
[mpeg4 @ 0x619000003780] Error at MB: 162
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 82
[mpeg4 @ 0x619000003780] Error at MB: 164
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 83
[mpeg4 @ 0x619000003780] Error at MB: 166
=================================================================
[mpeg4 @ 0x619000003c80] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000003c80] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000003c80] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000003c80] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000003c80] N-bit not supported
[mpeg4 @ 0x619000003c80] quant precision 15
[mpeg4 @ 0x619000003c80] insufficient data for custom matrix
[mpeg4 @ 0x619000003c80] header damaged
[mpeg4 @ 0x619000004180] header damaged
Error while decoding stream #0:0: Invalid data found when processing input
```
Backtrace (asan)
```
==11134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000000a0 at pc 0x5555573e3f56 bp 0x7ffff14fd960 sp 0x7ffff14fd950
READ of size 4 at 0x60b0000000a0 thread T2 (av:mpeg4:df1)
    #0 0x5555573e3f55 in get_vlc2 libavcodec/get_bits.h:639
    #1 0x5555573e3f55 in mpeg4_decode_mb libavcodec/mpeg4videodec.c:1692
    #2 0x555556fbfc28 in decode_slice libavcodec/h263dec.c:248
    #3 0x555556fc3779 in ff_h263_decode_frame libavcodec/h263dec.c:594
    #4 0x555557621ab1 in frame_worker_thread libavcodec/pthread_frame.c:214
    #5 0x7ffff59d86da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #6 0x7ffff570161e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12161e)

0x60b0000000a3 is located 0 bytes to the right of 99-byte region [0x60b000000040,0x60b0000000a3)
allocated by thread T0 here:
    #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x555558d1133a in av_realloc libavutil/mem.c:162
    #2 0x555558ccb931 in av_buffer_realloc libavutil/buffer.c:192
    #3 0x555556b4ee09 in packet_alloc libavcodec/avpacket.c:88
    #4 0x555556b514ab in av_packet_make_refcounted libavcodec/avpacket.c:492
    #5 0x5555565b6256 in parse_packet libavformat/demux.c:1167
    #6 0x5555565b85a6 in read_frame_internal libavformat/demux.c:1334
    #7 0x5555565c5184 in avformat_find_stream_info libavformat/demux.c:2613
    #8 0x555555a95a11 in ifile_open fftools/ffmpeg_demux.c:1077
    #9 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
    #10 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
    #11 0x555555b195ba in main fftools/ffmpeg.c:4165
    #12 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Thread T2 (av:mpeg4:df1) created by T0 here:
    #0 0x7ffff6e4fd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x555557627dc3 in init_thread libavcodec/pthread_frame.c:797
    #2 0x555557628503 in ff_frame_thread_init libavcodec/pthread_frame.c:853
    #3 0x555557620b8b in ff_thread_init libavcodec/pthread.c:78
    #4 0x555556b4b1f4 in avcodec_open2 libavcodec/avcodec.c:309
    #5 0x555555b0b2d4 in init_input_stream fftools/ffmpeg.c:2838
    #6 0x555555b11ac8 in transcode_init fftools/ffmpeg.c:3335
    #7 0x555555b18980 in transcode fftools/ffmpeg.c:4020
    #8 0x555555b196f8 in main fftools/ffmpeg.c:4182
    #9 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
```
gdb didn't produce the assembly code around the program counter and the registers' info.
Thank you.
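An added triage helper for the ASan report in this ticket (example code written for this page; it is not part of FFmpeg and not something the reporter supplied). It parses the flattened report text, separates the access stack from the allocation stack even though ASan restarts frame numbering at #0 in each, checks that the stated region size agrees with its bounds, and computes how much of the access lies outside the allocation. For this report that is a 4-byte read at 0x60b0000000a0 against a 99-byte region ending at 0x60b0000000a3: three bytes inside and one past the end, i.e. a 32-bit fetch by the bit reader in get_vlc2 straddling the end of the packet buffer. The names ASAN_REPORT, Frame, Triage, parse_asan_report, first_source_frame and summarize are this example's own; ALLOC_WRAPPERS is an assumption listing the FFmpeg allocator wrappers that appear in the report, used only to skip past them to the caller that sized the buffer.

```python
"""Triage helper for an AddressSanitizer heap-buffer-overflow report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the ASan report quoted in this ticket, flattened onto one string the way
# the tracker rendered it; the stacks are cut short for brevity.
ASAN_REPORT = (
    "==11134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000000a0 "
    "at pc 0x5555573e3f56 bp 0x7ffff14fd960 sp 0x7ffff14fd950 "
    "READ of size 4 at 0x60b0000000a0 thread T2 (av:mpeg4:df1) "
    "#0 0x5555573e3f55 in get_vlc2 libavcodec/get_bits.h:639 "
    "#1 0x5555573e3f55 in mpeg4_decode_mb libavcodec/mpeg4videodec.c:1692 "
    "#2 0x555556fbfc28 in decode_slice libavcodec/h263dec.c:248 "
    "#3 0x555556fc3779 in ff_h263_decode_frame libavcodec/h263dec.c:594 "
    "#4 0x555557621ab1 in frame_worker_thread libavcodec/pthread_frame.c:214 "
    "0x60b0000000a3 is located 0 bytes to the right of 99-byte region "
    "[0x60b000000040,0x60b0000000a3) allocated by thread T0 here: "
    "#0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) "
    "#1 0x555558d1133a in av_realloc libavutil/mem.c:162 "
    "#2 0x555558ccb931 in av_buffer_realloc libavutil/buffer.c:192 "
    "#3 0x555556b4ee09 in packet_alloc libavcodec/avpacket.c:88 "
    "Thread T2 (av:mpeg4:df1) created by T0 here: "
    "#0 0x7ffff6e4fd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f) "
    "#1 0x555557627dc3 in init_thread libavcodec/pthread_frame.c:797"
)

HEADER_RE = re.compile(r"AddressSanitizer: ([\w-]+) on address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at 0x([0-9a-fA-F]+) thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes? to the (left|right) of (\d+)-byte region "
                       r"\[0x([0-9a-fA-F]+),0x([0-9a-fA-F]+)\)")
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
# Assumption of this example: FFmpeg allocator wrappers named in the report, skipped so the
# "buffer sized by" summary lands on the caller that chose the size.
ALLOC_WRAPPERS: Tuple[str, ...] = ("av_realloc", "av_buffer_realloc")

@dataclass
class Frame:
    index: int
    func: str
    where: str  # "path:line" for instrumented code, "(lib+offset)" for system libraries

    @property
    def has_source(self) -> bool:
        return not self.where.startswith("(")

@dataclass
class Triage:
    kind: str
    op: str
    size: int
    addr: int
    thread: str
    region_lo: int
    region_hi: int
    access_stack: List[Frame]
    alloc_stack: List[Frame]

    @property
    def bytes_in_bounds(self) -> int:
        # Overlap of the accessed range [addr, addr + size) with the allocation.
        lo, hi = max(self.addr, self.region_lo), min(self.addr + self.size, self.region_hi)
        return max(0, hi - lo)

    @property
    def bytes_out_of_bounds(self) -> int:
        return self.size - self.bytes_in_bounds

def first_source_frame(frames: List[Frame], skip: Tuple[str, ...] = ()) -> Optional[Frame]:
    """First frame inside instrumented code whose function is not listed in `skip`."""
    return next((f for f in frames if f.has_source and f.func not in skip), None)

def parse_asan_report(text: str) -> Triage:
    header, access, region = HEADER_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a heap-buffer-overflow report of the expected shape")
    # Frame numbers restart at #0 in every stack, so the stacks are split by position:
    # access frames precede "is located", allocation frames follow it and stop at the
    # optional "created by" thread-creation stack.
    frames = lambda part: [Frame(int(i), f, w) for i, f, w in FRAME_RE.findall(part)]
    access_part = text[access.end():region.start()]
    alloc_part = text[region.end():].split("created by", 1)[0]
    lo, hi = int(region.group(4), 16), int(region.group(5), 16)
    if hi - lo != int(region.group(3)):  # ASan prints both; a mismatch means a mangled report
        raise ValueError("region bounds disagree with the reported region size")
    return Triage(header.group(1), access.group(1), int(access.group(2)), int(access.group(3), 16),
                  access.group(4), lo, hi, frames(access_part), frames(alloc_part))

def summarize(t: Triage) -> str:
    crash = first_source_frame(t.access_stack)
    alloc = first_source_frame(t.alloc_stack, skip=ALLOC_WRAPPERS)
    name = lambda f: f"{f.func} ({f.where})" if f else "?"
    return (f"{t.kind}: {t.op} of {t.size} bytes on {t.thread}, {t.bytes_in_bounds} inside and "
            f"{t.bytes_out_of_bounds} past the end of a {t.region_hi - t.region_lo}-byte region; "
            f"fault in {name(crash)}, buffer sized by {name(alloc)}")
```

Running `summarize(parse_asan_report(ASAN_REPORT))` yields one line naming the faulting frame (get_vlc2 at libavcodec/get_bits.h:639), the function that sized the buffer (packet_alloc at libavcodec/avpacket.c:88) and the 3-inside / 1-past-the-end split, which is the kind of one-line key a fuzzing queue can deduplicate on. The region-size consistency check exists because trackers and mail clients regularly mangle long ASan lines, and a silently misparsed region would make the overlap arithmetic meaningless.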
Attachments (1)
Change History (3)
by , 18 months ago
comment:1 by , 17 months ago
Component: | undetermined → avcodec |
---|---|
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |
Version: | unspecified → git-master |
comment:2 by , 13 months ago
Resolution: | → fixed |
---|---|
Status: | open → closed |
poc_file used in command input