#10308 closed defect (fixed)

heap-buffer-overflow in ffmpeg (get_vlc2 at libavcodec/get_bits.h:639)

Reported by: Youngseok Choi
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords: fuzzing, heap-overflow
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Hello, our fuzzer found a new heap-overflow bug.

Command to Reproduce

ffmpeg -err_detect ignore_err -i poc_file -f null @

poc_file is attached.

Command Output

ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
  built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
  configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
  libavutil      58.  5.100 / 58.  5.100
  libavcodec     60.  9.100 / 60.  9.100
  libavformat    60.  4.101 / 60.  4.101
  libavdevice    60.  2.100 / 60.  2.100
  libavfilter     9.  5.100 /  9.  5.100
  libswscale      7.  2.100 /  7.  2.100
  libswresample   4. 11.100 /  4. 11.100
[mpeg4 @ 0x619000000580] time_increment_bits 0 is invalid in relation to the current bitstream, this is likely caused by a missing VOL header
[mpeg4 @ 0x619000000580] time_increment_bits set to 14 bits, based on bitstream analysis
[mpeg4 @ 0x619000000580] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000000580] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000000580] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000000580] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000000580] N-bit not supported
[mpeg4 @ 0x619000000580] quant precision 15
[mpeg4 @ 0x619000000580] insufficient data for custom matrix
[mpeg4 @ 0x619000000580] looks like this file was encoded with (divx4/(old)xvid/opendivx) -> forcing low_delay flag
[mpeg4 @ 0x619000000580] [IMGUTILS @ 0x7fffffffc650] Picture size 0x0 is invalid
[mpeg4 @ 0x619000000580] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000000580] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000000580] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000000580] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000000580] N-bit not supported
[mpeg4 @ 0x619000000580] quant precision 15
[mpeg4 @ 0x619000000580] insufficient data for custom matrix
[mpeg4 @ 0x619000000580] Reverting picture dimensions change due to header decoding failure
[mpeg4 @ 0x619000000580] header damaged
Input #0, m4v, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/2_id:026013/poc_file':
  Duration: N/A, start: 4.997986, bitrate: N/A
  Stream #0:0: Video: mpeg4, yuv420p, 3x7038, 512.16 fps, 512 tbr, 1200k tbn
Stream mapping:
  Stream #0:0 -> #0:0 (mpeg4 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
[mpeg4 @ 0x619000003280] looks like this file was encoded with (divx4/(old)xvid/opendivx) -> forcing low_delay flag
[mpeg4 @ 0x619000003780] Context scratch buffers could not be allocated due to unknown size.
[mpeg4 @ 0x619000003780] warning: first frame is no keyframe
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 0
[mpeg4 @ 0x619000003780] Error at MB: 0
[mpeg4 @ 0x619000003780] ac-tex damaged at 0 16
[mpeg4 @ 0x619000003780] Error at MB: 32
[mpeg4 @ 0x619000003780] Error at MB: 40
[mpeg4 @ 0x619000003780] Error at MB: 46
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 24
[mpeg4 @ 0x619000003780] Error at MB: 48
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 25
[mpeg4 @ 0x619000003780] Error at MB: 50
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 26
[mpeg4 @ 0x619000003780] Error at MB: 52
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 27
[mpeg4 @ 0x619000003780] Error at MB: 54
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 28
[mpeg4 @ 0x619000003780] Error at MB: 56
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 29
[mpeg4 @ 0x619000003780] Error at MB: 58
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 30
[mpeg4 @ 0x619000003780] Error at MB: 60
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 31
[mpeg4 @ 0x619000003780] Error at MB: 62
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 32
[mpeg4 @ 0x619000003780] Error at MB: 64
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 33
[mpeg4 @ 0x619000003780] Error at MB: 66
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 34
[mpeg4 @ 0x619000003780] Error at MB: 68
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 35
[mpeg4 @ 0x619000003780] Error at MB: 70
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 36
[mpeg4 @ 0x619000003780] Error at MB: 72
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 37
[mpeg4 @ 0x619000003780] Error at MB: 74
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 38
[mpeg4 @ 0x619000003780] Error at MB: 76
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 39
[mpeg4 @ 0x619000003780] Error at MB: 78
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 40
[mpeg4 @ 0x619000003780] Error at MB: 80
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 41
[mpeg4 @ 0x619000003780] Error at MB: 82
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 42
[mpeg4 @ 0x619000003780] Error at MB: 84
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 43
[mpeg4 @ 0x619000003780] Error at MB: 86
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 44
[mpeg4 @ 0x619000003780] Error at MB: 88
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 45
[mpeg4 @ 0x619000003780] Error at MB: 90
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 46
[mpeg4 @ 0x619000003780] Error at MB: 92
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 47
[mpeg4 @ 0x619000003780] Error at MB: 94
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 48
[mpeg4 @ 0x619000003780] Error at MB: 96
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 49
[mpeg4 @ 0x619000003780] Error at MB: 98
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 50
[mpeg4 @ 0x619000003780] Error at MB: 100
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 51
[mpeg4 @ 0x619000003780] Error at MB: 102
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 52
[mpeg4 @ 0x619000003780] Error at MB: 104
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 53
[mpeg4 @ 0x619000003780] Error at MB: 106
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 54
[mpeg4 @ 0x619000003780] Error at MB: 108
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 55
[mpeg4 @ 0x619000003780] Error at MB: 110
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 56
[mpeg4 @ 0x619000003780] Error at MB: 112
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 57
[mpeg4 @ 0x619000003780] Error at MB: 114
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 58
[mpeg4 @ 0x619000003780] Error at MB: 116
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 59
[mpeg4 @ 0x619000003780] Error at MB: 118
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 60
[mpeg4 @ 0x619000003780] Error at MB: 120
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 61
[mpeg4 @ 0x619000003780] Error at MB: 122
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 62
[mpeg4 @ 0x619000003780] Error at MB: 124
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 63
[mpeg4 @ 0x619000003780] Error at MB: 126
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 64
[mpeg4 @ 0x619000003780] Error at MB: 128
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 65
[mpeg4 @ 0x619000003780] Error at MB: 130
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 66
[mpeg4 @ 0x619000003780] Error at MB: 132
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 67
[mpeg4 @ 0x619000003780] Error at MB: 134
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 68
[mpeg4 @ 0x619000003780] Error at MB: 136
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 69
[mpeg4 @ 0x619000003780] Error at MB: 138
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 70
[mpeg4 @ 0x619000003780] Error at MB: 140
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 71
[mpeg4 @ 0x619000003780] Error at MB: 142
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 72
[mpeg4 @ 0x619000003780] Error at MB: 144
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 73
[mpeg4 @ 0x619000003780] Error at MB: 146
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 74
[mpeg4 @ 0x619000003780] Error at MB: 148
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 75
[mpeg4 @ 0x619000003780] Error at MB: 150
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 76
[mpeg4 @ 0x619000003780] Error at MB: 152
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 77
[mpeg4 @ 0x619000003780] Error at MB: 154
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 78
[mpeg4 @ 0x619000003780] Error at MB: 156
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 79
[mpeg4 @ 0x619000003780] Error at MB: 158
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 80
[mpeg4 @ 0x619000003780] Error at MB: 160
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 81
[mpeg4 @ 0x619000003780] Error at MB: 162
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 82
[mpeg4 @ 0x619000003780] Error at MB: 164
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 83
[mpeg4 @ 0x619000003780] Error at MB: 166
=================================================================
[mpeg4 @ 0x619000003c80] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000003c80] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000003c80] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000003c80] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000003c80] N-bit not supported
[mpeg4 @ 0x619000003c80] quant precision 15
[mpeg4 @ 0x619000003c80] insufficient data for custom matrix
[mpeg4 @ 0x619000003c80] header damaged
[mpeg4 @ 0x619000004180] header damaged
Error while decoding stream #0:0: Invalid data found when processing input

Backtrace (asan)

==11134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000000a0 at pc 0x5555573e3f56 bp 0x7ffff14fd960 sp 0x7ffff14fd950
READ of size 4 at 0x60b0000000a0 thread T2 (av:mpeg4:df1)
    #0 0x5555573e3f55 in get_vlc2 libavcodec/get_bits.h:639
    #1 0x5555573e3f55 in mpeg4_decode_mb libavcodec/mpeg4videodec.c:1692
    #2 0x555556fbfc28 in decode_slice libavcodec/h263dec.c:248
    #3 0x555556fc3779 in ff_h263_decode_frame libavcodec/h263dec.c:594
    #4 0x555557621ab1 in frame_worker_thread libavcodec/pthread_frame.c:214
    #5 0x7ffff59d86da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #6 0x7ffff570161e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12161e)
0x60b0000000a3 is located 0 bytes to the right of 99-byte region [0x60b000000040,0x60b0000000a3)

allocated by thread T0 here:
    #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x555558d1133a in av_realloc libavutil/mem.c:162
    #2 0x555558ccb931 in av_buffer_realloc libavutil/buffer.c:192
    #3 0x555556b4ee09 in packet_alloc libavcodec/avpacket.c:88
    #4 0x555556b514ab in av_packet_make_refcounted libavcodec/avpacket.c:492
    #5 0x5555565b6256 in parse_packet libavformat/demux.c:1167
    #6 0x5555565b85a6 in read_frame_internal libavformat/demux.c:1334
    #7 0x5555565c5184 in avformat_find_stream_info libavformat/demux.c:2613
    #8 0x555555a95a11 in ifile_open fftools/ffmpeg_demux.c:1077
    #9 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
    #10 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
    #11 0x555555b195ba in main fftools/ffmpeg.c:4165
    #12 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Thread T2 (av:mpeg4:df1) created by T0 here:
    #0 0x7ffff6e4fd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x555557627dc3 in init_thread libavcodec/pthread_frame.c:797
    #2 0x555557628503 in ff_frame_thread_init libavcodec/pthread_frame.c:853
    #3 0x555557620b8b in ff_thread_init libavcodec/pthread.c:78
    #4 0x555556b4b1f4 in avcodec_open2 libavcodec/avcodec.c:309
    #5 0x555555b0b2d4 in init_input_stream fftools/ffmpeg.c:2838
    #6 0x555555b11ac8 in transcode_init fftools/ffmpeg.c:3335
    #7 0x555555b18980 in transcode fftools/ffmpeg.c:4020
    #8 0x555555b196f8 in main fftools/ffmpeg.c:4182
    #9 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

gdb didn't produce the assembly code around the program counter and the registers' info.

Thank you.

Attachments (1)

poc_file (210 bytes) - added by Youngseok Choi 18 months ago.
poc_file used in command input


Change History (3)

by Youngseok Choi, 18 months ago

Attachment: poc_file added

poc_file used in command input

comment:1 by Elon Musk, 17 months ago

Component: undetermined → avcodec
Priority: normal → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

comment:2 by Elon Musk, 13 months ago

Resolution: fixed
Status: open → closed