Opened 14 months ago
Closed 13 months ago
#10309 closed defect (fixed)
heap-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610)
| Reported by: | Youngseok Choi | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | git-master | Keywords: | fuzzing, heap-overflow |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description (last modified by )
Our fuzzer found a new heap overflow bug in FFmpeg.
Command input
ffmpeg -i poc_file -f mp4 -tag e @
Command Output
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04) configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping libavutil 58. 5.100 / 58. 5.100 libavcodec 60. 9.100 / 60. 9.100 libavformat 60. 4.101 / 60. 4.101 libavdevice 60. 2.100 / 60. 2.100 libavfilter 9. 5.100 / 9. 5.100 libswscale 7. 2.100 / 7. 2.100 libswresample 4. 11.100 / 4. 11.100 [amr @ 0x617000000080] Estimating duration from bitrate, this may be inaccurate Input #0, amr, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/5_id:012265/poc_file': Duration: 00:00:00.03, bitrate: 14 kb/s Stream #0:0: Audio: amr_nb (samr / 0x726D6173), 8000 Hz, mono, fltp, 12 kb/s
Backtrace (Asan dump)
=================================================================
==16792==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000470 at pc 0x555555ab684c bp 0x7fffffffb8f0 sp 0x7fffffffb8e0
READ of size 4 at 0x602000000470 thread T0
#0 0x555555ab684b in new_output_stream fftools/ffmpeg_mux_init.c:610
#1 0x555555ac20a6 in new_audio_stream fftools/ffmpeg_mux_init.c:952
#2 0x555555ac72ae in map_auto_audio fftools/ffmpeg_mux_init.c:1230
#3 0x555555ac9214 in create_streams fftools/ffmpeg_mux_init.c:1432
#4 0x555555ad2482 in of_open fftools/ffmpeg_mux_init.c:2274
#5 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
#6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
#7 0x555555b195ba in main fftools/ffmpeg.c:4165
#8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#9 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)
0x602000000472 is located 0 bytes to the right of 2-byte region [0x602000000470,0x602000000472)
allocated by thread T0 here:
#0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
#1 0x555558d1133a in av_realloc libavutil/mem.c:162
#2 0x555558d1207d in av_strdup libavutil/mem.c:275
#3 0x555555ae2178 in write_option fftools/cmdutils.c:282
#4 0x555555ae31c4 in parse_optgroup fftools/cmdutils.c:405
#5 0x555555adb2d2 in open_files fftools/ffmpeg_opt.c:1235
#6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
#7 0x555555b195ba in main fftools/ffmpeg.c:4165
#8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86
Environment
We used git master branch version to test FFmpeg. To detect heap overflow, it is built with address sanitizer.
OS: Ubuntu 18.04
GCC: 7.5.0
Attachments (1)
Change History (3)
by , 14 months ago
comment:1 by , 14 months ago
| Description: | modified (diff) |
|---|
comment:2 by , 13 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
| Summary: | haep-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610) → heap-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610) |
Fixed in 89c9a3ac3542.
Backported to:
- 6.0 as 8f61cbf1b92
- 5.1 as 1e413487bf8
- 5.0 as e30302c6363
Note:
See TracTickets
for help on using tickets.
poc_file used in command input