#10309 closed defect (fixed)

heap-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610)

Reported by: Youngseok Choi
Owned by: (unassigned)
Priority: normal
Component: undetermined
Version: git-master
Keywords: fuzzing, heap-overflow
Cc: (none)
Blocked By: (none)
Blocking: (none)
Reproduced by developer: no
Analyzed by developer: no

Description (last modified by Youngseok Choi)

Our fuzzer found a new heap overflow bug in FFmpeg.

Command input

ffmpeg -i poc_file -f mp4 -tag e @

Command Output

ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
  built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
  configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
  libavutil      58.  5.100 / 58.  5.100
  libavcodec     60.  9.100 / 60.  9.100
  libavformat    60.  4.101 / 60.  4.101
  libavdevice    60.  2.100 / 60.  2.100
  libavfilter     9.  5.100 /  9.  5.100
  libswscale      7.  2.100 /  7.  2.100
  libswresample   4. 11.100 /  4. 11.100
[amr @ 0x617000000080] Estimating duration from bitrate, this may be inaccurate
Input #0, amr, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/5_id:012265/poc_file':
  Duration: 00:00:00.03, bitrate: 14 kb/s
  Stream #0:0: Audio: amr_nb (samr / 0x726D6173), 8000 Hz, mono, fltp, 12 kb/s

Backtrace (Asan dump)

=================================================================
==16792==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000470 at pc 0x555555ab684c bp 0x7fffffffb8f0 sp 0x7fffffffb8e0
READ of size 4 at 0x602000000470 thread T0
    #0 0x555555ab684b in new_output_stream fftools/ffmpeg_mux_init.c:610
    #1 0x555555ac20a6 in new_audio_stream fftools/ffmpeg_mux_init.c:952
    #2 0x555555ac72ae in map_auto_audio fftools/ffmpeg_mux_init.c:1230
    #3 0x555555ac9214 in create_streams fftools/ffmpeg_mux_init.c:1432
    #4 0x555555ad2482 in of_open fftools/ffmpeg_mux_init.c:2274
    #5 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
    #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
    #7 0x555555b195ba in main fftools/ffmpeg.c:4165
    #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #9 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)

0x602000000472 is located 0 bytes to the right of 2-byte region [0x602000000470,0x602000000472)
allocated by thread T0 here:
    #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x555558d1133a in av_realloc libavutil/mem.c:162
    #2 0x555558d1207d in av_strdup libavutil/mem.c:275
    #3 0x555555ae2178 in write_option fftools/cmdutils.c:282
    #4 0x555555ae31c4 in parse_optgroup fftools/cmdutils.c:405
    #5 0x555555adb2d2 in open_files fftools/ffmpeg_opt.c:1235
    #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
    #7 0x555555b195ba in main fftools/ffmpeg.c:4165
    #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Environment

We used the git master branch to test FFmpeg. To detect heap overflows, it was built with AddressSanitizer.
OS: Ubuntu 18.04
GCC: 7.5.0
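The ASan report above describes a 4-byte read from a 2-byte heap region: the `-tag e` argument is stored with av_strdup (the letter plus its terminating NUL) and then read as a 32-bit value in new_output_stream. The C program below is an added illustration of that bug class and its mitigation; it is not FFmpeg's code and not the fix referenced in this ticket. It assumes (hypothetically) that a tag value is taken as a numeric literal when strtol can parse it and otherwise as a 4-byte little-endian fourcc, and shows the overreading pattern beside a version that bounds the read by the string length. The function names and inputs are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian 32-bit read, the byte layout used for fourcc-style codec tags. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Assumed shape of the bug (hypothetical, not FFmpeg's code): a tag value that
 * is not a numeric literal is reinterpreted as a fourcc by reading 4 bytes from
 * the heap-allocated string. A strdup of "e" allocates 2 bytes, so the read
 * overruns by 2, matching the "READ of size 4 ... 2-byte region" ASan reports.
 * Kept only for contrast; never call it with strings shorter than 4 bytes.
 */
static uint32_t parse_codec_tag_unsafe(const char *s)
{
    char *end;
    uint32_t tag = (uint32_t)strtol(s, &end, 0);
    if (*end)
        tag = rl32((const uint8_t *)s);   /* no length check before the 4-byte read */
    return tag;
}

/*
 * Hardened version: copy at most 4 bytes into a zero-filled scratch buffer and
 * read the 32-bit value from there. Short tags are NUL-padded instead of
 * overread, and tags longer than 4 characters are truncated to their first 4.
 */
static uint32_t parse_codec_tag(const char *s)
{
    char *end;
    uint32_t tag = (uint32_t)strtol(s, &end, 0);
    if (*end) {
        uint8_t buf[4] = { 0 };
        size_t n = strlen(s);
        memcpy(buf, s, n < sizeof(buf) ? n : sizeof(buf));
        tag = rl32(buf);
    }
    return tag;
}

int main(void)
{
    /* Constructed inputs: the ticket's own "-tag e" plus a few typical values. */
    const char *inputs[] = { "e", "mp4a", "0x7634706d", "toolong" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        /* Same allocation pattern as a strdup: exactly strlen + 1 bytes on the heap. */
        size_t len = strlen(inputs[i]) + 1;
        char *heap = malloc(len);
        if (!heap)
            return 1;
        memcpy(heap, inputs[i], len);
        printf("%-12s -> 0x%08x\n", inputs[i], parse_codec_tag(heap));
        free(heap);
    }
    return 0;
}
```

Built with `-fsanitize=address`, the hardened parser handles the 2-byte "e" allocation without a report, because the only 4-byte read happens on the stack buffer; the contrast function is the one that would trigger the heap-buffer-overflow on that input.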

Attachments (1)

poc_file (47 bytes) - added by Youngseok Choi 17 months ago.
poc_file used in command input


Change History (3)

by Youngseok Choi, 17 months ago

Attachment: poc_file added

poc_file used in command input

comment:1 by Youngseok Choi, 17 months ago

Description: modified (diff)

comment:2 by elenril, 17 months ago

Resolution: fixed
Status: new → closed
Summary: haep-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610) → heap-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610)

Fixed in 89c9a3ac3542.

Backported to:

  • 6.0 as 8f61cbf1b92
  • 5.1 as 1e413487bf8
  • 5.0 as e30302c6363