id	summary	reporter	owner	description	type	status	priority	component	version	resolution	keywords	cc	blockedby	blocking	reproduced	analyzed
10309	heap-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610)	Youngseok Choi		"Our fuzzer found a new heap overflow bug in FFmpeg.

**Command input**
{{{
ffmpeg -i poc_file -f mp4 -tag e @
}}}

**Command Output**
{{{
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
  built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
  configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
  libavutil      58.  5.100 / 58.  5.100
  libavcodec     60.  9.100 / 60.  9.100
  libavformat    60.  4.101 / 60.  4.101
  libavdevice    60.  2.100 / 60.  2.100
  libavfilter     9.  5.100 /  9.  5.100
  libswscale      7.  2.100 /  7.  2.100
  libswresample   4. 11.100 /  4. 11.100
[amr @ 0x617000000080] Estimating duration from bitrate, this may be inaccurate
Input #0, amr, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/5_id:012265/poc_file':
  Duration: 00:00:00.03, bitrate: 14 kb/s
  Stream #0:0: Audio: amr_nb (samr / 0x726D6173), 8000 Hz, mono, fltp, 12 kb/s
}}}

**Backtrace** (Asan dump)

{{{
=================================================================
==16792==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000470 at pc 0x555555ab684c bp 0x7fffffffb8f0 sp 0x7fffffffb8e0
READ of size 4 at 0x602000000470 thread T0
    #0 0x555555ab684b in new_output_stream fftools/ffmpeg_mux_init.c:610
    #1 0x555555ac20a6 in new_audio_stream fftools/ffmpeg_mux_init.c:952
    #2 0x555555ac72ae in map_auto_audio fftools/ffmpeg_mux_init.c:1230
    #3 0x555555ac9214 in create_streams fftools/ffmpeg_mux_init.c:1432
    #4 0x555555ad2482 in of_open fftools/ffmpeg_mux_init.c:2274
    #5 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
    #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
    #7 0x555555b195ba in main fftools/ffmpeg.c:4165
    #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #9 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)

0x602000000472 is located 0 bytes to the right of 2-byte region [0x602000000470,0x602000000472)
allocated by thread T0 here:
    #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x555558d1133a in av_realloc libavutil/mem.c:162
    #2 0x555558d1207d in av_strdup libavutil/mem.c:275
    #3 0x555555ae2178 in write_option fftools/cmdutils.c:282
    #4 0x555555ae31c4 in parse_optgroup fftools/cmdutils.c:405
    #5 0x555555adb2d2 in open_files fftools/ffmpeg_opt.c:1235
    #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
    #7 0x555555b195ba in main fftools/ffmpeg.c:4165
    #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86
}}}

**Environment**

We used the git master branch version to test FFmpeg. To detect heap overflows, it was built with AddressSanitizer.
OS: Ubuntu 18.04
GCC: 7.5.0"	defect	closed	normal	undetermined	git-master	fixed	fuzzing, heap-overflow				0	0
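The report above shows a 4-byte READ from a 2-byte heap region: the `-tag e` value is strdup'd as "e\0" and then consumed as a 32-bit fourcc. The following is an added illustration, not FFmpeg's own code; the exact shape of the code at ffmpeg_mux_init.c:610 is assumed from the backtrace, `rl32` is a local stand-in for FFmpeg's AV_RL32 macro, and the inputs are constructed. It places the unsafe read beside a bounded variant that zero-pads short tags instead of running past the end of the option string.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Local stand-in for FFmpeg's AV_RL32(): read 4 bytes, little-endian. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed shape of the crashing code: if the option is not numeric, treat
 * the string itself as a fourcc and read 4 bytes from it. With "-tag e" the
 * option buffer is only 2 bytes ("e\0"), so the read overruns the heap
 * allocation exactly as the ASan dump reports. Not invoked below. */
static uint32_t parse_tag_unsafe(const char *codec_tag)
{
    char *next;
    uint32_t tag = strtol(codec_tag, &next, 0);
    if (*next)
        tag = rl32((const uint8_t *)codec_tag); /* OOB read if strlen < 4 */
    return tag;
}

/* Bounded variant: copy at most 4 bytes into a zero-initialised buffer and
 * read the fourcc from that, so a short tag yields a zero-padded value and
 * the read never leaves the option string. */
static uint32_t parse_tag_safe(const char *codec_tag)
{
    char *next;
    uint32_t tag = strtol(codec_tag, &next, 0);
    if (*next) {
        uint8_t buf[4] = { 0 };
        size_t len = strlen(codec_tag);
        memcpy(buf, codec_tag, len < sizeof(buf) ? len : sizeof(buf));
        tag = rl32(buf);
    }
    return tag;
}

int main(void)
{
    /* Constructed inputs: the crashing value from the ticket, a full fourcc,
     * and a numeric tag that takes the strtol path. */
    printf("tag 'e'          -> 0x%08x\n", parse_tag_safe("e"));
    printf("tag 'mp4a'       -> 0x%08x\n", parse_tag_safe("mp4a"));
    printf("tag '0x7634706d' -> 0x%08x\n", parse_tag_safe("0x7634706d"));
    return 0;
}
```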
