stack-buffer-overflow in FFmpeg (libavcodec/aacenc_tns.c:203 in ff_aac_search_for_tns)

[Youngseok Choi]

Our fuzzer found a new stack overflow bug.

Command Input

ffmpeg -i poc_file -aac_pred true .mpd

poc_file is attached.

Command Output

ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
  built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
  configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
  libavutil      58.  5.100 / 58.  5.100
  libavcodec     60.  9.100 / 60.  9.100
  libavformat    60.  4.101 / 60.  4.101
  libavdevice    60.  2.100 / 60.  2.100
  libavfilter     9.  5.100 /  9.  5.100
  libswscale      7.  2.100 /  7.  2.100
  libswresample   4. 11.100 /  4. 11.100
[ea_cdata @ 0x617000000080] Format ea_cdata detected only with low score of 12, misdetection possible!
[aist#0:0/adpcm_ea_xas @ 0x616000000980] Guessed Channel Layout: mono
Input #0, ea_cdata, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/1_id:024501/poc_file':
  Duration: N/A, start: 0.000000, bitrate: N/A
  Stream #0:0: Audio: adpcm_ea_xas, 304 Hz, 1 channels, s16p
Stream mapping:
  Stream #0:0 -> #0:0 (adpcm_ea_xas (native) -> aac (native))
Press [q] to stop, [?] for help
[ea_cdata @ 0x617000000080] Packet corrupt (stream = 0, dts = NOPTS).
[in#0/ea_cdata @ 0x612000000040] corrupt input packet in stream 0
[aac @ 0x619000001e80] Too many bits 9613.061224 > 6144 per frame requested, clamping to max
[aac @ 0x619000001e80] Chainging profile to "aac_main"
[dash @ 0x617000000400] Opening 'init-stream0.m4s' for writing
Output #0, dash, to '.mpd':
  Metadata:
    encoder         : Lavf60.4.101
  Stream #0:0: Audio: aac (Main), 7350 Hz, mono, fltp, 44 kb/s
    Metadata:
      encoder         : Lavc60.9.100 aac
[adpcm_ea_xas @ 0x619000000a80] invalid number of samples in packet
Error while decoding stream #0:0: Invalid data found when processing input
[dash @ 0x617000000400] Opening 'chunk-stream0-00001.m4s.tmp' for writing

Stack Trace

==24765==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc958 at pc 0x55555881107c bp 0x7fffffffc8a0 sp 0x7fffffffc890
READ of size 4 at 0x7fffffffc958 thread T0
    #0 0x55555881107b in ff_aac_search_for_tns libavcodec/aacenc_tns.c:203
    #1 0x55555817ebf0 in aac_encode_frame libavcodec/aacenc.c:1021
    #2 0x555556e51a6e in ff_encode_encode_cb libavcodec/encode.c:223
    #3 0x555556e525eb in encode_simple_internal libavcodec/encode.c:309
    #4 0x555556e52734 in encode_simple_receive_packet libavcodec/encode.c:323
    #5 0x555556e52c71 in encode_receive_packet_internal libavcodec/encode.c:357
    #6 0x555556e537e8 in avcodec_send_frame libavcodec/encode.c:506
    #7 0x555555af7260 in encode_frame fftools/ffmpeg.c:904
    #8 0x555555af871d in submit_encode_frame fftools/ffmpeg.c:985
    #9 0x555555af8d79 in do_audio_out fftools/ffmpeg.c:1046
    #10 0x555555afcb2c in reap_filters fftools/ffmpeg.c:1440
    #11 0x555555b17958 in transcode_from_filter fftools/ffmpeg.c:3887
    #12 0x555555b1822d in transcode_step fftools/ffmpeg.c:3975
    #13 0x555555b18a9e in transcode fftools/ffmpeg.c:4044
    #14 0x555555b196f8 in main fftools/ffmpeg.c:4182
    #15 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #16 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)

Environment

OS: Ubuntu 18.04
GCC: 7.5.0
FFmpeg: version N-110167-g97c95961f0, configured with following flags:

--extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping

[Youngseok Choi]

poc_file used in command input