id summary reporter owner description type status priority component version resolution keywords cc blockedby blocking reproduced analyzed 10319 heap overflow in ffmpeg(add_input_streams fftools/ffmpeg_demux.c:691) Youngseok Choi "Our fuzzer found a new heap overflow bug in ffmpeg. **Command Input** {{{ ffmpeg -tag F -pattern_type 1 -i ?.y }}} Interestingly, there is no input file. Only command line arguments lead ffmpeg to crash. **Command Output** {{{ ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04) configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping libavutil 58. 5.100 / 58. 5.100 libavcodec 60. 9.100 / 60. 9.100 libavformat 60. 4.101 / 60. 4.101 libavdevice 60. 2.100 / 60. 2.100 libavfilter 9. 5.100 / 9. 5.100 libswscale 7. 2.100 / 7. 2.100 libswresample 4. 11.100 / 4. 11.100 [rawvideo @ 0x619000000580] Invalid pixel format. [image2 @ 0x617000000080] Failed to open codec in avformat_find_stream_info [image2 @ 0x617000000080] Could not open file : ?.y [rawvideo @ 0x619000000580] Invalid pixel format. [image2 @ 0x617000000080] Failed to open codec in avformat_find_stream_info [image2 @ 0x617000000080] Could not find codec parameters for stream 0 (Video: rawvideo, none): unspecified size Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options }}} **Sanitizer Dump** {{{ ==19936==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b0 at pc 0x555555a8dd9e bp 0x7fffffffc820 sp 0x7fffffffc810 READ of size 4 at 0x6020000000b0 thread T0 #0 0x555555a8dd9d in add_input_streams fftools/ffmpeg_demux.c:691 #1 0x555555a96932 in ifile_open fftools/ffmpeg_demux.c:1165 #2 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244 #3 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283 #4 0x555555b195ba in main fftools/ffmpeg.c:4165 #5 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #6 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499) 0x6020000000b2 is located 0 bytes to the right of 2-byte region [0x6020000000b0,0x6020000000b2) allocated by thread T0 here: #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30) #1 0x555558d1133a in av_realloc libavutil/mem.c:162 #2 0x555558d1207d in av_strdup libavutil/mem.c:275 #3 0x555555ae2178 in write_option fftools/cmdutils.c:282 #4 0x555555ae31c4 in parse_optgroup fftools/cmdutils.c:405 #5 0x555555adb2d2 in open_files fftools/ffmpeg_opt.c:1235 #6 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283 #7 0x555555b195ba in main fftools/ffmpeg.c:4165 #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) }}} **Environment** Built with address sanitizer. {{{ ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04) configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping }}}" defect closed normal ffmpeg git-master fixed fuzzing heap-overflow 0 0