Opened 7 months ago

Closed 7 months ago

#10686 closed defect (fixed)

heap-buffer-overflow at libavfilter/asrc_afirsrc.c:495:30 in config_eq_output in FFmpeg

Reported by: ZengYunxiang Owned by:
Priority: critical Component: avfilter
Version: git-master Keywords: bugs
Cc: ZengYunxiang Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

Dear developers, hello!
I recently proposed a new fuzzing method named fuzzyx, and found the following heap-buffer-overflow bug on FFmpeg6.1, please confirm.

POC file link:

poc1ffmpeg: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1ffmpeg

How to reproduce:

Reproduction:
git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1
cd ffmpeg6-1
git checkout 466799d
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
make -j30

./ffmpeg_g -y -i poc1ffmpeg -filter_complex afireqsrc tmp.mp4

ASAN Log:

=================================================================
==444674==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60a000000580 at pc 0x00000054dfe7 bp 0x7fffffff6ad0 sp 0x7fffffff6ac8
WRITE of size 4 at 0x60a000000580 thread T0
    #0 0x54dfe6 in config_eq_output /ffmpeg6-1/libavfilter/asrc_afirsrc.c:495:30
    #1 0x5d5cd9 in avfilter_config_links /ffmpeg6-1/libavfilter/avfilter.c:340:31
    #2 0x5d5c91 in avfilter_config_links /ffmpeg6-1/libavfilter/avfilter.c:329:24
    #3 0x5d5c91 in avfilter_config_links /ffmpeg6-1/libavfilter/avfilter.c:329:24
    #4 0x5e44d6 in graph_config_links /ffmpeg6-1/libavfilter/avfiltergraph.c:254:24
    #5 0x5e44d6 in avfilter_graph_config /ffmpeg6-1/libavfilter/avfiltergraph.c:1177:16
    #6 0x4ea9bd in configure_filtergraph /ffmpeg6-1/fftools/ffmpeg_filter.c:1681:16
    #7 0x4e5e0b in ofilter_bind_ost /ffmpeg6-1/fftools/ffmpeg_filter.c:763:15
    #8 0x512b21 in ost_add /ffmpeg6-1/fftools/ffmpeg_mux_init.c:1428:19
    #9 0x4fd744 in create_streams /ffmpeg6-1/fftools/ffmpeg_mux_init.c:1809:19
    #10 0x4fd744 in of_open /ffmpeg6-1/fftools/ffmpeg_mux_init.c:2695:11
    #11 0x51828d in open_files /ffmpeg6-1/fftools/ffmpeg_opt.c:1286:15
    #12 0x51828d in ffmpeg_parse_options /ffmpeg6-1/fftools/ffmpeg_opt.c:1340:11
    #13 0x533747 in main /ffmpeg6-1/fftools/ffmpeg.c:1312:11
    #14 0x7ffff7c0d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #15 0x420b4d in _start (/ffmpeg6-1/ffmpeg_g+0x420b4d)

0x60a000000580 is located 0 bytes to the right of 64-byte region [0x60a000000540,0x60a000000580)
allocated by thread T0 here:
    #0 0x4994e7 in posix_memalign /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
    #1 0x3c7bdf6 in av_malloc /ffmpeg6-1/libavutil/mem.c:105:9
    #2 0x3c7bdf6 in av_mallocz /ffmpeg6-1/libavutil/mem.c:256:17
    #3 0x3c7bdf6 in av_calloc /ffmpeg6-1/libavutil/mem.c:267:12
    #4 0x54cb75 in config_eq_output /ffmpeg6-1/libavfilter/asrc_afirsrc.c:483:24
    #5 0x5d5cd9 in avfilter_config_links /ffmpeg6-1/libavfilter/avfilter.c:340:31

SUMMARY: AddressSanitizer: heap-buffer-overflow /ffmpeg6-1/libavfilter/asrc_afirsrc.c:495:30 in config_eq_output
Shadow bytes around the buggy address:
  0x0c147fff8060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c147fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c147fff8080: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c147fff8090: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c147fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c147fff80b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c147fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c147fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c147fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c147fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c147fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==444674==ABORTING

ffmpeg version:

ffmpeg version n6.1-3-g466799d4f5 Copyright (c) 2000-2023 the FFmpeg developers
built with clang version 9.0.0 (https://github.com/llvm-mirror/llvm c62b24f070c9a4bb1a76409e623042a740cac4cd)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
libavutil      58. 29.100 / 58. 29.100
libavcodec     60. 31.102 / 60. 31.102
libavformat    60. 16.100 / 60. 16.100
libavdevice    60.  3.100 / 60.  3.100
libavfilter     9. 12.100 /  9. 12.100
libswscale      7.  5.100 /  7.  5.100
libswresample   4. 12.100 /  4. 12.100

Credit:

Zeng Yunxiang , HUST
Song Jiaxuan , HUST

Thanks for your time!

Attachments (1)

poc1ffmpeg (150.7 KB ) - added by ZengYunxiang 7 months ago.
POC file

Download all attachments as: .zip

Change History (2)

by ZengYunxiang, 7 months ago

Attachment: poc1ffmpeg added

POC file

comment:1 by Elon Musk, 7 months ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.