Opened 2 years ago
Closed 2 years ago
#10687 closed defect (fixed)
SEGV bug at /fftools/ffmpeg_enc.c in set_encoder_id in FFmpeg
| Reported by: | ZengYunxiang | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | ffmpeg |
| Version: | 6.1 | Keywords: | bugs |
| Cc: | ZengYunxiang | Blocked By: | |
| Blocking: | Reproduced by developer: | yes | |
| Analyzed by developer: | no |
Description
Summary of the bug:
Dear developers, hello!
I recently proposed a new fuzzing method named fuzzyx, and found the following SEGV bug on FFmpeg6.1, please confirm.
POC file link:
poc2ffmpeg:https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc2ffmpeg
How to reproduce:
git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1 cd ffmpeg6-1 git checkout 466799d ./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan make -j30 ./ffmpeg_g -y -i poc2ffmpeg -filter_complex sinc tmp2.mp4
ASAN Log:
AddressSanitizer:DEADLYSIGNALimes
=================================================================
==444720==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004df1a2 bp 0x7fffffffc220 sp 0x7fffffffc080 T0)
==444720==The signal is caused by a READ memory access.
==444720==Hint: address points to the zero page.
#0 0x4df1a1 in set_encoder_id /ffmpeg6-1/fftools/ffmpeg_enc.c
#1 0x4df1a1 in enc_open /ffmpeg6-1/fftools/ffmpeg_enc.c:190:11
#2 0x4e2903 in enc_frame /ffmpeg6-1/fftools/ffmpeg_enc.c:855:11
#3 0x4f5784 in fg_output_frame /ffmpeg6-1/fftools/ffmpeg_filter.c:2125:15
#4 0x4f0b2d in fg_output_step /ffmpeg6-1/fftools/ffmpeg_filter.c:2220:11
#5 0x4f0b2d in reap_filters /ffmpeg6-1/fftools/ffmpeg_filter.c:2239:19
#6 0x4f3103 in ifilter_send_frame /ffmpeg6-1/fftools/ffmpeg_filter.c:2410:15
#7 0x4c9149 in send_frame_to_filters /ffmpeg6-1/fftools/ffmpeg_dec.c:153:15
#8 0x4c9149 in dec_packet /ffmpeg6-1/fftools/ffmpeg_dec.c:813:19
#9 0x538938 in process_input_packet /ffmpeg6-1/fftools/ffmpeg.c:811:15
#10 0x5368a6 in transcode /ffmpeg6-1/fftools/ffmpeg.c:1219:23
#11 0x5368a6 in main /ffmpeg6-1/fftools/ffmpeg.c:1330:11
#12 0x7ffff7c0d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#13 0x420b4d in _start (/ffmpeg6-1/ffmpeg_g+0x420b4d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /ffmpeg6-1/fftools/ffmpeg_enc.c in set_encoder_id
==444720==ABORTING
ffmpeg version:
ffmpeg version n6.1-3-g466799d4f5 Copyright (c) 2000-2023 the FFmpeg developers built with clang version 9.0.0 (https://github.com/llvm-mirror/llvm c62b24f070c9a4bb1a76409e623042a740cac4cd) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan libavutil 58. 29.100 / 58. 29.100 libavcodec 60. 31.102 / 60. 31.102 libavformat 60. 16.100 / 60. 16.100 libavdevice 60. 3.100 / 60. 3.100 libavfilter 9. 12.100 / 9. 12.100 libswscale 7. 5.100 / 7. 5.100 libswresample 4. 12.100 / 4. 12.100
Credit:
Song Jiaxuan , HUST Zeng Yunxiang , HUST
Thanks for your time!
Attachments (1)
Change History (4)
by , 2 years ago
| Attachment: | poc2ffmpeg added |
|---|
comment:1 by , 2 years ago
| Component: | avfilter → ffmpeg |
|---|---|
| Reproduced by developer: | set |
| Status: | new → open |
| Version: | git-master → 6.1 |
Reproduces on 6.1 but not git master
bug disappears with commit d35c05cb9ee39e1d90fab326a6aaec6c6c9433e1
comment:2 by , 2 years ago
| Priority: | critical → important |
|---|
Also as a null pointer dereference id say its important not critical
comment:3 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | open → closed |
Note:
See TracTickets
for help on using tickets.
POC file