Opened 5 months ago
Closed 4 months ago
#10699 closed defect (fixed)
heap-buffer-overflow at libavfilter/edge_template.c:116:5 in ff_gaussian_blur_8 in FFmpeg
| Reported by: | ZengYunxiang | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avfilter |
| Version: | git-master | Keywords: | bugs |
| Cc: | ZengYunxiang | Blocked By: | |
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
Dear developers,
I found the following heap-buffer-overflow bug on FFmpeg6.1 when using blurdetect filter, please confirm.
The poc file(poc5ffmpeg) will be attached to this ticket.
How to reproduce:
git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1 cd ffmpeg6-1 git checkout 466799d ./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan make -j30 ./ffmpeg_g -y -i poc5ffmpeg -filter_complex blurdetect tmp.mp4
ASAN Log:
=================================================================
==1720809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000022bb at pc 0x559c66da631a bp 0x7fff763641f0 sp 0x7fff763639c0
WRITE of size 873 at 0x61e0000022bb thread T0
#0 0x559c66da6319 in __asan_memcpy (/ffmpeg6-1/ffmpeg_g+0x924319) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)
#1 0x559c67729e03 in ff_gaussian_blur_8 /ffmpeg6-1/libavfilter/edge_template.c:116:5
#2 0x559c6700a960 in blurdetect_filter_frame /ffmpeg6-1/libavfilter/vf_blurdetect.c:287:9
#3 0x559c66ef8142 in ff_filter_frame_framed /ffmpeg6-1/libavfilter/avfilter.c:969:11
#4 0x559c66ef8142 in ff_filter_frame_to_filter /ffmpeg6-1/libavfilter/avfilter.c:1123:11
#5 0x559c66ef8142 in ff_filter_activate_default /ffmpeg6-1/libavfilter/avfilter.c:1172:20
#6 0x559c66ef8142 in ff_filter_activate /ffmpeg6-1/libavfilter/avfilter.c:1331:11
#7 0x559c66f0a137 in push_frame /ffmpeg6-1/libavfilter/buffersrc.c:167:15
#8 0x559c66f0a137 in av_buffersrc_add_frame_flags /ffmpeg6-1/libavfilter/buffersrc.c:271:15
#9 0x559c66e0d431 in ifilter_send_frame /ffmpeg6-1/fftools/ffmpeg_filter.c:2440:11
#10 0x559c66de2cbe in send_frame_to_filters /ffmpeg6-1/fftools/ffmpeg_dec.c:153:15
#11 0x559c66de2cbe in dec_packet /ffmpeg6-1/fftools/ffmpeg_dec.c:813:19
#12 0x559c66e53f7b in process_input_packet /ffmpeg6-1/fftools/ffmpeg.c:811:15
#13 0x559c66e51373 in process_input /ffmpeg6-1/fftools/ffmpeg.c:1115:11
#14 0x559c66e51373 in transcode_step /ffmpeg6-1/fftools/ffmpeg.c:1142:11
#15 0x559c66e51373 in transcode /ffmpeg6-1/fftools/ffmpeg.c:1204:15
#16 0x559c66e51373 in main /ffmpeg6-1/fftools/ffmpeg.c:1330:11
#17 0x7f29f0e35d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#18 0x7f29f0e35e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#19 0x559c66d240f4 in _start (/ffmpeg6-1/ffmpeg_g+0x8a20f4) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)
0x61e0000022bb is located 0 bytes to the right of 2619-byte region [0x61e000001880,0x61e0000022bb)
allocated by thread T0 here:
#0 0x559c66da7ab7 in __interceptor_posix_memalign (/ffmpeg6-1/ffmpeg_g+0x925ab7) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)
#1 0x559c6a3dfa5e in av_malloc /ffmpeg6-1/libavutil/mem.c:105:9
#2 0x559c6700c565 in blurdetect_config_input /ffmpeg6-1/libavfilter/vf_blurdetect.c:112:21
SUMMARY: AddressSanitizer: heap-buffer-overflow (/ffmpeg6-1/ffmpeg_g+0x924319) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c3c7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8450: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
0x0c3c7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1720809==ABORTING
ffmpeg version:
# ./ffmpeg -version ffmpeg version n6.1-3-g466799d4f5 Copyright (c) 2000-2023 the FFmpeg developers built with clang version 9.0.0 (https://github.com/llvm-mirror/llvm c62b24f070c9a4bb1a76409e623042a740cac4cd) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan libavutil 58. 29.100 / 58. 29.100 libavcodec 60. 31.102 / 60. 31.102 libavformat 60. 16.100 / 60. 16.100 libavdevice 60. 3.100 / 60. 3.100 libavfilter 9. 12.100 / 9. 12.100 libswscale 7. 5.100 / 7. 5.100 libswresample 4. 12.100 / 4. 12.100
Credit:
Zeng Yunxiang
Thanks for your time!
Attachments (2)
Change History (4)
by , 5 months ago
| Attachment: | poc5ffmpeg added |
|---|
comment:1 by , 5 months ago
Hello. I also found this bug when using the edgedetect filter for fuzzing.
Command: ./ffmpeg_g -y -i poc19ffmpeg -filter_complex edgedetect tmp.mp4
The ASAN log is as follows:
=================================================================
==4079588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000012a60 at pc 0x55fba344fefa bp 0x7f79beb26f90 sp 0x7f79beb26760
WRITE of size 16 at 0x609000012a60 thread T19 (fc0)
#0 0x55fba344fef9 in __asan_memcpy (/ffmpeg/ffmpeg_g+0x922ef9) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
#1 0x55fba3df4ecb in ff_gaussian_blur_8 /ffmpeg/libavfilter/edge_template.c:115:5
#2 0x55fba37f4b91 in filter_frame /ffmpeg/libavfilter/vf_edgedetect.c:194:9
#3 0x55fba35abed2 in ff_filter_frame_framed /ffmpeg/libavfilter/avfilter.c:969:11
#4 0x55fba35abed2 in ff_filter_frame_to_filter /ffmpeg/libavfilter/avfilter.c:1123:11
#5 0x55fba35abed2 in ff_filter_activate_default /ffmpeg/libavfilter/avfilter.c:1182:20
#6 0x55fba35abed2 in ff_filter_activate /ffmpeg/libavfilter/avfilter.c:1341:11
#7 0x55fba35bdf57 in push_frame /ffmpeg/libavfilter/buffersrc.c:168:15
#8 0x55fba35bdf57 in av_buffersrc_add_frame_flags /ffmpeg/libavfilter/buffersrc.c:272:15
#9 0x55fba34abd3b in send_frame /ffmpeg/fftools/ffmpeg_filter.c:2668:11
#10 0x55fba34abd3b in filter_thread /ffmpeg/fftools/ffmpeg_filter.c:2808:19
#11 0x55fba34edc18 in task_wrapper /ffmpeg/fftools/ffmpeg_sched.c:2200:21
#12 0x7f79cac06ac2 (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#13 0x7f79cac98a3f (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
0x609000012a60 is located 0 bytes to the right of 32-byte region [0x609000012a40,0x609000012a60)
allocated by thread T19 (fc0) here:
#0 0x55fba3451697 in __interceptor_posix_memalign (/ffmpeg/ffmpeg_g+0x924697) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
#1 0x55fba6ab9abe in av_malloc /ffmpeg/libavutil/mem.c:105:9
#2 0x55fba37f5a80 in config_props /ffmpeg/libavfilter/vf_edgedetect.c:134:29
Thread T19 (fc0) created by T0 here:
#0 0x55fba3439f9c in __interceptor_pthread_create (/ffmpeg/ffmpeg_g+0x90cf9c) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
#1 0x55fba34e8161 in task_start /ffmpeg/fftools/ffmpeg_sched.c:403:11
#2 0x55fba3506e68 in transcode /ffmpeg/fftools/ffmpeg.c:922:11
#3 0x55fba3506e68 in main /ffmpeg/fftools/ffmpeg.c:1050:11
#4 0x7f79cab9bd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/ffmpeg/ffmpeg_g+0x922ef9) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c127fffa4f0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fffa500: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fffa510: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fffa520: fa fa fa fa fa fa fa fa 00 00 00 fa fa fa fa fa
0x0c127fffa530: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 fa fa
=>0x0c127fffa540: fa fa fa fa fa fa fa fa 00 00 00 00[fa]fa fa fa
0x0c127fffa550: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
0x0c127fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fffa570: 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa
0x0c127fffa580: 00 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fffa590: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4079588==ABORTING
by , 5 months ago
| Attachment: | poc19ffmpeg added |
|---|
comment:2 by , 4 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
POC file