Opened 12 months ago
Closed 11 months ago
#10699 closed defect (fixed)
heap-buffer-overflow at libavfilter/edge_template.c:116:5 in ff_gaussian_blur_8 in FFmpeg
Reported by: | ZengYunxiang | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avfilter |
Version: | git-master | Keywords: | bugs |
Cc: | ZengYunxiang | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
Dear developers,
I found the following heap-buffer-overflow bug on FFmpeg 6.1 when using the blurdetect filter; please confirm.
The PoC file (poc5ffmpeg) will be attached to this ticket.
How to reproduce:
git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1
cd ffmpeg6-1
git checkout 466799d
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
make -j30
./ffmpeg_g -y -i poc5ffmpeg -filter_complex blurdetect tmp.mp4
ASAN Log:
=================================================================
==1720809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000022bb at pc 0x559c66da631a bp 0x7fff763641f0 sp 0x7fff763639c0
WRITE of size 873 at 0x61e0000022bb thread T0
    #0 0x559c66da6319 in __asan_memcpy (/ffmpeg6-1/ffmpeg_g+0x924319) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)
    #1 0x559c67729e03 in ff_gaussian_blur_8 /ffmpeg6-1/libavfilter/edge_template.c:116:5
    #2 0x559c6700a960 in blurdetect_filter_frame /ffmpeg6-1/libavfilter/vf_blurdetect.c:287:9
    #3 0x559c66ef8142 in ff_filter_frame_framed /ffmpeg6-1/libavfilter/avfilter.c:969:11
    #4 0x559c66ef8142 in ff_filter_frame_to_filter /ffmpeg6-1/libavfilter/avfilter.c:1123:11
    #5 0x559c66ef8142 in ff_filter_activate_default /ffmpeg6-1/libavfilter/avfilter.c:1172:20
    #6 0x559c66ef8142 in ff_filter_activate /ffmpeg6-1/libavfilter/avfilter.c:1331:11
    #7 0x559c66f0a137 in push_frame /ffmpeg6-1/libavfilter/buffersrc.c:167:15
    #8 0x559c66f0a137 in av_buffersrc_add_frame_flags /ffmpeg6-1/libavfilter/buffersrc.c:271:15
    #9 0x559c66e0d431 in ifilter_send_frame /ffmpeg6-1/fftools/ffmpeg_filter.c:2440:11
    #10 0x559c66de2cbe in send_frame_to_filters /ffmpeg6-1/fftools/ffmpeg_dec.c:153:15
    #11 0x559c66de2cbe in dec_packet /ffmpeg6-1/fftools/ffmpeg_dec.c:813:19
    #12 0x559c66e53f7b in process_input_packet /ffmpeg6-1/fftools/ffmpeg.c:811:15
    #13 0x559c66e51373 in process_input /ffmpeg6-1/fftools/ffmpeg.c:1115:11
    #14 0x559c66e51373 in transcode_step /ffmpeg6-1/fftools/ffmpeg.c:1142:11
    #15 0x559c66e51373 in transcode /ffmpeg6-1/fftools/ffmpeg.c:1204:15
    #16 0x559c66e51373 in main /ffmpeg6-1/fftools/ffmpeg.c:1330:11
    #17 0x7f29f0e35d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #18 0x7f29f0e35e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #19 0x559c66d240f4 in _start (/ffmpeg6-1/ffmpeg_g+0x8a20f4) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)

0x61e0000022bb is located 0 bytes to the right of 2619-byte region [0x61e000001880,0x61e0000022bb)
allocated by thread T0 here:
    #0 0x559c66da7ab7 in __interceptor_posix_memalign (/ffmpeg6-1/ffmpeg_g+0x925ab7) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)
    #1 0x559c6a3dfa5e in av_malloc /ffmpeg6-1/libavutil/mem.c:105:9
    #2 0x559c6700c565 in blurdetect_config_input /ffmpeg6-1/libavfilter/vf_blurdetect.c:112:21

SUMMARY: AddressSanitizer: heap-buffer-overflow (/ffmpeg6-1/ffmpeg_g+0x924319) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3c7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8450: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
  0x0c3c7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1720809==ABORTING
ffmpeg version:
# ./ffmpeg -version
ffmpeg version n6.1-3-g466799d4f5 Copyright (c) 2000-2023 the FFmpeg developers
built with clang version 9.0.0 (https://github.com/llvm-mirror/llvm c62b24f070c9a4bb1a76409e623042a740cac4cd)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
libavutil      58. 29.100 / 58. 29.100
libavcodec     60. 31.102 / 60. 31.102
libavformat    60. 16.100 / 60. 16.100
libavdevice    60.  3.100 / 60.  3.100
libavfilter     9. 12.100 /  9. 12.100
libswscale      7.  5.100 /  7.  5.100
libswresample   4. 12.100 /  4. 12.100
Credit:
Zeng Yunxiang
Thanks for your time!
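The report above shows a row copy inside ff_gaussian_blur_8 writing past a heap buffer that blurdetect_config_input allocated (873-byte write ending exactly at the end of a 2619-byte region). The ticket does not analyse the root cause, and the code below is an added illustration, not FFmpeg's code and not a claim about what the fix was: it shows the defensive check that guards this class of bug in general. A common way a temporary plane buffer ends up too small is being sized from width × height while the copy advances by a padded stride (linesize). The hypothetical helpers rows_bytes_needed, plane_fits and copy_plane_checked compute the bytes such a copy actually touches and refuse the copy when the allocation cannot hold it; the 64×40 plane with a 96-byte stride in demo_mismatched_stride is a constructed scenario.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration; none of these names exist in FFmpeg.
 * Bytes that a row-by-row copy of h rows of w bytes, advancing the
 * destination by `stride` bytes per row, touches in the destination.
 * Returns 0 for an invalid geometry (stride narrower than the row, or
 * size_t overflow). */
size_t rows_bytes_needed(int w, int h, ptrdiff_t stride)
{
    if (w <= 0 || h <= 0 || stride < w)
        return 0;
    size_t rows = (size_t)h - 1;
    if (rows != 0 && (size_t)stride > SIZE_MAX / rows)
        return 0;
    return (size_t)stride * rows + (size_t)w;
}

/* 1 if an allocation of `alloc` bytes can hold the copy, else 0. */
int plane_fits(size_t alloc, int w, int h, ptrdiff_t stride)
{
    size_t need = rows_bytes_needed(w, h, stride);
    return need != 0 && need <= alloc;
}

/* Row copy guarded by the check. Returns 0 on success and -1 when the
 * destination is too small, which is exactly the case where an unguarded
 * memcpy loop would run past the end of the heap allocation. */
int copy_plane_checked(uint8_t *dst, size_t dst_size, ptrdiff_t dst_stride,
                       const uint8_t *src, ptrdiff_t src_stride, int w, int h)
{
    if (!plane_fits(dst_size, w, h, dst_stride))
        return -1;
    for (int y = 0; y < h; y++)
        memcpy(dst + y * dst_stride, src + y * src_stride, (size_t)w);
    return 0;
}

/* Constructed scenario: a 64x40 plane whose rows are padded to a 96-byte
 * stride, while the temporary buffer was sized as width*height only.
 * Returns the result of the guarded copy (-1: refused). */
int demo_mismatched_stride(void)
{
    const int w = 64, h = 40;
    const ptrdiff_t stride = 96;          /* padded row pitch */
    size_t tmp_size = (size_t)w * h;      /* 2560 bytes: too small for this stride */
    uint8_t *src = calloc((size_t)stride * h, 1);
    uint8_t *tmp = calloc(tmp_size, 1);
    int rc = -2;                          /* allocation failure marker */
    if (src && tmp)
        rc = copy_plane_checked(tmp, tmp_size, stride, src, stride, w, h);
    free(src);
    free(tmp);
    return rc;
}

int main(void)
{
    printf("bytes touched for 64x40 at stride 96: %zu (allocated 2560)\n",
           rows_bytes_needed(64, 40, 96));
    printf("guarded copy returned %d\n", demo_mismatched_stride());
    return 0;
}
```

The check is cheap and belongs where the buffer is allocated (the config/props stage) as well as where it is filled: sizing the temporary from the stride the filter will actually walk, and validating again before the copy, catches a geometry change between configuration and filtering instead of letting ASan be the first to notice.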
Attachments (2)
Change History (4)
by , 12 months ago
Attachment: poc5ffmpeg added
comment:1 by , 11 months ago
Hello. I also found this bug when using the edgedetect filter for fuzzing.
Command: ./ffmpeg_g -y -i poc19ffmpeg -filter_complex edgedetect tmp.mp4
The ASAN log is as follows:
=================================================================
==4079588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000012a60 at pc 0x55fba344fefa bp 0x7f79beb26f90 sp 0x7f79beb26760
WRITE of size 16 at 0x609000012a60 thread T19 (fc0)
    #0 0x55fba344fef9 in __asan_memcpy (/ffmpeg/ffmpeg_g+0x922ef9) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55fba3df4ecb in ff_gaussian_blur_8 /ffmpeg/libavfilter/edge_template.c:115:5
    #2 0x55fba37f4b91 in filter_frame /ffmpeg/libavfilter/vf_edgedetect.c:194:9
    #3 0x55fba35abed2 in ff_filter_frame_framed /ffmpeg/libavfilter/avfilter.c:969:11
    #4 0x55fba35abed2 in ff_filter_frame_to_filter /ffmpeg/libavfilter/avfilter.c:1123:11
    #5 0x55fba35abed2 in ff_filter_activate_default /ffmpeg/libavfilter/avfilter.c:1182:20
    #6 0x55fba35abed2 in ff_filter_activate /ffmpeg/libavfilter/avfilter.c:1341:11
    #7 0x55fba35bdf57 in push_frame /ffmpeg/libavfilter/buffersrc.c:168:15
    #8 0x55fba35bdf57 in av_buffersrc_add_frame_flags /ffmpeg/libavfilter/buffersrc.c:272:15
    #9 0x55fba34abd3b in send_frame /ffmpeg/fftools/ffmpeg_filter.c:2668:11
    #10 0x55fba34abd3b in filter_thread /ffmpeg/fftools/ffmpeg_filter.c:2808:19
    #11 0x55fba34edc18 in task_wrapper /ffmpeg/fftools/ffmpeg_sched.c:2200:21
    #12 0x7f79cac06ac2 (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #13 0x7f79cac98a3f (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

0x609000012a60 is located 0 bytes to the right of 32-byte region [0x609000012a40,0x609000012a60)
allocated by thread T19 (fc0) here:
    #0 0x55fba3451697 in __interceptor_posix_memalign (/ffmpeg/ffmpeg_g+0x924697) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55fba6ab9abe in av_malloc /ffmpeg/libavutil/mem.c:105:9
    #2 0x55fba37f5a80 in config_props /ffmpeg/libavfilter/vf_edgedetect.c:134:29

Thread T19 (fc0) created by T0 here:
    #0 0x55fba3439f9c in __interceptor_pthread_create (/ffmpeg/ffmpeg_g+0x90cf9c) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55fba34e8161 in task_start /ffmpeg/fftools/ffmpeg_sched.c:403:11
    #2 0x55fba3506e68 in transcode /ffmpeg/fftools/ffmpeg.c:922:11
    #3 0x55fba3506e68 in main /ffmpeg/fftools/ffmpeg.c:1050:11
    #4 0x7f79cab9bd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/ffmpeg/ffmpeg_g+0x922ef9) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c127fffa4f0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa500: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa510: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa520: fa fa fa fa fa fa fa fa 00 00 00 fa fa fa fa fa
  0x0c127fffa530: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 fa fa
=>0x0c127fffa540: fa fa fa fa fa fa fa fa 00 00 00 00[fa]fa fa fa
  0x0c127fffa550: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
  0x0c127fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa570: 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa580: 00 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa590: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4079588==ABORTING
by , 11 months ago
Attachment: poc19ffmpeg added
comment:2 by , 11 months ago
Resolution: → fixed
Status: new → closed