#10699 closed defect (fixed)

heap-buffer-overflow at libavfilter/edge_template.c:116:5 in ff_gaussian_blur_8 in FFmpeg

Reported by: ZengYunxiang
Owned by:
Priority: important
Component: avfilter
Version: git-master
Keywords: bugs
Cc: ZengYunxiang
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

Dear developers,
I found the following heap-buffer-overflow bug in FFmpeg 6.1 when using the blurdetect filter; please confirm.

The PoC file (poc5ffmpeg) will be attached to this ticket.

How to reproduce:

git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg6-1
cd ffmpeg6-1
git checkout 466799d
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
make -j30

./ffmpeg_g -y -i poc5ffmpeg -filter_complex blurdetect tmp.mp4

ASAN Log:

=================================================================
==1720809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000022bb at pc 0x559c66da631a bp 0x7fff763641f0 sp 0x7fff763639c0
WRITE of size 873 at 0x61e0000022bb thread T0
    #0 0x559c66da6319 in __asan_memcpy (/ffmpeg6-1/ffmpeg_g+0x924319) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)
    #1 0x559c67729e03 in ff_gaussian_blur_8 /ffmpeg6-1/libavfilter/edge_template.c:116:5
    #2 0x559c6700a960 in blurdetect_filter_frame /ffmpeg6-1/libavfilter/vf_blurdetect.c:287:9
    #3 0x559c66ef8142 in ff_filter_frame_framed /ffmpeg6-1/libavfilter/avfilter.c:969:11
    #4 0x559c66ef8142 in ff_filter_frame_to_filter /ffmpeg6-1/libavfilter/avfilter.c:1123:11
    #5 0x559c66ef8142 in ff_filter_activate_default /ffmpeg6-1/libavfilter/avfilter.c:1172:20
    #6 0x559c66ef8142 in ff_filter_activate /ffmpeg6-1/libavfilter/avfilter.c:1331:11
    #7 0x559c66f0a137 in push_frame /ffmpeg6-1/libavfilter/buffersrc.c:167:15
    #8 0x559c66f0a137 in av_buffersrc_add_frame_flags /ffmpeg6-1/libavfilter/buffersrc.c:271:15
    #9 0x559c66e0d431 in ifilter_send_frame /ffmpeg6-1/fftools/ffmpeg_filter.c:2440:11
    #10 0x559c66de2cbe in send_frame_to_filters /ffmpeg6-1/fftools/ffmpeg_dec.c:153:15
    #11 0x559c66de2cbe in dec_packet /ffmpeg6-1/fftools/ffmpeg_dec.c:813:19
    #12 0x559c66e53f7b in process_input_packet /ffmpeg6-1/fftools/ffmpeg.c:811:15
    #13 0x559c66e51373 in process_input /ffmpeg6-1/fftools/ffmpeg.c:1115:11
    #14 0x559c66e51373 in transcode_step /ffmpeg6-1/fftools/ffmpeg.c:1142:11
    #15 0x559c66e51373 in transcode /ffmpeg6-1/fftools/ffmpeg.c:1204:15
    #16 0x559c66e51373 in main /ffmpeg6-1/fftools/ffmpeg.c:1330:11
    #17 0x7f29f0e35d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #18 0x7f29f0e35e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #19 0x559c66d240f4 in _start (/ffmpeg6-1/ffmpeg_g+0x8a20f4) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)

0x61e0000022bb is located 0 bytes to the right of 2619-byte region [0x61e000001880,0x61e0000022bb)
allocated by thread T0 here:
    #0 0x559c66da7ab7 in __interceptor_posix_memalign (/ffmpeg6-1/ffmpeg_g+0x925ab7) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95)
    #1 0x559c6a3dfa5e in av_malloc /ffmpeg6-1/libavutil/mem.c:105:9
    #2 0x559c6700c565 in blurdetect_config_input /ffmpeg6-1/libavfilter/vf_blurdetect.c:112:21

SUMMARY: AddressSanitizer: heap-buffer-overflow (/ffmpeg6-1/ffmpeg_g+0x924319) (BuildId: 235e8d23658b9f137a6f44e3f2d1bddad7c9bf95) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3c7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8450: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
  0x0c3c7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1720809==ABORTING

ffmpeg version:

# ./ffmpeg -version
ffmpeg version n6.1-3-g466799d4f5 Copyright (c) 2000-2023 the FFmpeg developers
built with clang version 9.0.0 (https://github.com/llvm-mirror/llvm c62b24f070c9a4bb1a76409e623042a740cac4cd)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
libavutil      58. 29.100 / 58. 29.100
libavcodec     60. 31.102 / 60. 31.102
libavformat    60. 16.100 / 60. 16.100
libavdevice    60.  3.100 / 60.  3.100
libavfilter     9. 12.100 /  9. 12.100
libswscale      7.  5.100 /  7.  5.100
libswresample   4. 12.100 /  4. 12.100

Credit:

Zeng Yunxiang

Thanks for your time!

Attachments (2)

poc5ffmpeg (66.4 KB) - added by ZengYunxiang 12 months ago.
POC file
poc19ffmpeg (2.3 KB) - added by ZengYunxiang 11 months ago.


Change History (4)

by ZengYunxiang, 12 months ago

Attachment: poc5ffmpeg added

POC file

comment:1 by ZengYunxiang, 11 months ago

Hello. I also found this bug when using the edgedetect filter for fuzzing.
Command: ./ffmpeg_g -y -i poc19ffmpeg -filter_complex edgedetect tmp.mp4
The ASAN log is as follows:

=================================================================
==4079588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000012a60 at pc 0x55fba344fefa bp 0x7f79beb26f90 sp 0x7f79beb26760
WRITE of size 16 at 0x609000012a60 thread T19 (fc0)
    #0 0x55fba344fef9 in __asan_memcpy (/ffmpeg/ffmpeg_g+0x922ef9) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55fba3df4ecb in ff_gaussian_blur_8 /ffmpeg/libavfilter/edge_template.c:115:5
    #2 0x55fba37f4b91 in filter_frame /ffmpeg/libavfilter/vf_edgedetect.c:194:9
    #3 0x55fba35abed2 in ff_filter_frame_framed /ffmpeg/libavfilter/avfilter.c:969:11
    #4 0x55fba35abed2 in ff_filter_frame_to_filter /ffmpeg/libavfilter/avfilter.c:1123:11
    #5 0x55fba35abed2 in ff_filter_activate_default /ffmpeg/libavfilter/avfilter.c:1182:20
    #6 0x55fba35abed2 in ff_filter_activate /ffmpeg/libavfilter/avfilter.c:1341:11
    #7 0x55fba35bdf57 in push_frame /ffmpeg/libavfilter/buffersrc.c:168:15
    #8 0x55fba35bdf57 in av_buffersrc_add_frame_flags /ffmpeg/libavfilter/buffersrc.c:272:15
    #9 0x55fba34abd3b in send_frame /ffmpeg/fftools/ffmpeg_filter.c:2668:11
    #10 0x55fba34abd3b in filter_thread /ffmpeg/fftools/ffmpeg_filter.c:2808:19
    #11 0x55fba34edc18 in task_wrapper /ffmpeg/fftools/ffmpeg_sched.c:2200:21
    #12 0x7f79cac06ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #13 0x7f79cac98a3f  (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

0x609000012a60 is located 0 bytes to the right of 32-byte region [0x609000012a40,0x609000012a60)
allocated by thread T19 (fc0) here:
    #0 0x55fba3451697 in __interceptor_posix_memalign (/ffmpeg/ffmpeg_g+0x924697) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55fba6ab9abe in av_malloc /ffmpeg/libavutil/mem.c:105:9
    #2 0x55fba37f5a80 in config_props /ffmpeg/libavfilter/vf_edgedetect.c:134:29

Thread T19 (fc0) created by T0 here:
    #0 0x55fba3439f9c in __interceptor_pthread_create (/ffmpeg/ffmpeg_g+0x90cf9c) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55fba34e8161 in task_start /ffmpeg/fftools/ffmpeg_sched.c:403:11
    #2 0x55fba3506e68 in transcode /ffmpeg/fftools/ffmpeg.c:922:11
    #3 0x55fba3506e68 in main /ffmpeg/fftools/ffmpeg.c:1050:11
    #4 0x7f79cab9bd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/ffmpeg/ffmpeg_g+0x922ef9) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c127fffa4f0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa500: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa510: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa520: fa fa fa fa fa fa fa fa 00 00 00 fa fa fa fa fa
  0x0c127fffa530: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 fa fa
=>0x0c127fffa540: fa fa fa fa fa fa fa fa 00 00 00 00[fa]fa fa fa
  0x0c127fffa550: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
  0x0c127fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa570: 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa580: 00 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fffa590: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4079588==ABORTING

by ZengYunxiang, 11 months ago

Attachment: poc19ffmpeg added

comment:2 by Michael Niedermayer, 11 months ago

Resolution: fixed
Status: new → closed
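
Comment 1 files the edgedetect crash under this ticket because both traces fault in ff_gaussian_blur_8, although the calling filter and the line number differ. The following is an added example, not part of the ticket or of FFmpeg, showing that triage step: it parses key lines of both ASan reports, skips sanitizer and allocator-wrapper frames, and buckets on the faulting function. The sample strings are trimmed copies of lines from the logs above; the names triage and first_app_frame and the skip list are assumptions of this example.

```python
import re

FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
REGION = re.compile(r"located (\d+) bytes to the right of (\d+)-byte region")
# Sanitizer runtime and allocator-wrapper frames never name the code at fault.
RUNTIME = ("__asan_", "__interceptor_", "av_malloc")

def first_app_frame(stack):
    """Return (function, 'file.c:line') of the first non-runtime frame."""
    for func, loc in FRAME.findall(stack):
        if not func.startswith(RUNTIME):
            return func, ":".join(loc.rsplit("/", 1)[-1].split(":")[:2])
    return None

def triage(report):
    """Summarise one ASan heap-overflow report; 'units' = region/size if exact."""
    crash, _, alloc = report.partition("allocated by thread")
    kind, size = ACCESS.search(crash).groups()
    past_end, region = map(int, REGION.search(crash).groups())
    fault, size = first_app_frame(crash), int(size)
    return {"access": kind, "size": size, "region": region, "past_end": past_end,
            "fault": fault, "alloc": first_app_frame(alloc),
            # Bucket on the function only: the line drifts between revisions
            # (116 vs 115 here) and the calling filter differs per report.
            "bucket": fault[0],
            "units": region // size if region % size == 0 else None}

# Constructed samples: key lines trimmed from the two reports in this ticket.
BLURDETECT = """WRITE of size 873 at 0x61e0000022bb thread T0
    #0 0x559c66da6319 in __asan_memcpy (/ffmpeg6-1/ffmpeg_g+0x924319)
    #1 0x559c67729e03 in ff_gaussian_blur_8 /ffmpeg6-1/libavfilter/edge_template.c:116:5
0x61e0000022bb is located 0 bytes to the right of 2619-byte region [0x61e000001880,0x61e0000022bb)
allocated by thread T0 here:
    #0 0x559c66da7ab7 in __interceptor_posix_memalign (/ffmpeg6-1/ffmpeg_g+0x925ab7)
    #1 0x559c6a3dfa5e in av_malloc /ffmpeg6-1/libavutil/mem.c:105:9
    #2 0x559c6700c565 in blurdetect_config_input /ffmpeg6-1/libavfilter/vf_blurdetect.c:112:21
"""
EDGEDETECT = """WRITE of size 16 at 0x609000012a60 thread T19 (fc0)
    #0 0x55fba344fef9 in __asan_memcpy (/ffmpeg/ffmpeg_g+0x922ef9)
    #1 0x55fba3df4ecb in ff_gaussian_blur_8 /ffmpeg/libavfilter/edge_template.c:115:5
0x609000012a60 is located 0 bytes to the right of 32-byte region [0x609000012a40,0x609000012a60)
allocated by thread T19 (fc0) here:
    #0 0x55fba3451697 in __interceptor_posix_memalign (/ffmpeg/ffmpeg_g+0x924697)
    #1 0x55fba6ab9abe in av_malloc /ffmpeg/libavutil/mem.c:105:9
    #2 0x55fba37f5a80 in config_props /ffmpeg/libavfilter/vf_edgedetect.c:134:29
"""

print(triage(BLURDETECT), triage(EDGEDETECT), sep="\n")
```

In both reports the write starts 0 bytes past the end of the region, and the region is an exact multiple of the write size (3 × 873 and 2 × 16), which the summary exposes as `units`.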