#10738 closed defect (fixed)

stack-buffer-overflow at libavcodec/jpegxl_parser.c in gen_alias_map in FFmpeg

Reported by: ZengYunxiang Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: bugs
Cc: ZengYunxiang Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

Dear developers, hello!

We found the following stack-buffer-overflow bug on FFmpeg(version N-113007-g8d24a28d06), please confirm.

The poc file(poc9ffmpeg) will be attached to this ticket.

How to reproduce:

git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg
cd ffmpeg
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
make -j30

/ffmpeg/ffmpeg_g -y -i poc9ffmpeg tmp.mp4

ASAN Log:

=================================================================
==608884==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff63319c60 at pc 0x56121f9e08f7 bp 0x7fff633199f0 sp 0x7fff633199e8
WRITE of size 1 at 0x7fff63319c60 thread T0
    #0 0x56121f9e08f6 in gen_alias_map /ffmpeg/libavcodec/jpegxl_parser.c
    #1 0x56121f9e08f6 in read_distribution_bundle /ffmpeg/libavcodec/jpegxl_parser.c:887:19
    #2 0x56121f9ce8ee in entropy_decoder_init /ffmpeg/libavcodec/jpegxl_parser.c:912:11
    #3 0x56121f9ce8ee in parse_frame_header /ffmpeg/libavcodec/jpegxl_parser.c:1297:15
    #4 0x56121f9ce8ee in try_parse /ffmpeg/libavcodec/jpegxl_parser.c:1439:15
    #5 0x56121f9ce8ee in jpegxl_parse /ffmpeg/libavcodec/jpegxl_parser.c:1471:15
    #6 0x56121e56aa23 in av_parser_parse2 /ffmpeg/libavcodec/parser.c:163:13
    #7 0x56121d3e3e41 in parse_packet /ffmpeg/libavformat/demux.c:1154:15
    #8 0x56121d3d58d9 in read_frame_internal /ffmpeg/libavformat/demux.c:1355:24
    #9 0x56121d3dae0a in avformat_find_stream_info /ffmpeg/libavformat/demux.c:2624:15
    #10 0x56121c9abab7 in ifile_open /ffmpeg/fftools/ffmpeg_demux.c:1507:15
    #11 0x56121c9f4eb9 in open_files /ffmpeg/fftools/ffmpeg_opt.c:1288:15
    #12 0x56121c9f4eb9 in ffmpeg_parse_options /ffmpeg/fftools/ffmpeg_opt.c:1328:11
    #13 0x56121ca1df7f in main /ffmpeg/fftools/ffmpeg.c:1032:11
    #14 0x7f08f3048d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #15 0x7f08f3048e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #16 0x56121c8e5cd4 in _start (/ffmpeg/ffmpeg_g+0x8a0cd4) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)

Address 0x7fff63319c60 is located in stack of thread T0 at offset 608 in frame
    #0 0x56121f9d5e4f in read_distribution_bundle /ffmpeg/libavcodec/jpegxl_parser.c:812

  This frame has 19 object(s):
    [32, 288) 'overfull.i' (line 555)
    [352, 608) 'underfull.i' (line 555) <== Memory access at offset 608 overflows this variable
    [672, 930) 'logcounts.i' (line 385)
    [1008, 1266) 'same.i' (line 386)
    [1344, 1348) 'lens.i.i' (line 618)
    [1360, 1368) 'symbols.i.i' (line 619)
    [1392, 1410) 'level1_lens.i' (line 674)
    [1456, 1474) 'level1_lens_s.i' (line 675)
    [1520, 1556) 'level1_syms.i' (line 676)
    [1600, 1676) 'level1_codecounts.i' (line 677)
    [1712, 1720) 'buf.i' (line 678)
    [1744, 1768) 'level1_vlc.i' (line 686)
    [1808, 1872) 'nested.i' (line 505)
    [1904, 1908) 'clust.i' (line 513)
    [1920, 2176) 'mtf.i' (line 526)
    [2240, 2256) 'constants.i284' (line 217)
    [2272, 2288) 'ubits.i285' (line 218)
    [2304, 2320) 'constants.i' (line 217)
    [2336, 2352) 'ubits.i' (line 218)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /ffmpeg/libavcodec/jpegxl_parser.c in gen_alias_map
Shadow bytes around the buggy address:
  0x10006c65b330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c65b340: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c65b350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c65b360: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x10006c65b370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006c65b380: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x10006c65b390: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10006c65b3a0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10006c65b3b0: f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8
  0x10006c65b3c0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10006c65b3d0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==608884==ABORTING

ffmpeg version:

# ./ffmpeg -version
ffmpeg version N-113007-g8d24a28d06 Copyright (c) 2000-2023 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
libavutil      58. 34.100 / 58. 34.100
libavcodec     60. 35.100 / 60. 35.100
libavformat    60. 18.100 / 60. 18.100
libavdevice    60.  4.100 / 60.  4.100
libavfilter     9. 14.100 /  9. 14.100
libswscale      7.  6.100 /  7.  6.100
libswresample   4. 13.100 /  4. 13.100

Credit:

Discovered by Zeng Yunxiang and Li Zeyuan.

Thanks for your time!

Attachments (1)

poc9ffmpeg (463 bytes ) - added by ZengYunxiang 11 months ago.
POC file

Download all attachments as: .zip

Change History (3)

by ZengYunxiang, 11 months ago

Attachment: poc9ffmpeg added

POC file

comment:2 by Michael Niedermayer, 11 months ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.