Opened 5 months ago

Closed 5 months ago

#10744 closed defect (fixed)

heap-buffer-overflow at libavfilter/af_alimiter.c:199:33 in filter_frame in FFmpeg

Reported by: ZengYunxiang Owned by:
Priority: important Component: avfilter
Version: git-master Keywords: bugs
Cc: ZengYunxiang Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

Dear developers,

We found the following heap-buffer-overflow bug on FFmpeg(version N-113007-g8d24a28d06) when using alimiter filter, please confirm.

The poc file(poc11ffmpeg) will be attached to this ticket.

How to reproduce:

git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg
cd ffmpeg
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
make -j30

./ffmpeg_g -y -i poc11ffmpeg -filter_complex alimiter tmp.mp4

ASAN Log:

=================================================================
==3059675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0000283f8 at pc 0x55cd091c55b4 bp 0x7fc373cfc1b0 sp 0x7fc373cfc1a8
READ of size 8 at 0x62d0000283f8 thread T2 (fc0)
    #0 0x55cd091c55b3 in filter_frame /ffmpeg/libavfilter/af_alimiter.c:199:33
    #1 0x55cd08b08ed2 in ff_filter_frame_framed /ffmpeg/libavfilter/avfilter.c:969:11
    #2 0x55cd08b08ed2 in ff_filter_frame_to_filter /ffmpeg/libavfilter/avfilter.c:1123:11
    #3 0x55cd08b08ed2 in ff_filter_activate_default /ffmpeg/libavfilter/avfilter.c:1182:20
    #4 0x55cd08b08ed2 in ff_filter_activate /ffmpeg/libavfilter/avfilter.c:1341:11
    #5 0x55cd08b1af57 in push_frame /ffmpeg/libavfilter/buffersrc.c:168:15
    #6 0x55cd08b1af57 in av_buffersrc_add_frame_flags /ffmpeg/libavfilter/buffersrc.c:272:15
    #7 0x55cd08a08d3b in send_frame /ffmpeg/fftools/ffmpeg_filter.c:2668:11
    #8 0x55cd08a08d3b in filter_thread /ffmpeg/fftools/ffmpeg_filter.c:2808:19
    #9 0x55cd08a4ac18 in task_wrapper /ffmpeg/fftools/ffmpeg_sched.c:2200:21
    #10 0x7fc3765c0ac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #11 0x7fc376652a3f  (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

0x62d0000283f8 is located 8 bytes to the left of 35288-byte region [0x62d000028400,0x62d000030dd8)
allocated by thread T2 (fc0) here:
    #0 0x55cd089ae697 in __interceptor_posix_memalign (/ffmpeg/ffmpeg_g+0x924697) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55cd0c0177b3 in av_malloc /ffmpeg/libavutil/mem.c:105:9
    #2 0x55cd0c0177b3 in av_mallocz /ffmpeg/libavutil/mem.c:256:17
    #3 0x55cd0c0177b3 in av_calloc /ffmpeg/libavutil/mem.c:267:12
    #4 0x55cd091c59ac in config_input /ffmpeg/libavfilter/af_alimiter.c:367:17

Thread T2 (fc0) created by T0 here:
    #0 0x55cd08996f9c in __interceptor_pthread_create (/ffmpeg/ffmpeg_g+0x90cf9c) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c)
    #1 0x55cd08a45161 in task_start /ffmpeg/fftools/ffmpeg_sched.c:403:11
    #2 0x55cd08a63e68 in transcode /ffmpeg/fftools/ffmpeg.c:922:11
    #3 0x55cd08a63e68 in main /ffmpeg/fftools/ffmpeg.c:1050:11
    #4 0x7fc376555d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow /ffmpeg/libavfilter/af_alimiter.c:199:33 in filter_frame
Shadow bytes around the buggy address:
  0x0c5a7fffd020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffd030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffd040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffd050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffd060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5a7fffd070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c5a7fffd080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffd090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffd0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffd0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffd0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3059675==ABORTING

ffmpeg version:

# ./ffmpeg -version
ffmpeg version N-113007-g8d24a28d06 Copyright (c) 2000-2023 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
libavutil      58. 34.100 / 58. 34.100
libavcodec     60. 35.100 / 60. 35.100
libavformat    60. 18.100 / 60. 18.100
libavdevice    60.  4.100 / 60.  4.100
libavfilter     9. 14.100 /  9. 14.100
libswscale      7.  6.100 /  7.  6.100
libswresample   4. 13.100 /  4. 13.100

Credit:

Discovered by Li Zeyuan and Zeng Yunxiang.

Thanks for your time!

Attachments (1)

poc11ffmpeg (4.4 KB ) - added by ZengYunxiang 5 months ago.
POC file

Download all attachments as: .zip

Change History (2)

by ZengYunxiang, 5 months ago

Attachment: poc11ffmpeg added

POC file

comment:1 by Michael Niedermayer, 5 months ago

Resolution: fixed
Status: newclosed

Fixed by a88b06f9ee8c88f78bdd614fc25283225223e858

Note: See TracTickets for help on using tickets.