Opened 9 months ago
Closed 8 months ago
#10753 closed defect (fixed)
heap-buffer-overflow at libavfilter/f_reverse.c:269:26 in areverse_request_frame in FFmpeg
Reported by: | ZengYunxiang | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avfilter |
Version: | git-master | Keywords: | bugs |
Cc: | ZengYunxiang | Blocked By: | |
Blocking: | Reproduced by developer: | no | |
Analyzed by developer: | no |
Description
Summary of the bug:
Dear developers,
We found the following heap-buffer-overflow bug on FFmpeg(version N-113007-g8d24a28d06) when using areverse filter, please confirm.
The poc file(poc16ffmpeg) will be attached to this ticket.
How to reproduce:
git clone https://github.com/FFmpeg/FFmpeg.git ffmpeg cd ffmpeg ./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan make -j30 ./ffmpeg_g -y -i poc16ffmpeg -filter_complex areverse tmp.mp4
ASAN Log:
=================================================================x ==809032==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000017290 at pc 0x55c70e479a45 bp 0x7f58adff8e90 sp 0x7f58adff8e88 READ of size 8 at 0x61e000017290 thread T2 (fc0) #0 0x55c70e479a44 in areverse_request_frame /ffmpeg/libavfilter/f_reverse.c:269:26 #1 0x55c70e44a2f6 in ff_request_frame_to_filter /ffmpeg/libavfilter/avfilter.c:482:15 #2 0x55c70e446560 in ff_filter_activate_default /ffmpeg/libavfilter/avfilter.c:1194:20 #3 0x55c70e446560 in ff_filter_activate /ffmpeg/libavfilter/avfilter.c:1341:11 #4 0x55c70e455860 in get_frame_internal /ffmpeg/libavfilter/buffersink.c:139:19 #5 0x55c70e452ff0 in avfilter_graph_request_oldest /ffmpeg/libavfilter/avfiltergraph.c:1306:17 #6 0x55c70e350344 in read_frames /ffmpeg/fftools/ffmpeg_filter.c:2426:15 #7 0x55c70e346e28 in filter_thread /ffmpeg/fftools/ffmpeg_filter.c:2819:15 #8 0x55c70e388c18 in task_wrapper /ffmpeg/fftools/ffmpeg_sched.c:2200:21 #9 0x7f58b09e0ac2 (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9) #10 0x7f58b0a72a3f (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9) 0x61e000017296 is located 0 bytes to the right of 2582-byte region [0x61e000016880,0x61e000017296) allocated by thread T2 (fc0) here: #0 0x55c70e2ebf46 in __interceptor_realloc (/ffmpeg/ffmpeg_g+0x923f46) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c) #1 0x55c711958aee in av_realloc /ffmpeg/libavutil/mem.c:162:11 #2 0x55c711958aee in av_fast_realloc /ffmpeg/libavutil/mem.c:513:11 Thread T2 (fc0) created by T0 here: #0 0x55c70e2d4f9c in __interceptor_pthread_create (/ffmpeg/ffmpeg_g+0x90cf9c) (BuildId: 8d6ccf457a75d047d11f9627d0b67208c2215c8c) #1 0x55c70e383161 in task_start /ffmpeg/fftools/ffmpeg_sched.c:403:11 #2 0x55c70e3a1e68 in transcode /ffmpeg/fftools/ffmpeg.c:922:11 #3 0x55c70e3a1e68 in main /ffmpeg/fftools/ffmpeg.c:1050:11 #4 0x7f58b0975d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9) SUMMARY: AddressSanitizer: heap-buffer-overflow /ffmpeg/libavfilter/f_reverse.c:269:26 in areverse_request_frame Shadow bytes around the buggy address: 0x0c3c7fffae00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffae10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffae30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffae40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3c7fffae50: 00 00[06]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffae60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffae70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3c7fffae90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3c7fffaea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==809032==ABORTING
ffmpeg version:
# ./ffmpeg -version ffmpeg version N-113007-g8d24a28d06 Copyright (c) 2000-2023 the FFmpeg developers built with Ubuntu clang version 14.0.0-1ubuntu1.1 configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan libavutil 58. 34.100 / 58. 34.100 libavcodec 60. 35.100 / 60. 35.100 libavformat 60. 18.100 / 60. 18.100 libavdevice 60. 4.100 / 60. 4.100 libavfilter 9. 14.100 / 9. 14.100 libswscale 7. 6.100 / 7. 6.100 libswresample 4. 13.100 / 4. 13.100
Credit:
Discovered by Zeng Yunxiang.
Thanks for your time!
Attachments (1)
Change History (2)
by , 9 months ago
Attachment: | poc16ffmpeg added |
---|
comment:1 by , 8 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
POC file