Opened 8 months ago

Closed 8 months ago

#10951 closed defect (fixed)

SEGV bug at libavcodec/hevcdec.c:2947:22 in hevc_frame_end in FFmpeg7.0

Reported by: ZengYunxiang
Owned by:
Priority: important
Component: avcodec
Version: 7.0
Keywords: bugs
Cc: ZengYunxiang
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

Dear developers,

We found the following SEGV bug in FFmpeg (version 7.0); please confirm.

This bug doesn't require harsh parameter conditions to trigger.

The PoC file (poc23ffmpeg) will be attached to this ticket.

How to reproduce:

tar -xvf ffmpeg-7.0.tar.xz
cd ffmpeg-7.0
./configure --cc=afl-clang-fast --cxx=afl-clang-fast++ --disable-shared
AFL_USE_ASAN=1 make -j30

./ffmpeg_g -y -i poc23ffmpeg tmp.mp4

ASAN Log:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2083295==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55661ca3e58c bp 0x0ff32d1da6b7 sp 0x7f9968eb7620 T8)
==2083295==The signal is caused by a READ memory access.
==2083295==Hint: address points to the zero page.
    #0 0x55661ca3e58c in hevc_frame_end /ffmpeg-7.0/libavcodec/hevcdec.c:2947:22
    #1 0x55661ca34250 in decode_nal_unit /ffmpeg-7.0/libavcodec/hevcdec.c:3122:23
    #2 0x55661ca34250 in decode_nal_units /ffmpeg-7.0/libavcodec/hevcdec.c:3227:15
    #3 0x55661ca34250 in hevc_decode_frame /ffmpeg-7.0/libavcodec/hevcdec.c:3376:14
    #4 0x55661d3b6761 in frame_worker_thread /ffmpeg-7.0/libavcodec/pthread_frame.c:223:21
    #5 0x7f996ef3fac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #6 0x7f996efd1a3f  (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /ffmpeg-7.0/libavcodec/hevcdec.c:2947:22 in hevc_frame_end
Thread T8 (av:hevc:df7) created by T0 here:
    #0 0x55661aef856c in __interceptor_pthread_create (/ffmpeg-7.0/ffmpeg_g+0x98c56c) (BuildId: 545ccc2062eaee7e775c86df925c8f1fb97035e3)
    #1 0x55661ad85de6 in init_thread /ffmpeg-7.0/libavcodec/pthread_frame.c:828:11

==2083295==ABORTING

ffmpeg version:

# ./ffmpeg -version
ffmpeg version 7.0 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=afl-clang-fast --cxx=afl-clang-fast++ --disable-shared
libavutil      59.  8.100 / 59.  8.100
libavcodec     61.  3.100 / 61.  3.100
libavformat    61.  1.100 / 61.  1.100
libavdevice    61.  1.100 / 61.  1.100
libavfilter    10.  1.100 / 10.  1.100
libswscale      8.  1.100 /  8.  1.100
libswresample   5.  1.100 /  5.  1.100

Credit:

Discovered by Zeng Yunxiang.

Thanks for your time!
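As an added example (not part of the ticket and not FFmpeg code), a small Python triage helper that parses the ASAN report above, embedded here as its sample input, and pulls out the crash class, access type, zero-page hint and symbolised frames, so that fuzzer-generated reports like this one can be classified and de-duplicated before a developer looks at them:

```python
import re

# Sample input: the relevant lines of the ASAN report quoted in this ticket.
ASAN_LOG = """\
AddressSanitizer:DEADLYSIGNAL
==2083295==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55661ca3e58c bp 0x0ff32d1da6b7 sp 0x7f9968eb7620 T8)
==2083295==The signal is caused by a READ memory access.
==2083295==Hint: address points to the zero page.
    #0 0x55661ca3e58c in hevc_frame_end /ffmpeg-7.0/libavcodec/hevcdec.c:2947:22
    #1 0x55661ca34250 in decode_nal_unit /ffmpeg-7.0/libavcodec/hevcdec.c:3122:23
    #2 0x55661ca34250 in decode_nal_units /ffmpeg-7.0/libavcodec/hevcdec.c:3227:15
    #3 0x55661ca34250 in hevc_decode_frame /ffmpeg-7.0/libavcodec/hevcdec.c:3376:14
    #4 0x55661d3b6761 in frame_worker_thread /ffmpeg-7.0/libavcodec/pthread_frame.c:223:21
    #5 0x7f996ef3fac2  (/lib/x86_64-linux-gnu/libc.so.6+0x94ac2) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
SUMMARY: AddressSanitizer: SEGV /ffmpeg-7.0/libavcodec/hevcdec.c:2947:22 in hevc_frame_end
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
# Only symbolised frames ("... in func path:line:col") are kept; bare libc
# frames without a symbol, like #5 above, are skipped.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+):(\d+)$")

def triage_asan(log: str) -> dict:
    """Extract the facts a triager needs from an ASAN deadly-signal report."""
    info = {"kind": None, "address": None, "access": None, "frames": []}
    for line in log.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.search(line):
            info["access"] = m.group(1)
        elif m := FRAME_RE.match(line):
            info["frames"].append((m.group(2), m.group(3), int(m.group(4))))
    # A fault below 0x1000 is the zero page: a NULL (or near-NULL) dereference.
    info["null_deref"] = info["address"] is not None and info["address"] < 0x1000
    # (function, file, line) of the top frame doubles as a de-duplication key
    # for multiple PoCs that hit the same bug.
    info["crash_site"] = info["frames"][0] if info["frames"] else None
    return info

def summarize(log: str) -> str:
    """One-line triage verdict suitable for a ticket comment or dedup index."""
    info = triage_asan(log)
    func, path, line = info["crash_site"] or ("?", "?", 0)
    callers = " <- ".join(f[0] for f in info["frames"][1:4])
    cause = "NULL deref" if info["null_deref"] else "bad address"
    # A READ of the zero page is a crash (denial of service), not a write
    # primitive; anything else needs a closer look before rating severity.
    impact = "crash/DoS" if info["access"] == "READ" and info["null_deref"] else "needs analysis"
    return f"{info['kind']} ({info['access']}, {cause}, {impact}) in {func} at {path}:{line}; callers: {callers}"
```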

Attachments (1)

poc23ffmpeg (27.4 KB ) - added by ZengYunxiang 8 months ago.
POC file


Change History (3)

by ZengYunxiang, 8 months ago

Attachment: poc23ffmpeg added

POC file

comment:1 by ZengYunxiang, 8 months ago

reproduce compile command:

tar -xvf ffmpeg-7.0.tar.xz
cd ffmpeg-7.0
./configure --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
make -j30

./ffmpeg_g -y -i poc23ffmpeg tmp.mp4

comment:2 by Niklas Haas, 8 months ago

Resolution: fixed
Status: new → closed