Opened 6 months ago

Closed 5 months ago

#11133 closed defect (fixed)

heap-buffer-overflow in libavcodec/bytestream.h:99:1

Reported by: kmfl Owned by:
Priority: important Component: avcodec
Version: git-master Keywords:
Cc: kmfl Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: yes

Description

Summary of the bug:
A heap-buffer-overflow bug was found in the latest version; it may cause information leaks or arbitrary code execution.

How to reproduce:

 /home/ffmpeg-debug/ffmpeg_g -i ./heap_overflow_ffmpeg test
ffmpeg version N-116549-g94165d1b79 Copyright (c) 2000-2024 the FFmpeg developers
  built with Ubuntu clang version 15.0.7
  configuration: --disable-shared --pkg-config-flags=--static --extra-libs='-lpthread -lm' --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --enable-debug --cc=clang-15 --cxx=clang++-15 --extra-cflags='-fsanitize=address' --extra-cxxflags='-fsanitize=address' --extra-ldflags='-fsanitize=address'
  libavutil      59. 32.100 / 59. 32.100
  libavcodec     61. 11.100 / 61. 11.100
  libavformat    61.  5.101 / 61.  5.101
  libavdevice    61.  2.100 / 61.  2.100
  libavfilter    10.  2.102 / 10.  2.102
  libswscale      8.  2.100 /  8.  2.100
  libswresample   5.  2.100 /  5.  2.100
  libpostproc    58.  2.100 / 58.  2.100
Ignoring attempt to set invalid timebase 1/0 for st:0
Truncating packet of size 13303840 to 39173
[genh @ 0x617000000080] Packet corrupt (stream = 0, dts = NOPTS).
Aborted

ASAN output:

=================================================================
==21==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000a6da at pc 0x55ca233d5857 bp 0x7ffe3caa63d0 sp 0x7ffe3caa63c8
READ of size 1 at 0x62e00000a6da thread T0
    #0 0x55ca233d5856 in bytestream_get_byte /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
    #1 0x55ca233d5856 in bytestream2_get_byteu /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
    #2 0x55ca233d5856 in adpcm_decode_frame /home/ffmpeg-debug/libavcodec/adpcm.c:2136:5
    #3 0x55ca21bbde79 in decode_simple_internal /home/ffmpeg-debug/libavcodec/decode.c:429:20
    #4 0x55ca21bbde79 in decode_simple_receive_frame /home/ffmpeg-debug/libavcodec/decode.c:600:15
    #5 0x55ca21bbde79 in decode_receive_frame_internal /home/ffmpeg-debug/libavcodec/decode.c:631:15
    #6 0x55ca21bbd73b in avcodec_send_packet /home/ffmpeg-debug/libavcodec/decode.c:721:15
    #7 0x55ca21413f0c in try_decode_frame /home/ffmpeg-debug/libavformat/demux.c:2156:19
    #8 0x55ca2140cfd0 in avformat_find_stream_info /home/ffmpeg-debug/libavformat/demux.c:2840:9
    #9 0x55ca208db180 in ifile_open /home/ffmpeg-debug/fftools/ffmpeg_demux.c:1771:15
    #10 0x55ca2092ff26 in open_files /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1188:15
    #11 0x55ca2092ff26 in ffmpeg_parse_options /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1228:11
    #12 0x55ca2095abff in main /home/ffmpeg-debug/fftools/ffmpeg.c:972:11
    #13 0x7fbefc6e4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7fbefc6e4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x55ca2080fd64 in _start (/home/ffmpeg-debug/ffmpeg_g+0x6fbd64) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)

0x62e00000a6da is located 0 bytes to the right of 41690-byte region [0x62e000000400,0x62e00000a6da)
allocated by thread T0 here:
    #0 0x55ca20895bb6 in __interceptor_realloc (/home/ffmpeg-debug/ffmpeg_g+0x781bb6) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)
    #1 0x55ca242b9339 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:192:25
    #2 0x55ca242b9190 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:214:15
    #3 0x55ca224e1ab9 in av_grow_packet /home/ffmpeg-debug/libavcodec/packet.c:151:19

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ffmpeg-debug/libavcodec/bytestream.h:99:1 in bytestream_get_byte
==21==ABORTING
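The trace shows adpcm_decode_frame reading one byte past the end of the 41690-byte packet through bytestream2_get_byteu(), the unchecked reader. As an added illustration (not FFmpeg's code), here is a minimal reader following the checked bytestream2_get_byte() contract, with a decode loop bounded by the packet length rather than by the declared sample count; the struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal byte reader modelled on FFmpeg's GetByteContext; the names here
 * are this example's own, not FFmpeg's. */
typedef struct ByteReader {
    const uint8_t *buffer;
    const uint8_t *buffer_end;
} ByteReader;

static void reader_init(ByteReader *g, const uint8_t *buf, size_t size)
{
    g->buffer     = buf;
    g->buffer_end = buf + size;
}

static ptrdiff_t bytes_left(const ByteReader *g)
{
    return g->buffer_end - g->buffer;
}

/* Checked read with the contract of bytestream2_get_byte(): if nothing is
 * left, pin the cursor to the end and return 0 rather than reading past the
 * packet, which is what the unchecked bytestream2_get_byteu() would do. */
static unsigned get_byte_checked(ByteReader *g)
{
    if (bytes_left(g) < 1) {
        g->buffer = g->buffer_end;
        return 0;
    }
    return *g->buffer++;
}

/* Decoder loop shaped like the trace: the container claims nb_samples
 * samples, but the packet may hold fewer bytes. The sample expansion is a
 * placeholder; the point is that the loop is bounded by the packet, not by
 * the header's claim. Returns the number of samples produced. */
static int decode_samples(const uint8_t *pkt, size_t pkt_size,
                          int nb_samples, int16_t *out)
{
    ByteReader g;
    int n = 0;
    reader_init(&g, pkt, pkt_size);
    if (nb_samples > bytes_left(&g))      /* clamp to what is actually there */
        nb_samples = (int)bytes_left(&g);
    while (n < nb_samples) {
        unsigned v = get_byte_checked(&g);
        out[n++] = (int16_t)((int8_t)v * 256);
    }
    return n;
}
```

With a constructed 3-byte packet and a header claiming 10 samples, decode_samples() produces 3 samples and never touches memory beyond the packet.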

Attachments (1)

heap_overflow_ffmpeg (40.3 KB ) - added by kmfl 6 months ago.
Poc to trigger this bug


Change History (2)

by kmfl, 6 months ago

Attachment: heap_overflow_ffmpeg added

Poc to trigger this bug

comment:1 by James, 5 months ago

Analyzed by developer: set
Priority: critical → important
Reproduced by developer: set
Resolution: fixed
Status: new → closed