Opened 6 months ago
Closed 5 months ago
#11133 closed defect (fixed)
heap-buffer-overflow in libavcodec/bytestream.h:99:1
| Reported by: | kmfl | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | |
| Cc: | kmfl | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | yes | | |
Description
Summary of the bug:
A heap-buffer-overflow bug was found in the latest version; it may cause information leaks or arbitrary code execution.
How to reproduce:
```
/home/ffmpeg-debug/ffmpeg_g -i ./heap_overflow_ffmpeg test
ffmpeg version N-116549-g94165d1b79 Copyright (c) 2000-2024 the FFmpeg developers
  built with Ubuntu clang version 15.0.7
  configuration: --disable-shared --pkg-config-flags=--static --extra-libs='-lpthread -lm' --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --enable-debug --cc=clang-15 --cxx=clang++-15 --extra-cflags='-fsanitize=address' --extra-cxxflags='-fsanitize=address' --extra-ldflags='-fsanitize=address'
  libavutil      59. 32.100 / 59. 32.100
  libavcodec     61. 11.100 / 61. 11.100
  libavformat    61.  5.101 / 61.  5.101
  libavdevice    61.  2.100 / 61.  2.100
  libavfilter    10.  2.102 / 10.  2.102
  libswscale      8.  2.100 /  8.  2.100
  libswresample   5.  2.100 /  5.  2.100
  libpostproc    58.  2.100 / 58.  2.100
Ignoring attempt to set invalid timebase 1/0 for st:0
Truncating packet of size 13303840 to 39173
[genh @ 0x617000000080] Packet corrupt (stream = 0, dts = NOPTS).
Aborted
```
ASAN output:
```
=================================================================
==21==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000a6da at pc 0x55ca233d5857 bp 0x7ffe3caa63d0 sp 0x7ffe3caa63c8
READ of size 1 at 0x62e00000a6da thread T0
    #0 0x55ca233d5856 in bytestream_get_byte /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
    #1 0x55ca233d5856 in bytestream2_get_byteu /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
    #2 0x55ca233d5856 in adpcm_decode_frame /home/ffmpeg-debug/libavcodec/adpcm.c:2136:5
    #3 0x55ca21bbde79 in decode_simple_internal /home/ffmpeg-debug/libavcodec/decode.c:429:20
    #4 0x55ca21bbde79 in decode_simple_receive_frame /home/ffmpeg-debug/libavcodec/decode.c:600:15
    #5 0x55ca21bbde79 in decode_receive_frame_internal /home/ffmpeg-debug/libavcodec/decode.c:631:15
    #6 0x55ca21bbd73b in avcodec_send_packet /home/ffmpeg-debug/libavcodec/decode.c:721:15
    #7 0x55ca21413f0c in try_decode_frame /home/ffmpeg-debug/libavformat/demux.c:2156:19
    #8 0x55ca2140cfd0 in avformat_find_stream_info /home/ffmpeg-debug/libavformat/demux.c:2840:9
    #9 0x55ca208db180 in ifile_open /home/ffmpeg-debug/fftools/ffmpeg_demux.c:1771:15
    #10 0x55ca2092ff26 in open_files /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1188:15
    #11 0x55ca2092ff26 in ffmpeg_parse_options /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1228:11
    #12 0x55ca2095abff in main /home/ffmpeg-debug/fftools/ffmpeg.c:972:11
    #13 0x7fbefc6e4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7fbefc6e4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x55ca2080fd64 in _start (/home/ffmpeg-debug/ffmpeg_g+0x6fbd64) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)

0x62e00000a6da is located 0 bytes to the right of 41690-byte region [0x62e000000400,0x62e00000a6da)
allocated by thread T0 here:
    #0 0x55ca20895bb6 in __interceptor_realloc (/home/ffmpeg-debug/ffmpeg_g+0x781bb6) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)
    #1 0x55ca242b9339 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:192:25
    #2 0x55ca242b9190 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:214:15
    #3 0x55ca224e1ab9 in av_grow_packet /home/ffmpeg-debug/libavcodec/packet.c:151:19

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ffmpeg-debug/libavcodec/bytestream.h:99:1 in bytestream_get_byte
Shadow bytes around the buggy address:
  0x0c5c7fff9480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff94d0: 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa
  0x0c5c7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21==ABORTING
```
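Frames #0 to #2 of the trace show the defect class: `bytestream2_get_byteu` is the unchecked reader in `bytestream.h` and relies on the caller having already verified that enough bytes remain, while `bytestream2_get_byte` bounds-checks each read. The reader below is an added example, not FFmpeg's code, modelled on that checked/unchecked pair with hypothetical names (`ByteReader`, `decode_samples`); it shows a decoder validating the packet length once up front before using the unchecked read, so a truncated packet is rejected instead of read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal reader modelled on the GetByteContext idea in libavcodec/bytestream.h (hypothetical). */
typedef struct ByteReader {
    const uint8_t *buffer;      /* next byte to read */
    const uint8_t *buffer_end;  /* one past the last valid byte */
} ByteReader;

static void reader_init(ByteReader *r, const uint8_t *buf, size_t size) {
    r->buffer = buf;
    r->buffer_end = buf + size;
}
static size_t reader_bytes_left(const ByteReader *r) {
    return (size_t)(r->buffer_end - r->buffer);
}
/* Unchecked read (the bytestream2_get_byteu pattern): the caller must already
 * have verified a byte is left; called at buffer_end it reads past the heap block. */
static unsigned reader_get_byteu(ByteReader *r) {
    return *r->buffer++;
}
/* Checked read (the bytestream2_get_byte pattern): returns 0 and does not advance at the end. */
static unsigned reader_get_byte(ByteReader *r) {
    return r->buffer < r->buffer_end ? *r->buffer++ : 0;
}
/* Decoder-style loop: one byte per sample, using the unchecked read only after
 * the whole requested length has been validated against the packet size.
 * Returns the samples decoded, or -1 if the (possibly truncated) packet is too short. */
static int decode_samples(const uint8_t *pkt, size_t pkt_size,
                          int samples_requested, int *out) {
    ByteReader r;
    reader_init(&r, pkt, pkt_size);
    if (samples_requested < 0 || reader_bytes_left(&r) < (size_t)samples_requested)
        return -1;                              /* reject instead of overreading */
    for (int i = 0; i < samples_requested; i++)
        out[i] = (int)reader_get_byteu(&r);     /* safe: length checked above */
    return samples_requested;
}

int main(void) {
    const uint8_t pkt[4] = {0x10, 0x20, 0x30, 0x40}; /* constructed short packet */
    int out[8];
    printf("4 samples from 4 bytes: %d\n", decode_samples(pkt, sizeof pkt, 4, out));
    printf("8 samples from 4 bytes: %d\n", decode_samples(pkt, sizeof pkt, 8, out));
    return 0;
}
```

Under ASan, removing the length check and asking for 8 samples from this 4-byte buffer reproduces the same "0 bytes to the right of ... region" report shape seen above.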
Attachments (1)
Change History (2)
by , 6 months ago
| Attachment: | heap_overflow_ffmpeg added |
|---|---|
comment:1 by , 5 months ago
| Analyzed by developer: | set |
|---|---|
| Priority: | critical → important |
| Reproduced by developer: | set |
| Resolution: | → fixed |
| Status: | new → closed |
PoC to trigger this bug