Opened 2 days ago
Closed 12 hours ago
#11395 closed defect (fixed)
null pointer deref similar to https://trac.ffmpeg.org/ticket/11392 when using the aeval filter in filtergraphs
| Reported by: | somehacker | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avfilter |
| Version: | git-master | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | yes | |
| Analyzed by developer: | yes |
Description
Summary of the bug:
Hi! I found another potential null pointer deref.
How to reproduce:
% ./ffmpeg -i input -vf "aeval=:1" output ffmpeg version git-2025-01-01-df09465 Copyright (c) 2000-2024 the FFmpeg developers built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04) configuration: --disable-x86asm --enable-debug=3 --disable-optimizations libavutil 59. 53.100 / 59. 53.100 libavcodec 61. 28.100 / 61. 28.100 libavformat 61. 9.102 / 61. 9.102 libavdevice 61. 4.100 / 61. 4.100 libavfilter 10. 6.101 / 10. 6.101 libswscale 8. 13.100 / 8. 13.100 libswresample 5. 4.100 / 5. 4.100 built on: No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 24.04.1 LTS Release: 24.04 Codename: noble
Here is the ASAN output from the debug binary (ffmpeg_g). The contents of the input file are not important since this bug occurs with any input file. I found this bug via fuzzing and once again if you are to read you can read about it here: https://personnumber3377.github.io/projects/fuzzing_ffmpeg_avfilter_graph_parse_ptr.html
ffmpeg version git-2025-01-01-df09465 Copyright (c) 2000-2024 the FFmpeg developers
built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04)
configuration: --disable-x86asm --enable-debug=3 --disable-optimizations
libavutil 59. 53.100 / 59. 53.100
libavcodec 61. 28.100 / 61. 28.100
libavformat 61. 9.102 / 61. 9.102
libavdevice 61. 4.100 / 61. 4.100
libavfilter 10. 6.101 / 10. 6.101
libswscale 8. 13.100 / 8. 13.100
libswresample 5. 4.100 / 5. 4.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'sample.mp4':
Metadata:
major_brand : mp42
minor_version : 0
compatible_brands: mp42mp41isomavc1
creation_time : 2015-08-07T09:13:02.000000Z
Duration: 00:00:30.53, start: 0.000000, bitrate: 411 kb/s
Stream #0:0[0x1](und): Video: h264 (Constrained Baseline) (avc1 / 0x31637661), yuv420p(progressive), 480x270 [SAR 1:1 DAR 16:9], 301 kb/s, 30 fps, 30 tbr, 30 tbn (default)
Metadata:
creation_time : 2015-08-07T09:13:02.000000Z
handler_name : L-SMASH Video Handler
vendor_id : [0][0][0][0]
encoder : AVC Coding
Stream #0:1[0x2](und): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, stereo, fltp, 112 kb/s (default)
Metadata:
creation_time : 2015-08-07T09:13:02.000000Z
handler_name : L-SMASH Audio Handler
vendor_id : [0][0][0][0]
libavutil/eval.c:718:25: runtime error: null pointer passed as argument 1, which is declared to never be null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3568872==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4b2f59875d bp 0x7ffebc34a090 sp 0x7ffebc349818 T0)
==3568872==The signal is caused by a READ memory access.
==3568872==Hint: address points to the zero page.
#0 0x7f4b2f59875d in __strlen_avx2 ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1 0x7f4b302eb826 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
#2 0x55fd83dc02f6 in av_expr_parse libavutil/eval.c:718
#3 0x55fd7d75f6b8 in parse_channel_expressions libavfilter/aeval.c:156
#4 0x55fd7d75fd76 in init libavfilter/aeval.c:185
#5 0x55fd7c67e25e in avfilter_init_dict libavfilter/avfilter.c:939
#6 0x55fd7c751af9 in avfilter_graph_segment_init libavfilter/graphparser.c:634
#7 0x55fd7c7558ce in avfilter_graph_segment_apply libavfilter/graphparser.c:905
#8 0x55fd7c3f65d5 in graph_parse fftools/ffmpeg_filter.c:595
#9 0x55fd7c4001b6 in fg_create fftools/ffmpeg_filter.c:1104
#10 0x55fd7c401676 in fg_create_simple fftools/ffmpeg_filter.c:1203
#11 0x55fd7c441846 in ost_bind_filter fftools/ffmpeg_mux_init.c:999
#12 0x55fd7c44c333 in ost_add fftools/ffmpeg_mux_init.c:1536
#13 0x55fd7c44e7eb in map_auto_video fftools/ffmpeg_mux_init.c:1640
#14 0x55fd7c454848 in create_streams fftools/ffmpeg_mux_init.c:1969
#15 0x55fd7c46bcde in of_open fftools/ffmpeg_mux_init.c:3335
#16 0x55fd7c47be1b in open_files fftools/ffmpeg_opt.c:1363
#17 0x55fd7c47c626 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1419
#18 0x55fd7c4db981 in main fftools/ffmpeg.c:974
#19 0x7f4b2f4371c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#20 0x7f4b2f43728a in __libc_start_main_impl ../csu/libc-start.c:360
#21 0x55fd7c397ba4 in _start (/home/oof/ffmpegfuzzerthing/myfork/backupshit/new/FFmpeg/ffmpeg_g+0xbef5ba4) (BuildId: f16d7ec11e94c65e71ebe53cf79988601733f849)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/strlen-avx2.S:76 in __strlen_avx2
==3568872==ABORTING
Thanks in advance!
Change History (1)
comment:1 by , 12 hours ago
| Keywords: | expression filters removed |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Fixed in e262411f329d63bcd36fbf4ac666629530ffec90