#11417 closed defect (fixed)
libavformat/mov.c:5195 SEGV
| Reported by: | 0x20z | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | |
| Cc: | 0x20z | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | yes | | |
Description
Summary of the bug:
Dear developers, I have discovered a Segmentation Fault vulnerability. The POC file is attached to the session, and the version of ffmpeg is the main branch. Please confirm.
How to reproduce:
```sh
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -y -i poc tmp.mp4
```
ASAN log:
=================================================================
==1470909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5e3e34844b3c bp 0x7ffe336763a0 sp 0x7ffe33676330 T0)
==1470909==The signal is caused by a READ memory access.
==1470909==Hint: address points to the zero page.
#0 0x5e3e34844b3c in mov_read_trak libavformat/mov.c:5195
#1 0x5e3e3489052e in mov_read_default libavformat/mov.c:9406
#2 0x5e3e347fcbc4 in mov_read_moov libavformat/mov.c:1565
#3 0x5e3e3489052e in mov_read_default libavformat/mov.c:9406
#4 0x5e3e348a3cd9 in mov_read_header libavformat/mov.c:10449
#5 0x5e3e34472bff in avformat_open_input libavformat/demux.c:308
#6 0x5e3e32eb995b in ifile_open fftools/ffmpeg_demux.c:1727
#7 0x5e3e32f762bc in open_files fftools/ffmpeg_opt.c:1363
#8 0x5e3e32f76e87 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1412
#9 0x5e3e32ff6cdc in main fftools/ffmpeg.c:974
#10 0x7dbbbb829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7dbbbb829e3f in __libc_start_main_impl ../csu/libc-start.c:392
#12 0x5e3e32e76924 in _start (/home/swift/workstation/FFmpeg-master/ffmpeg+0x564924)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libavformat/mov.c:5195 in mov_read_trak
==1470909==ABORTING
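The report above is a SEGV on address 0x10 with the "zero page" hint, i.e. a READ through a NULL pointer plus a 16-byte field offset rather than a corrupted heap. The following triage helper is an added example for this ticket, not FFmpeg code: it parses an AddressSanitizer report, extracts the fault kind, address, access type and stack frames, and classifies a sub-page-size SEGV as a near-NULL dereference (crash/DoS class) as opposed to a wild-pointer fault. The embedded sample is constructed from the first lines of the log quoted in this ticket; the `PAGE_SIZE` threshold and all class and function names are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: 4 KiB zero page (x86-64 Linux); faults below this are NULL + offset.
PAGE_SIZE = 0x1000

# Constructed sample: the head of the ASan report quoted in the ticket.
SAMPLE_REPORT = """\
=================================================================
==1470909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5e3e34844b3c bp 0x7ffe336763a0 sp 0x7ffe33676330 T0)
==1470909==The signal is caused by a READ memory access.
==1470909==Hint: address points to the zero page.
    #0 0x5e3e34844b3c in mov_read_trak libavformat/mov.c:5195
    #1 0x5e3e3489052e in mov_read_default libavformat/mov.c:9406
    #2 0x5e3e347fcbc4 in mov_read_moov libavformat/mov.c:1565
SUMMARY: AddressSanitizer: SEGV libavformat/mov.c:5195 in mov_read_trak
==1470909==ABORTING
"""

ERROR_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+)"
    r"(?: on (?:unknown )?address 0x([0-9a-fA-F]+))?"
)
# Covers both "The signal is caused by a READ memory access." (SEGV)
# and "READ of size N at ..." (heap/stack bugs).
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")


@dataclass
class Frame:
    index: int
    func: str
    location: str  # "file:line" when debug info is present, else "(module+offset)"


@dataclass
class AsanCrash:
    pid: int
    kind: str                 # e.g. "SEGV", "heap-buffer-overflow"
    address: Optional[int]    # faulting address, if the report names one
    access: Optional[str]     # "READ" or "WRITE"
    frames: List[Frame]

    def classify(self) -> str:
        """Coarse bug class for triage; near-NULL reads are crash-only, not corruption."""
        acc = (self.access or "access").lower()
        if self.kind == "SEGV":
            if self.address is not None and self.address < PAGE_SIZE:
                return f"near-null-{acc}:+0x{self.address:x}"
            return f"wild-pointer-{acc}"
        return self.kind

    def crash_site(self) -> Optional[str]:
        """Innermost frame that resolved to a source file and line."""
        for f in self.frames:
            if re.search(r":\d+$", f.location):
                return f"{f.func}@{f.location}"
        return None


def parse_asan_report(text: str) -> AsanCrash:
    pid, kind, address, access = 0, "unknown", None, None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            pid, kind = int(m.group(1)), m.group(2)
            address = int(m.group(3), 16) if m.group(3) else None
            continue
        if access is None and ("caused by" in line or "of size" in line):
            a = ACCESS_RE.search(line)
            if a:
                access = a.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return AsanCrash(pid, kind, address, access, frames)


if __name__ == "__main__":
    crash = parse_asan_report(SAMPLE_REPORT)
    print(crash.classify(), crash.crash_site())
```

Run on the sample, `classify()` yields `near-null-read:+0x10` and `crash_site()` yields `mov_read_trak@libavformat/mov.c:5195`, which is the information a triager needs first: the fault is a read of a struct field through a NULL pointer in the demuxer, so the impact is a crash on a crafted file rather than a memory-write primitive.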
Found by: 0x20z
Thank you for your time and attention
Attachments (1)
Change History (4)
by , 15 months ago
comment:1 by , 15 months ago
| Analyzed by developer: | set |
|---|---|
| Reproduced by developer: | set |
| Resolution: | → fixed |
| Status: | new → closed |
Should be fixed in fd1772b7475d0d5673a5dd314ee78443d0be4cf1
comment:2 by , 13 months ago
FWIW, this was assigned CVE-2025-25471. I can't reproduce this with 7.1.1 or 6.1.2, though. Is this applicable to other branches than master?
comment:3 by , 13 months ago
No, this was present in master only, and for a very short time. I don't know why it would get assigned a CVE...