Opened 12 hours ago
#11418 new defect
stack-buffer-overflow on libavcodec/aacenc_tns.c
| Reported by: | 0x20z | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | undetermined |
| Version: | git-master | Keywords: | |
| Cc: | 0x20z | Blocked By: | |
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
I have discovered a stack-buffer-overflow vulnerability. The POC file is attached to the session, and the version of ffmpeg is the main branch. Please confirm.
How to reproduce:
git clone https://github.com/FFmpeg/FFmpeg.git cd FFmpeg ./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile make -j30 ./ffmpeg -i poc -aac_pred true -profile:a aac_low output.mpd
log:
=================================================================
==1108156==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f286b5fe998 at pc 0x572aadc11f35 bp 0x7f286b5fe8e0 sp 0x7f286b5fe8d0
READ of size 4 at 0x7f286b5fe998 thread T1 (enc0:0:aac)
#0 0x572aadc11f34 in ff_aac_search_for_tns libavcodec/aacenc_tns.c:204
#1 0x572aacede67e in aac_encode_frame libavcodec/aacenc.c:1020
#2 0x572aaaa197e2 in ff_encode_encode_cb libavcodec/encode.c:254
#3 0x572aaaa1b896 in encode_simple_internal libavcodec/encode.c:340
#4 0x572aaaa1bbfb in encode_simple_receive_packet libavcodec/encode.c:354
#5 0x572aaaa1cb13 in encode_receive_packet_internal libavcodec/encode.c:388
#6 0x572aaaa1e97e in avcodec_send_frame libavcodec/encode.c:531
#7 0x572aa7edbe65 in encode_frame fftools/ffmpeg_enc.c:643
#8 0x572aa7edf861 in frame_encode fftools/ffmpeg_enc.c:812
#9 0x572aa7ee0a09 in encoder_thread fftools/ffmpeg_enc.c:899
#10 0x572aa7fb17b2 in task_wrapper fftools/ffmpeg_sched.c:2534
#11 0x7f286f094ac2 in start_thread nptl/pthread_create.c:442
#12 0x7f286f12684f (/usr/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
Address 0x7f286b5fe998 is located in stack of thread T1 (enc0:0:aac) at offset 40 in frame
#0 0x572aadc1038a in ff_aac_search_for_tns libavcodec/aacenc_tns.c:162
This frame has 2 object(s):
[32, 40) 'en' (line 183) <== Memory access at offset 40 overflows this variable
[64, 320) 'coefs' (line 165)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T1 (enc0:0:aac) created by T0 here:
#0 0x7f286fc58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x572aa7f8ad4b in task_start fftools/ffmpeg_sched.c:414
#2 0x572aa7fa09d7 in sch_start fftools/ffmpeg_sched.c:1615
#3 0x572aa8006dea in transcode fftools/ffmpeg.c:864
#4 0x572aa80081a8 in main fftools/ffmpeg.c:992
#5 0x7f286f029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: stack-buffer-overflow libavcodec/aacenc_tns.c:204 in ff_aac_search_for_tns
Found by:
0x20z
Thank you for your time and attention
Attachments (1)
Note:
See TracTickets
for help on using tickets.
