Opened 11 months ago

Last modified 10 months ago

#11639 new defect

[security] libavcodec/aac/aacdec.c:195:27 SEGV in frame_configure_elements

Reported by: sigdevel Owned by:
Priority: normal Component: ffmpeg
Version: 7.1 Keywords: SIGSEGV
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
Crafted MP4 file containing invalid metadata (negative time scales in mvhd/mdhd atoms, excessive sample size of 4294966935 and zero-duration samples) triggers a SEGV in the AAC decoder during USAC initialization, where frame_configure_elements attempts a WRITE memory access at address 0x70 due to an uninitialized/invalid Channel element pointer when processing the malformed audio configuration.

How to reproduce:

./ffmpeg -i ./2_poc_libavcodec_aac_aacdec_c_195 -f null

ENV:

ffmpeg OS version: 7.1.1-1+b1 ;
ffmpeg debug version: N-119918-gee1f79b0fa (ffmpeg commit hash ee1f79b0fa4c82da9c19328b049b593c71611402) ;
built on: 6.12.25-amd64 ;
build opts debug: --disable-shared --enable-static --disable-doc --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --toolchain=clang-asan --enable-debug=3 --disable-optimizations --disable-stripping ;

Asan output:

== ffmpeg version N-119886-g52441bd4cd Copyright (c) 2000-2025 the FFmpeg developers
  built with Debian clang version 19.1.7 (1+b1)
  configuration: --disable-shared --enable-static --disable-doc --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --toolchain=clang-asan --enable-debug=3 --disable-optimizations --disable-stripping
  libavutil      60.  3.100 / 60.  3.100
  libavcodec     62.  3.101 / 62.  3.101
  libavformat    62.  1.100 / 62.  1.100
  libavdevice    62.  0.100 / 62.  0.100
  libavfilter    11.  0.100 / 11.  0.100
  libswscale      9.  0.100 /  9.  0.100
  libswresample   6.  0.100 /  6.  0.100
Trailing option(s) found in the command: may be ignored.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] Invalid mvhd time scale -956300712, defaulting to 1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] Invalid mdhd time scale -1761563580, defaulting to 1
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] Sample size 4294966935 is too large
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x517000000080] All samples in data stream index:id [3:4] have zero duration, stream set to be discarded by default. Override using AVStream->discard or -discard for ffmpeg command.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==88932==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x55bcf83bbc74 bp 0x7ffd58251870 sp 0x7ffd58251770 T0)
==88932==The signal is caused by a WRITE memory access.
==88932==Hint: address points to the zero page.
    #0 0x55bcf83bbc74 in frame_configure_elements /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:195:27
    #1 0x55bcf83ba731 in ff_aac_output_configure /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:518:20
    #2 0x55bcf83bc848 in ff_aac_get_che /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:632:13
    #3 0x55bcf83f3ad2 in ff_aac_usac_reset_state /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec_usac.c:308:15
    #4 0x55bcf83f5980 in ff_aac_usac_config_decode /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec_usac.c:553:11
    #5 0x55bcf83c8a93 in decode_audio_specific_config_gb /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:1053:20
    #6 0x55bcf83bed97 in decode_audio_specific_config /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:1097:12
    #7 0x55bcf83be4d6 in ff_aac_decode_init /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:1193:20
    #8 0x55bcf83e3a66 in ff_aac_decode_init_float /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec_float.c:181:12
    #9 0x55bcf671b34f in avcodec_open2 /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/avcodec.c:336:19
    #10 0x55bcf5fea1de in avformat_find_stream_info /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavformat/demux.c:2592:21
    #11 0x55bcf51527d0 in ifile_open /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_demux.c:1814:15
    #12 0x55bcf51b6f94 in open_files /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1366:15
    #13 0x55bcf51b69d8 in ffmpeg_parse_options /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1415:11
    #14 0x55bcf51fa099 in main /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg.c:991:11
    #15 0x7ffa2c433ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7ffa2c433d64 in __libc_start_main csu/../csu/libc-start.c:360:3
    #17 0x55bcf505b710 in _start (/media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/ffmpeg+0x521710) (BuildId: d2246b878abfa9a260cfb4c2c78620ba94243a83)

==88932==Register values:
rax = 0x0000000000000070  rbx = 0x00007ffd58251880  rcx = 0x00000000000001f8  rdx = 0x0000000000000018
rdi = 0x0000000000000000  rsi = 0x000052d000023f10  rbp = 0x00007ffd58251870  rsp = 0x00007ffd58251770
 r8 = 0x00000a32000003fc   r9 = 0x0000519000001ff7  r10 = 0x00000a32000003fe  r11 = 0x00000a327fff83f8
r12 = 0x0000000000000000  r13 = 0x00007ffd58255908  r14 = 0x00007ffa2e5af000  r15 = 0x000055bcf9ccb1b0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/aac/aacdec.c:195:27 in frame_configure_elements
==88932==ABORTING

https://github.com/sigdevel/pocs/blob/d65a0c4ece90b07878ae098f93d925c1301ce676/res/FFmpeg/ffmpeg/2/ffmpeg_2_asan_2025-06-15_17-20.png

Poc-sample was uploaded to https://streams.videolan.org/upload/
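To inspect the malformed metadata the demuxer warns about without handing the file to a decoder, here is an added example (not the reporter's PoC and not FFmpeg code): a small atom walker that reads the mvhd/mdhd time scale as a signed 32-bit value, the way the warning prints it, and flags the oversized stsz sample size. The MAX_SAMPLE_SIZE threshold and the in-memory sample built by build_sample() are constructed assumptions that mirror the three values from the ticket.

```python
import struct

# Added example: walks an MP4 atom tree and reports the metadata problems
# named in the ticket. Not libavformat's logic; the size limit is assumed.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
MAX_SAMPLE_SIZE = 0x7FFFFFFF  # assumed limit: anything above cannot fit an int

def iter_atoms(data, start, end):
    """Yield (type, body_start, atom_end) for each atom in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        hdr = 8
        if size == 1:                       # 64-bit largesize follows the type
            size, hdr = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif size == 0:                     # atom runs to the end of its parent
            size = end - pos
        if size < hdr or pos + size > end:
            raise ValueError(f"bad atom size {size} at offset {pos}")
        yield atype, pos + hdr, pos + size
        pos += size

def check_mp4(data):
    """Return [(atom_path, problem)] for non-positive time scales and oversized stsz."""
    findings = []
    def walk(start, end, path):
        for atype, body, aend in iter_atoms(data, start, end):
            name = f"{path}/{atype.decode('latin-1')}"
            if atype in CONTAINERS:
                walk(body, aend, name)
            elif atype in (b"mvhd", b"mdhd"):
                # full box: version(1) flags(3); version 1 has 64-bit create/modify times
                off = body + (20 if data[body] == 1 else 12)
                ts = struct.unpack(">i", data[off:off + 4])[0]  # signed, as the warning shows it
                if ts <= 0:
                    findings.append((name, f"invalid timescale {ts}"))
            elif atype == b"stsz":
                size = struct.unpack(">I", data[body + 4:body + 8])[0]
                if size > MAX_SAMPLE_SIZE:
                    findings.append((name, f"sample size {size} is too large"))
    walk(0, len(data), "")
    return findings

def atom(atype, body):
    return struct.pack(">I", 8 + len(body)) + atype + body

def build_sample():
    """Constructed 'moov' skeleton carrying the three values from the ticket's warnings."""
    mvhd = atom(b"mvhd", bytes(4) + struct.pack(">IIiI", 0, 0, -956300712, 0))
    mdhd = atom(b"mdhd", bytes(4) + struct.pack(">IIiIHH", 0, 0, -1761563580, 0, 0x55C4, 0))
    stsz = atom(b"stsz", bytes(4) + struct.pack(">II", 4294966935, 1))
    trak = atom(b"trak", atom(b"mdia", mdhd + atom(b"minf", atom(b"stbl", stsz))))
    return atom(b"ftyp", b"isom" + bytes(4) + b"isom") + atom(b"moov", mvhd + trak)
```

Running check_mp4 over a real file is a quick pre-filter for a crash corpus: a sample that trips these checks is worth triaging separately from ones whose metadata is sane.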

Attachments (2)

ffmpeg_2_clean_2025-06-15_17-20.png (344.6 KB ) - added by sigdevel 11 months ago.
2_poc_libavcodec_aac_aacdec_c_195 (6.0 KB ) - added by sigdevel 10 months ago.


Change History (6)

by sigdevel, 11 months ago

comment:1 by sigdevel, 11 months ago

Summary: libavcodec/aac/aacdec.c:195:27 SEGV in frame_configure_elements → [security] libavcodec/aac/aacdec.c:195:27 SEGV in frame_configure_elements

comment:2 by sigdevel, 11 months ago

Cc: sigdevel removed

comment:3 by emmastrck, 10 months ago

Would you mind attaching the video?

by sigdevel, 10 months ago

in reply to: 3 comment:4 by sigdevel, 10 months ago

Replying to emmastrck:

Would you mind attaching the video?

Also added crash-sample to attachment
