#11652 closed defect (fixed)
[security] libavcodec/hevc/hevcdec.c:2147:16 SEGV in hls_prediction_unit
| Reported by: | sigdevel | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | ffmpeg |
| Version: | git-master | Keywords: | libavcodec, SIGSEGV, hevc |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
When processing specially crafted HEVC video streams, the HEVC decoder fails to validate the decoding context pointer (s->HEVClc) before accessing its substructures. This leads to a NULL pointer dereference when accessing s->HEVClc->pu.merge_flag, causing a segmentation fault and denial of service.
How to reproduce:
./ffmpeg -i ./3_poc_libavcodec_hevc_hevcdec_c_2147 -f null
ENV:
ffmpeg debug version: N-120056-g6e8bd5dd25 (ffmpeg commit hash 6e8bd5dd2588f892cde308022a8a1e6ee82b9fa0)
ffmpeg latest autobuild version: ffmpeg version N-120054-g18c62245d7-20250627
built on: 6.12.25-amd64
build opts debug: --disable-shared --enable-static --disable-doc --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --toolchain=clang-asan --enable-debug=3 --disable-optimizations --disable-stripping
build opts default: --prefix=/ffbuild/prefix --pkg-config-flags=--static --pkg-config=pkg-config --cross-prefix=x86_64-ffbuild-linux-gnu- --arch=x86_64 --target-os=linux --enable-gpl --enable-version3 --disable-debug --enable-iconv --enable-zlib --enable-libfribidi --enable-gmp --enable-libxml2 --enable-openssl --enable-lzma --enable-fontconfig --enable-libharfbuzz --enable-libfreetype --enable-libvorbis --enable-opencl --enable-libpulse --enable-libvmaf --enable-libxcb --enable-xlib --enable-amf --enable-libaom --enable-libaribb24 --enable-avisynth --enable-chromaprint --enable-libdav1d --enable-libdavs2 --enable-libdvdread --enable-libdvdnav --disable-libfdk-aac --enable-ffnvcodec --enable-cuda-llvm --enable-frei0r --enable-libgme --enable-libkvazaar --enable-libaribcaption --enable-libass --enable-libbluray --enable-libjxl --enable-libmp3lame --enable-libopus --enable-librist --enable-libssh --enable-libtheora --enable-libvpx --enable-libwebp --enable-libzmq --enable-lv2 --enable-libvpl --enable-openal --enable-liboapv --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenh264 --enable-libopenjpeg --enable-libopenmpt --enable-librav1e --enable-librubberband --disable-schannel --enable-sdl2 --enable-libsnappy --enable-libsoxr --enable-libsrt --enable-libsvtav1 --enable-libtwolame --enable-libuavs3d --enable-libdrm --enable-vaapi --enable-libvidstab --enable-vulkan --enable-libshaderc --enable-libplacebo --enable-libvvenc --enable-libx264 --enable-libx265 --enable-libxavs2 --enable-libxvid --enable-libzimg --enable-libzvbi --extra-cflags=-DLIBTWOLAME_STATIC --extra-cxxflags= --extra-libs='-ldl -lgomp' --extra-ldflags=-pthread --extra-ldexeflags=-pie --cc=x86_64-ffbuild-linux-gnu-gcc --cxx=x86_64-ffbuild-linux-gnu-g++ --ar=x86_64-ffbuild-linux-gnu-gcc-ar --ranlib=x86_64-ffbuild-linux-gnu-gcc-ranlib --nm=x86_64-ffbuild-linux-gnu-gcc-nm --extra-version=20250627
Asan output:
ffmpeg version N-120001-gf789d60e11 Copyright (c) 2000-2025 the FFmpeg developers
built with Debian clang version 19.1.7 (1+b1)
configuration: --disable-shared --enable-static --disable-doc --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --toolchain=clang-asan --enable-debug=3 --disable-optimizations --disable-stripping
libavutil 60. 3.100 / 60. 3.100
libavcodec 62. 3.101 / 62. 3.101
libavformat 62. 1.100 / 62. 1.100
libavdevice 62. 0.100 / 62. 0.100
libavfilter 11. 0.100 / 11. 0.100
libswscale 9. 0.100 / 9. 0.100
libswresample 6. 0.100 / 6. 0.100
[kux @ 0x517000000080] Read FLV header error, input file is not a standard flv format, first PreviousTagSize0 always is 0
[kux @ 0x517000000080] Negative cts, previous timestamps might be wrong.
Truncating packet of size 6514015 to 571
[kux @ 0x517000000080] Packet corrupt (stream = 0, dts = 6255619).
[kux @ 0x517000000080] Track size mismatch: 6513444!
[extract_extradata @ 0x50e000000100] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[NULL @ 0x519000000f80] VPS 7 does not exist
[NULL @ 0x519000000f80] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[NULL @ 0x519000000f80] VPS 7 does not exist
[NULL @ 0x519000000f80] PPS id out of range: 2
[extract_extradata @ 0x50e000000100] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[hevc @ 0x519000000f80] VPS 7 does not exist
[hevc @ 0x519000000f80] Failed to parse header of NALU (type 0): "Invalid data found when processing input". Skipping NALU.
Last message repeated 1 times
[hevc @ 0x519000000f80] VPS 7 does not exist
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 33
[hevc @ 0x519000000f80] Unknown profile bitstream
Last message repeated 1 times
[hevc @ 0x519000000f80] sps_max_num_reorder_pics out of range: 2
[hevc @ 0x519000000f80] Overread PPS by 8 bits
[hevc @ 0x519000000f80] Overread slice header by 8 bits
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 0
[hevc @ 0x519000000f80] Unknown profile bitstream
[hevc @ 0x519000000f80] SPS id out of range: 32
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 33
[hevc @ 0x519000000f80] VPS 0 does not exist
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 33
[hevc @ 0x519000000f80] Overread slice header by 8 bits
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 0
[hevc @ 0x519000000f80] Could not find ref with POC -30
[hevc @ 0x519000000f80] Could not find ref with POC 127
[hevc @ 0x519000000f80] Could not find ref with POC 130
[hevc @ 0x519000000f80] Could not find ref with POC 135
[hevc @ 0x519000000f80] Could not find ref with POC 146
[hevc @ 0x519000000f80] Could not find ref with POC 148
[hevc @ 0x519000000f80] Could not find ref with POC 150
[hevc @ 0x519000000f80] Could not find ref with POC 152
[hevc @ 0x519000000f80] Could not find ref with POC 174
[hevc @ 0x519000000f80] Could not find ref with POC 176
[hevc @ 0x519000000f80] Could not find ref with POC 1
[hevc @ 0x519000000f80] Could not find ref with POC 2
[hevc @ 0x519000000f80] Could not find ref with POC 13
[hevc @ 0x519000000f80] PTL information too short
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 32
[hevc @ 0x519000000f80] Two slices reporting being the first in the same frame.
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 0
[hevc @ 0x519000000f80] PTL information too short
[hevc @ 0x519000000f80] Skipping invalid undecodable NALU: 32
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10759==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b9d2cdc5fc bp 0x7ffcb77398e0 sp 0x7ffcb7738f60 T0)
==10759==The signal is caused by a READ memory access.
==10759==Hint: address points to the zero page.
#0 0x55b9d2cdc5fc in hls_prediction_unit /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16
#1 0x55b9d2cd9797 in hls_coding_unit /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2469:9
#2 0x55b9d2cd8a2c in hls_coding_quadtree /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2677:15
#3 0x55b9d2cd8549 in hls_coding_quadtree /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2642:21
#4 0x55b9d2cd2691 in hls_decode_entry /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2782:21
#5 0x55b9d2cc9a33 in decode_slice_data /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3075:12
#6 0x55b9d2cbf0b4 in decode_slice /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3589:11
#7 0x55b9d2cbd916 in decode_nal_unit /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3657:15
#8 0x55b9d2cbca67 in decode_nal_units /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3770:15
#9 0x55b9d2cb69d8 in hevc_receive_frame /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:3872:14
#10 0x55b9d2950998 in ff_decode_receive_frame_internal /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/decode.c:618:19
#11 0x55b9d29530b4 in decode_receive_frame_internal /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/decode.c:650:15
#12 0x55b9d2952fad in avcodec_send_packet /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/decode.c:726:15
#13 0x55b9d1ead07b in try_decode_frame /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavformat/demux.c:2146:19
#14 0x55b9d1ea75c5 in avformat_find_stream_info /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavformat/demux.c:2828:9
#15 0x55b9d100f7d0 in ifile_open /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_demux.c:1814:15
#16 0x55b9d1073ee4 in open_files /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1366:15
#17 0x55b9d1073928 in ffmpeg_parse_options /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg_opt.c:1415:11
#18 0x55b9d10b6fd9 in main /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/fftools/ffmpeg.c:991:11
#19 0x7fb6b3a33ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#20 0x7fb6b3a33d64 in __libc_start_main csu/../csu/libc-start.c:360:3
#21 0x55b9d0f18710 in _start (/media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/ffmpeg+0x521710) (BuildId: 379ac85827c85a62a3da71cc682c7649d933e230)
==10759==Register values:
rax = 0x0000000000000000 rbx = 0x00007ffcb7738f60 rcx = 0x0000000000000000 rdx = 0x0000000000000002
rdi = 0x00007fb6b27c8dec rsi = 0x0000000000000000 rbp = 0x00007ffcb77398e0 rsp = 0x00007ffcb7738f60
r8 = 0x00000ff6d64f91bd r9 = 0x00007fb6b27c8df7 r10 = 0x00000ff6d64f91be r11 = 0x00000ff7564f11b8
r12 = 0x0000000000000000 r13 = 0x00007ffcb773e318 r14 = 0x0000000000000003 r15 = 0x000055b9d5b831b0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /media/user/6d3eeb8a-a93b-4220-bb13-a4e488ce0ce2/gpac/runtime/ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16 in hls_prediction_unit
==10759==ABORTING
PoC sample was uploaded to https://streams.videolan.org/upload/
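The ASan report above is the whole basis for the severity call on this ticket: a SEGV on a READ from address 0 with the "zero page" hint is a NULL-pointer dereference, so the impact is a crash (denial of service) rather than memory corruption. The following triage script is an added example, not FFmpeg code and not from the reporter: it parses a report of that shape into structured fields (error class, faulting address, access kind, zero-page hint, stack frames with file:line:column) and assigns a first-pass category and severity. The first embedded sample is an abbreviated copy of the report on this page; the second (a heap-buffer-overflow) is constructed to show the same parser making a different severity call. The `ZERO_PAGE_LIMIT` threshold and the severity labels are this example's own conventions.

```python
"""Triage an AddressSanitizer report into a structured summary (added example, not FFmpeg code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abbreviated copy of the report quoted in this ticket: deeper frames and the register dump dropped.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10759==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b9d2cdc5fc bp 0x7ffcb77398e0 sp 0x7ffcb7738f60 T0)
==10759==The signal is caused by a READ memory access.
==10759==Hint: address points to the zero page.
    #0 0x55b9d2cdc5fc in hls_prediction_unit ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16
    #1 0x55b9d2cd9797 in hls_coding_unit ffmpeg_asan/libavcodec/hevc/hevcdec.c:2469:9
    #2 0x55b9d0f18710 in _start (ffmpeg_asan/ffmpeg+0x521710) (BuildId: 379ac85827c85a62a3da71cc682c7649d933e230)
SUMMARY: AddressSanitizer: SEGV ffmpeg_asan/libavcodec/hevc/hevcdec.c:2147:16 in hls_prediction_unit
==10759==ABORTING
"""

# Constructed second report (not from this ticket) for a memory-corruption class.
OVERFLOW_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000015 at pc 0x000000400b3c bp 0x7ffd00000000 sp 0x7ffd00000000
WRITE of size 1 at 0x602000000015 thread T0
    #0 0x400b3b in copy_tag /src/demo.c:12:5
    #1 0x400c10 in main /src/demo.c:30:3
"""

ZERO_PAGE_LIMIT = 0x1000  # assumption: a 4 KiB first page, the range ASan's "zero page" hint refers to

@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]
    line: Optional[int]
    column: Optional[int]

@dataclass
class Triage:
    pid: int
    kind: str                  # ASan error class: "SEGV", "heap-buffer-overflow", ...
    address: int               # faulting address
    access: Optional[str]      # "READ", "WRITE" or None if the report does not say
    zero_page: bool            # ASan printed its explicit zero-page hint
    frames: List[Frame] = field(default_factory=list)
    category: str = "unknown"
    severity: str = "unknown"

_ERROR = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
_ACCESS = re.compile(r"\b(READ|WRITE)\b (?:memory access|of size \d+)")
_HINT = re.compile(r"Hint: address points to the zero page")
_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)")
_LOC = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")

def _parse_frame(m: "re.Match[str]") -> Frame:
    idx, func, loc = int(m.group(1)), m.group(2), m.group(3)
    lm = _LOC.match(loc)
    if not lm:  # e.g. "(binary+0x521710)" for a frame without debug info
        return Frame(idx, func, None, None, None)
    col = int(lm.group(3)) if lm.group(3) else None
    return Frame(idx, func, lm.group(1), int(lm.group(2)), col)

def parse_asan(report: str) -> Triage:
    """Extract the ERROR line, access kind, zero-page hint and stack frames from an ASan report."""
    header = _ERROR.search(report)
    if not header:
        raise ValueError("no AddressSanitizer ERROR line found")
    t = Triage(pid=int(header.group(1)), kind=header.group(2),
               address=int(header.group(3), 16), access=None,
               zero_page=bool(_HINT.search(report)))
    acc = _ACCESS.search(report)
    if acc:
        t.access = acc.group(1)
    for line in report.splitlines():
        fm = _FRAME.match(line)
        if fm:
            t.frames.append(_parse_frame(fm))
    return t

def classify(t: Triage) -> Triage:
    """Assign a category and first-pass severity; the labels are this example's own convention."""
    if t.kind == "SEGV":
        if t.zero_page or t.address < ZERO_PAGE_LIMIT:
            t.category = "null-pointer-dereference"
            # A read through NULL only crashes; a write near NULL deserves a closer look
            # because the offset from NULL may be attacker-influenced.
            t.severity = "low: crash / denial of service" if t.access == "READ" else "medium: write near NULL"
        else:
            t.category = "wild-pointer-access"
            t.severity = "unknown: needs manual analysis"
    elif t.kind.endswith("-buffer-overflow"):
        t.category = t.kind
        t.severity = "high: memory corruption" if t.access == "WRITE" else "medium: out-of-bounds read"
    elif t.kind.endswith("use-after-free") or t.kind == "double-free":
        t.category = t.kind
        t.severity = "high: memory corruption"
    else:
        t.category = t.kind
    return t

def triage(report: str) -> Triage:
    return classify(parse_asan(report))

def summary_line(t: Triage) -> str:
    top = t.frames[0] if t.frames else None
    where = f"{top.function} ({top.file}:{top.line})" if top and top.file else (top.function if top else "?")
    return f"{t.kind} {t.access or '?'} @0x{t.address:x} in {where} -> {t.category} [{t.severity}]"

if __name__ == "__main__":
    for rep in (SAMPLE_REPORT, OVERFLOW_REPORT):
        print(summary_line(triage(rep)))
```

Run on the report from this ticket it yields a null-pointer-dereference in hls_prediction_unit at hevcdec.c:2147, severity low; a NULL read cannot be turned into a write or a controlled jump, which is why the ticket's impact is denial of service. The zero-page check uses both ASan's hint and the raw address because a NULL base plus a large struct offset can land above the first page without triggering the hint.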
Attachments (1)
Change History (5)
comment:1 by , 11 months ago
| Cc: | removed |
|---|
by , 10 months ago
| Attachment: | 3_poc_libavcodec_hevc_hevcdec_c_2147 added |
|---|
comment:2 by , 6 months ago
comment:3 by , 6 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20869