Opened 11 months ago
Last modified 6 weeks ago
#11687 new defect
[Security] Null pointer dereference on libswscale/slice.c
| Reported by: | flyfish101 | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | swscale |
| Version: | git-master | Keywords: | scale |
| Cc: | Niklas Haas | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
```
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1051 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
Reading 181 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
1 x 10216 yuva420p10le -> 127 x 1 nv16
libswscale/slice.c:233:25: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
libswscale/slice.c:233:25: runtime error: load of null pointer of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2824107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556091215 bp 0x7fffffffc890 sp 0x7fffffffc7a0 T0)
==2824107==The signal is caused by a READ memory access.
==2824107==Hint: address points to the zero page.
    #0 0x555556091215 in get_min_buffer_size /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25
    #1 0x5555560878ca in ff_init_filters /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:265:5
    #2 0x5555557b93f9 in ff_sws_init_single_context /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/utils.c:1452:20
    #3 0x5555559689db in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1051.c:178:11
    #4 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #5 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #6 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #7 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1051+0x315fdd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25 in get_min_buffer_size
==2824107==ABORTING
```
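A sanitizer report like the one above is what a fuzzing triage pipeline sees in bulk, and the first questions are always the same: which sanitizer fired, what kind of fault, at what address, and which frame inside the project is on top. The following is an added example, not code from this ticket or from FFmpeg: a small Python parser that extracts the UBSan messages, the ASan error kind and fault address, the access type and the stack frames, flags a fault in the zero page as a null pointer dereference, and derives a deduplication key from the top in-project frame so that repeated crashes at the same site collapse into one bucket. The sample report is a constructed excerpt modelled on the trace above (driver frames omitted); the `/FFmpeg/` project-root marker and the 4 KiB page size are assumptions.

```python
"""Triage helper for AddressSanitizer / UndefinedBehaviorSanitizer reports.

Added example, not from the FFmpeg ticket or the FFmpeg project. The sample
below is a constructed excerpt modelled on the ticket's trace.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the ticket's output (driver frames omitted).
SAMPLE_REPORT = """\
libswscale/slice.c:233:25: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
libswscale/slice.c:233:25: runtime error: load of null pointer of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2824107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556091215 bp 0x7fffffffc890 sp 0x7fffffffc7a0 T0)
==2824107==The signal is caused by a READ memory access.
==2824107==Hint: address points to the zero page.
    #0 0x555556091215 in get_min_buffer_size /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25
    #1 0x5555560878ca in ff_init_filters /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:265:5
    #2 0x5555557b93f9 in ff_sws_init_single_context /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/utils.c:1452:20
    #3 0x5555559689db in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1051.c:178:11
SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25 in get_min_buffer_size
==2824107==ABORTING
"""

# Line shapes emitted by UBSan and ASan (clang/LLVM sanitizer runtime).
UBSAN_RE = re.compile(r"^(?P<loc>\S+:\d+:\d+): runtime error: (?P<msg>.+)$")
ASAN_ERR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (?P<op>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")

PAGE_SIZE = 4096  # assumption: 4 KiB zero page, matching ASan's "zero page" hint


@dataclass
class Triage:
    ubsan: List[Tuple[str, str]] = field(default_factory=list)   # (file:line:col, message)
    asan_kind: Optional[str] = None      # e.g. "SEGV", "heap-buffer-overflow"
    fault_addr: Optional[int] = None
    access: Optional[str] = None         # "READ" or "WRITE"
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, location)

    @property
    def null_page(self) -> bool:
        """True when the faulting address lies in the first page, i.e. a NULL (+offset) access."""
        return self.fault_addr is not None and self.fault_addr < PAGE_SIZE

    def top_project_frame(self, marker: str = "/FFmpeg/") -> Optional[Tuple[str, str]]:
        """First frame whose path contains the project-root marker, path made relative."""
        for func, loc in self.frames:
            if marker in loc:
                return func, loc.split(marker, 1)[1]
        return None

    def dedupe_key(self, marker: str = "/FFmpeg/") -> str:
        """Bucket key: error kind + top in-project function + file:line (column dropped)."""
        frame = self.top_project_frame(marker)
        kind = self.asan_kind or "ubsan"
        if frame is None:
            return f"{kind}:unknown"
        func, loc = frame
        file_line = ":".join(loc.split(":")[:2])
        return f"{kind}:{func}:{file_line}"

    def verdict(self) -> str:
        """Human-readable classification used when filing or prioritising the crash."""
        if self.asan_kind == "SEGV" and self.null_page:
            return "null pointer dereference (%s of zero page)" % (self.access or "access").lower()
        if self.asan_kind:
            return self.asan_kind
        if self.ubsan:
            return "UBSan only: " + self.ubsan[0][1]
        return "no sanitizer finding"


def parse_report(text: str) -> Triage:
    """Walk the report line by line and fill a Triage record."""
    t = Triage()
    for line in text.splitlines():
        if m := UBSAN_RE.match(line):
            t.ubsan.append((m["loc"], m["msg"]))
        elif m := ASAN_ERR_RE.match(line):
            t.asan_kind = m["kind"]
            t.fault_addr = int(m["addr"], 16)
        elif m := ACCESS_RE.search(line):
            t.access = m["op"]
        elif m := FRAME_RE.match(line):
            t.frames.append((m["func"], m["loc"]))
    return t


if __name__ == "__main__":
    triage = parse_report(SAMPLE_REPORT)
    print("verdict:   ", triage.verdict())
    print("dedupe key:", triage.dedupe_key())
    for loc, msg in triage.ubsan:
        print("ubsan:     ", loc, "-", msg)
```

The dedupe key drops the column number and the absolute path prefix on purpose: the same fault reached through slightly different inputs, or reported from a different checkout directory, should land in one bucket. The zero-page test mirrors ASan's own hint and tells a triager that the first thing to look for is a missing NULL check on the way into the crashing function rather than a corrupted heap.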
Attachments (2)
Change History (7)
by , 11 months ago
| Attachment: | poc_slice_c_233 added |
|---|
comment:1 by , 11 months ago
| Description: | modified (diff) |
|---|
comment:2 by , 11 months ago
| Summary: | [Security] Null pointer deference on libswscale/slice.c → [Security] Null pointer dereference on libswscale/slice.c |
|---|
comment:3 by , 11 months ago
| Version: | unspecified → git-master |
|---|
comment:4 by , 11 months ago
| Cc: | added |
|---|
comment:5 by , 6 weeks ago
I may have just hit this code path on accident.
To reproduce:
```
ffplay -f lavfi -i nullsrc=s=400x400 -vf "scale=5:5:flags=lanczos:gamma=1"
```
by , 6 weeks ago