Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#7980 closed defect (fixed)

heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp by null pointer or undefined-behavior libavformat/nutenc.c:794:27

Reported by: Suhwan Owned by:
Priority: important Component: avcodec
Version: git-master Keywords: zmbv nut ubsan asan regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
There's a heap-buffer-overflow ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp due to null pointer or undefined-behavior at libavformat/nutenc.c:794:27.

How to reproduce:

input file: tmp.webm , output file: tmp_.nut
% ffmpeg_g  -y -r 3 -i tmp.webm -map 0 -c:v zmbv -c:s adpcm_ms -disposition:a:86 vc2 -disposition:s prores_ks -vframes 52 -r 8 -ar 22050 -b:v 928 -strict 2 tmp_.nut

ffmpeg version : N-94137-g89b96900fa Copyright (c) 2000-2019 the FFmpeg developers

built with clang-9, clang-asan option.

Here's ASAN log below.

  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.100 / 58. 53.100
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
[New Thread 0x7ffff025b700 (LWP 8902)]
[New Thread 0x7fffefa5a700 (LWP 8903)]
[New Thread 0x7fffef259700 (LWP 8904)]
[New Thread 0x7fffeea58700 (LWP 8905)]
[New Thread 0x7fffee257700 (LWP 8906)]
[New Thread 0x7fffeda56700 (LWP 8907)]
[New Thread 0x7fffed255700 (LWP 8908)]
[New Thread 0x7fffeca54700 (LWP 8909)]
[New Thread 0x7fffec253700 (LWP 8910)]
[New Thread 0x7fffeba52700 (LWP 8911)]
[New Thread 0x7fffeb251700 (LWP 8912)]
[New Thread 0x7fffeaa50700 (LWP 8913)]
[New Thread 0x7fffea24f700 (LWP 8914)]
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> mp2 (native))
Press [q] to stop, [?] for help
[New Thread 0x7fffe9a4e700 (LWP 8916)]
[New Thread 0x7fffe924d700 (LWP 8917)]
[New Thread 0x7fffe8a4c700 (LWP 8918)]
[New Thread 0x7fffe824b700 (LWP 8919)]
[New Thread 0x7fffe7a4a700 (LWP 8920)]
[New Thread 0x7fffe7249700 (LWP 8921)]
[New Thread 0x7fffe6a32700 (LWP 8922)]
[New Thread 0x7fffe621b700 (LWP 8923)]
[New Thread 0x7fffe5a04700 (LWP 8924)]
[New Thread 0x7fffe51ed700 (LWP 8925)]
[New Thread 0x7fffe49d6700 (LWP 8926)]
[New Thread 0x7fffe41bf700 (LWP 8927)]
[New Thread 0x7fffe372c700 (LWP 8930)]
[New Thread 0x7fffe2f15700 (LWP 8931)]
[New Thread 0x7fffe26fe700 (LWP 8932)]
[New Thread 0x7fffe1ee7700 (LWP 8933)]
[New Thread 0x7fffe16d0700 (LWP 8934)]
[New Thread 0x7fffe0eb9700 (LWP 8935)]
[New Thread 0x7fffe06a2700 (LWP 8936)]
[New Thread 0x7fffdfe8b700 (LWP 8937)]
[New Thread 0x7fffdf674700 (LWP 8938)]
[New Thread 0x7fffdee5d700 (LWP 8939)]
[New Thread 0x7fffde646700 (LWP 8940)]
[New Thread 0x7fffdde2f700 (LWP 8941)]
[zmbv @ 0x619000015480] Bitrate 928 is extremely low, maybe you mean 928k
The bitrate parameter is set too low. It takes bits/s as argument, not kbits/s
Output #0, nut, to 'tmp/tmp_.nut':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv (ZMBV / 0x56424D5A), bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 0 kb/s, 8 fps, 65536 tbn, 8 tbc (default)
    Metadata:
      encoder         : Lavc58.53.100 zmbv
    Stream #0:1: Audio: mp2 (P[0][0][0] / 0x0050), 22050 Hz, mono, s16, 160 kb/s (default)
    Metadata:
      X-Language      : eng
      encoder         : Lavc58.53.100 mp2
libavformat/nutenc.c:794:27: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:64:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/nutenc.c:794:27 in 
=================================================================
==8843==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fffdd32e7f0 at pc 0x00000632b075 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
READ of size 1 at 0x7fffdd32e7f0 thread T0
    #0 0x632b074 in block_cmp ffmpeg/libavcodec/zmbvenc.c:97:30
    #1 0x63249cb in zmbv_me ffmpeg/libavcodec/zmbvenc.c:153:18
    #2 0x63249cb in encode_frame ffmpeg/libavcodec/zmbvenc.c:242
    #3 0x3036600 in avcodec_encode_video2 ffmpeg/libavcodec/encode.c:296:11
    #4 0x303979e in do_encode ffmpeg/libavcodec/encode.c:365:15
    #5 0x3038e7a in avcodec_send_frame ffmpeg/libavcodec/encode.c:414:12
    #6 0x631f2a in do_video_out ffmpeg/fftools/ffmpeg.c:1287:15
    #7 0x629ae0 in reap_filters ffmpeg/fftools/ffmpeg.c:1504:17
    #8 0x5bd503 in transcode_step ffmpeg/fftools/ffmpeg.c:4648:12
    #9 0x5bd503 in transcode ffmpeg/fftools/ffmpeg.c:4692
    #10 0x5b2c0b in main ffmpeg/fftools/ffmpeg.c:4894:9
    #11 0x7ffff4fb2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41fb39 in _start (ffmpeg/ffmpeg_g+0x41fb39)

0x7fffdd32e7f0 is located 16 bytes to the left of 763424-byte region [0x7fffdd32e800,0x7fffdd3e8e20)
allocated by thread T0 here:
    #0 0x4ad2ad in posix_memalign opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:226
    #1 0x8334fc5 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x8334fc5 in av_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x6320250 in encode_init ffmpeg/libavcodec/zmbvenc.c:413:25

SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp

Attachments (2)

gdb_log_7980 (9.1 KB ) - added by Suhwan 5 years ago.
tmp.webm (224.1 KB ) - added by Suhwan 5 years ago.

Download all attachments as: .zip

Change History (10)

by Suhwan, 5 years ago

Attachment: gdb_log_7980 added

by Suhwan, 5 years ago

Attachment: tmp.webm added

comment:1 by Suhwan, 5 years ago

Keywords: avcodec added

comment:2 by Carl Eugen Hoyos, 5 years ago

Component: ffmpegavcodec
Keywords: zmbv ubsan added; Heap buffer overflow ASAN Null pointer avformat avcodec removed
Priority: criticalimportant

I only see the following error, patch sent:

$ ffmpeg_g -i tmp.webm -c:v zmbv -f null -
ffmpeg version N-94142-g3b2082c663 Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 8.0.0 (tags/RELEASE_800/final 356365)
  configuration: --enable-gpl --toolchain=clang-usan
  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.100 / 58. 53.100
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
  libpostproc    55.  4.100 / 55.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc (default)
    Metadata:
      encoder         : Lavc58.53.100 zmbv
    Stream #0:1(eng): Audio: pcm_s16le, 48000 Hz, mono, s16, 768 kb/s (default)
    Metadata:
      encoder         : Lavc58.53.100 pcm_s16le
src/libavcodec/zmbvenc.c:243:29: runtime error: left shift of negative value -4
src/libavcodec/zmbvenc.c:244:28: runtime error: left shift of negative value -2  
[matroska,webm @ 0x9884740] Element at 0x38041 ending at 0x3804f exceeds containing master element ending at 0x38035
frame=  166 fps=3.4 q=-0.0 Lsize=N/A time=00:00:05.58 bitrate=N/A speed=0.113x    
video:12130kB audio:522kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown

comment:3 by Suhwan, 5 years ago

Thanks for Patching.

To check heap buffer overflow in the program is needed to be compiled with clang-asan.
usan option is for checking undefined behaviours.
so I think asan option will reproduce the same log that I reported.

comment:4 by Carl Eugen Hoyos, 5 years ago

Keywords: asan regression added
Reproduced by developer: set
Status: newopen

The buffer overflow is a regression since 0321370601833f4ae47e8e11c44570ea4bd382a4

$ ffmpeg -i tmp.webm -vcodec zmbv -f null -
ffmpeg version N-94148-g4877b5869e Copyright (c) 2000-2019 the FFmpeg developers
  built with gcc 9 (SUSE Linux)
  configuration: --toolchain=gcc-asan
  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.101 / 58. 53.101
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc (default)
    Metadata:
      encoder         : Lavc58.53.101 zmbv
    Stream #0:1(eng): Audio: pcm_s16le, 48000 Hz, mono, s16, 768 kb/s (default)
    Metadata:
      encoder         : Lavc58.53.101 pcm_s16le
=================================================================
==24243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1cc348e7f0 at pc 0x000001fa74f1 bp 0x7fff41dee710 sp 0x7fff41dee708
READ of size 1 at 0x7f1cc348e7f0 thread T0
    #0 0x1fa74f0 in block_cmp src/libavcodec/zmbvenc.c:97
    #1 0x1fa871b in zmbv_me src/libavcodec/zmbvenc.c:153
    #2 0x1fa871b in encode_frame src/libavcodec/zmbvenc.c:242
    #3 0x104c9b5 in avcodec_encode_video2 src/libavcodec/encode.c:296
    #4 0x104d250 in do_encode src/libavcodec/encode.c:365
    #5 0x104d65a in avcodec_send_frame src/libavcodec/encode.c:414
    #6 0x5d9dfb in do_video_out src/fftools/ffmpeg.c:1287
    #7 0x5dc553 in reap_filters src/fftools/ffmpeg.c:1504
    #8 0x5ea71a in transcode_step src/fftools/ffmpeg.c:4648
    #9 0x5ea71a in transcode src/fftools/ffmpeg.c:4692
    #10 0x57df6b in main src/fftools/ffmpeg.c:4894
    #11 0x7f1cd3812bca in __libc_start_main (/lib64/libc.so.6+0x26bca)
    #12 0x592719 in _start (/mnt/sdb6/cehoyos/android/linux64/ffmpeg_g+0x592719)

0x7f1cc348e7f0 is located 16 bytes to the left of 763424-byte region [0x7f1cc348e800,0x7f1cc3548e20)
allocated by thread T0 here:
    #0 0x7f1cd40944a5 in __interceptor_posix_memalign (/usr/lib64/libasan.so.5+0x10b4a5)
    #1 0x29c4074 in av_malloc src/libavutil/mem.c:87
    #2 0x29c4074 in av_mallocz src/libavutil/mem.c:238

SUMMARY: AddressSanitizer: heap-buffer-overflow src/libavcodec/zmbvenc.c:97 in block_cmp
Shadow bytes around the buggy address:
  0x0fe418689ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe418689cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0fe418689d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==24243==ABORTING

comment:5 by Kamalalochana Subbaiah, 5 years ago

Please confirm if version 4.0.0 is impacted due to the above vulnerability?

comment:6 by mkver, 5 years ago

The zmbvenc bug has been fixed in def04022f4a7058f99e669bfd978d431d79aec18.
@kamasubb: Only the release 4.2 has been affected by this.

comment:7 by Carl Eugen Hoyos, 5 years ago

Resolution: fixed
Status: openclosed

The ubsan issue in the nut muxer was fixed by Michael in e4fdeb3fcefeb98f2225f7ccded156fb175959c5

comment:8 by Carl Eugen Hoyos, 5 years ago

Keywords: nut added
Note: See TracTickets for help on using tickets.