#7980 closed defect (fixed)
heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp by null pointer or undefined-behavior libavformat/nutenc.c:794:27
Reported by: | Suhwan | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avcodec |
Version: | git-master | Keywords: | zmbv nut ubsan asan regression |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
Summary of the bug:
There's a heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp due to a null pointer or undefined behavior at libavformat/nutenc.c:794:27.
How to reproduce:
input file: tmp.webm, output file: tmp_.nut

```
% ffmpeg_g -y -r 3 -i tmp.webm -map 0 -c:v zmbv -c:s adpcm_ms -disposition:a:86 vc2 -disposition:s prores_ks -vframes 52 -r 8 -ar 22050 -b:v 928 -strict 2 tmp_.nut
```

ffmpeg version: N-94137-g89b96900fa Copyright (c) 2000-2019 the FFmpeg developers, built with clang-9, clang-asan option.
Here's the ASAN log below.
```
  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.100 / 58. 53.100
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
[New Thread 0x7ffff025b700 (LWP 8902)]
[New Thread 0x7fffefa5a700 (LWP 8903)]
[New Thread 0x7fffef259700 (LWP 8904)]
[New Thread 0x7fffeea58700 (LWP 8905)]
[New Thread 0x7fffee257700 (LWP 8906)]
[New Thread 0x7fffeda56700 (LWP 8907)]
[New Thread 0x7fffed255700 (LWP 8908)]
[New Thread 0x7fffeca54700 (LWP 8909)]
[New Thread 0x7fffec253700 (LWP 8910)]
[New Thread 0x7fffeba52700 (LWP 8911)]
[New Thread 0x7fffeb251700 (LWP 8912)]
[New Thread 0x7fffeaa50700 (LWP 8913)]
[New Thread 0x7fffea24f700 (LWP 8914)]
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> mp2 (native))
Press [q] to stop, [?] for help
[New Thread 0x7fffe9a4e700 (LWP 8916)]
[New Thread 0x7fffe924d700 (LWP 8917)]
[New Thread 0x7fffe8a4c700 (LWP 8918)]
[New Thread 0x7fffe824b700 (LWP 8919)]
[New Thread 0x7fffe7a4a700 (LWP 8920)]
[New Thread 0x7fffe7249700 (LWP 8921)]
[New Thread 0x7fffe6a32700 (LWP 8922)]
[New Thread 0x7fffe621b700 (LWP 8923)]
[New Thread 0x7fffe5a04700 (LWP 8924)]
[New Thread 0x7fffe51ed700 (LWP 8925)]
[New Thread 0x7fffe49d6700 (LWP 8926)]
[New Thread 0x7fffe41bf700 (LWP 8927)]
[New Thread 0x7fffe372c700 (LWP 8930)]
[New Thread 0x7fffe2f15700 (LWP 8931)]
[New Thread 0x7fffe26fe700 (LWP 8932)]
[New Thread 0x7fffe1ee7700 (LWP 8933)]
[New Thread 0x7fffe16d0700 (LWP 8934)]
[New Thread 0x7fffe0eb9700 (LWP 8935)]
[New Thread 0x7fffe06a2700 (LWP 8936)]
[New Thread 0x7fffdfe8b700 (LWP 8937)]
[New Thread 0x7fffdf674700 (LWP 8938)]
[New Thread 0x7fffdee5d700 (LWP 8939)]
[New Thread 0x7fffde646700 (LWP 8940)]
[New Thread 0x7fffdde2f700 (LWP 8941)]
[zmbv @ 0x619000015480] Bitrate 928 is extremely low, maybe you mean 928k
The bitrate parameter is set too low. It takes bits/s as argument, not kbits/s
Output #0, nut, to 'tmp/tmp_.nut':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv (ZMBV / 0x56424D5A), bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 0 kb/s, 8 fps, 65536 tbn, 8 tbc (default)
    Metadata:
      encoder         : Lavc58.53.100 zmbv
    Stream #0:1: Audio: mp2 (P[0][0][0] / 0x0050), 22050 Hz, mono, s16, 160 kb/s (default)
    Metadata:
      X-Language      : eng
      encoder         : Lavc58.53.100 mp2
libavformat/nutenc.c:794:27: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:64:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/nutenc.c:794:27 in
=================================================================
==8843==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fffdd32e7f0 at pc 0x00000632b075 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
READ of size 1 at 0x7fffdd32e7f0 thread T0
    #0 0x632b074 in block_cmp ffmpeg/libavcodec/zmbvenc.c:97:30
    #1 0x63249cb in zmbv_me ffmpeg/libavcodec/zmbvenc.c:153:18
    #2 0x63249cb in encode_frame ffmpeg/libavcodec/zmbvenc.c:242
    #3 0x3036600 in avcodec_encode_video2 ffmpeg/libavcodec/encode.c:296:11
    #4 0x303979e in do_encode ffmpeg/libavcodec/encode.c:365:15
    #5 0x3038e7a in avcodec_send_frame ffmpeg/libavcodec/encode.c:414:12
    #6 0x631f2a in do_video_out ffmpeg/fftools/ffmpeg.c:1287:15
    #7 0x629ae0 in reap_filters ffmpeg/fftools/ffmpeg.c:1504:17
    #8 0x5bd503 in transcode_step ffmpeg/fftools/ffmpeg.c:4648:12
    #9 0x5bd503 in transcode ffmpeg/fftools/ffmpeg.c:4692
    #10 0x5b2c0b in main ffmpeg/fftools/ffmpeg.c:4894:9
    #11 0x7ffff4fb2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41fb39 in _start (ffmpeg/ffmpeg_g+0x41fb39)

0x7fffdd32e7f0 is located 16 bytes to the left of 763424-byte region [0x7fffdd32e800,0x7fffdd3e8e20)
allocated by thread T0 here:
    #0 0x4ad2ad in posix_memalign opt/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:226
    #1 0x8334fc5 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x8334fc5 in av_mallocz ffmpeg/libavutil/mem.c:238
    #3 0x6320250 in encode_init ffmpeg/libavcodec/zmbvenc.c:413:25

SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp
```
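The ASan report above is a one-byte read 16 bytes before the start of a heap region, reached from a block comparison inside the encoder's motion-estimation search. The added example below is not FFmpeg's zmbvenc.c; it is an illustration, written for this ticket, of the check that prevents that class of read: every candidate block position in a block-matching search is validated against the frame bounds before any pixel is touched, and candidates that would fall outside the previous frame are skipped rather than compared. The frame layout, the 8x8 block size, the +-4 search window, the gradient test frames and all function names (`block_in_bounds`, `block_cmp_checked`, `me_search`, `count_oob_candidates`, `demo`) are constructed for the example and are not the project's own.

```c
/* Added illustration, not FFmpeg code: a block-matching search over a previous
 * frame whose candidate offsets are validated before any byte is read. Frame
 * layout, block size, search range and all names are assumptions made for
 * this example. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define BW 8       /* block width in bytes (1 byte per pixel here)         */
#define BH 8       /* block height                                          */
#define RANGE 4    /* search +-RANGE pixels around the block's own position */

typedef struct {
    int w, h;       /* frame dimensions in pixels */
    uint8_t *data;  /* w*h bytes, row-major, stride == w */
} frame_t;

/* 1 when a BWxBH block with top-left corner (x, y) lies entirely inside the
 * frame, else 0. A negative x or y is exactly the case that reads before the
 * start of the heap buffer, which is what the ASan report above flagged. */
int block_in_bounds(const frame_t *f, int x, int y)
{
    return x >= 0 && y >= 0 && x + BW <= f->w && y + BH <= f->h;
}

/* Sum of absolute differences between the block at (x, y) in cur and the block
 * at (x + dx, y + dy) in prev. Returns -1 without touching memory when either
 * block is out of bounds. */
long block_cmp_checked(const frame_t *cur, const frame_t *prev,
                       int x, int y, int dx, int dy)
{
    if (!block_in_bounds(cur, x, y) || !block_in_bounds(prev, x + dx, y + dy))
        return -1;
    long sad = 0;
    for (int j = 0; j < BH; j++) {
        const uint8_t *c = cur->data  + (size_t)(y + j)      * cur->w  + x;
        const uint8_t *p = prev->data + (size_t)(y + dy + j) * prev->w + x + dx;
        for (int i = 0; i < BW; i++)
            sad += abs((int)c[i] - (int)p[i]);
    }
    return sad;
}

/* Full search over a (2*RANGE+1)^2 window. Out-of-bounds candidates are
 * skipped, not read. Stores the best vector and returns its SAD, or -1 if no
 * candidate was valid. */
long me_search(const frame_t *cur, const frame_t *prev, int x, int y,
               int *best_dx, int *best_dy)
{
    long best = -1;
    for (int dy = -RANGE; dy <= RANGE; dy++)
        for (int dx = -RANGE; dx <= RANGE; dx++) {
            long sad = block_cmp_checked(cur, prev, x, y, dx, dy);
            if (sad < 0) continue;            /* rejected candidate */
            if (best < 0 || sad < best) {
                best = sad; *best_dx = dx; *best_dy = dy;
            }
        }
    return best;
}

/* How many candidates in the window around (x, y) an unchecked search would
 * have read out of bounds. Purely arithmetic: nothing is dereferenced. */
int count_oob_candidates(const frame_t *f, int x, int y)
{
    int n = 0;
    for (int dy = -RANGE; dy <= RANGE; dy++)
        for (int dx = -RANGE; dx <= RANGE; dx++)
            if (!block_in_bounds(f, x + dx, y + dy)) n++;
    return n;
}

/* Constructed test frame: a gradient shifted right by `shift` pixels. */
static frame_t make_frame(int w, int h, int shift)
{
    frame_t f = { w, h, calloc((size_t)w * h, 1) };
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++)
            f.data[(size_t)y * w + x] = (uint8_t)((x - shift) * 7 + y * 3);
    return f;
}

/* Searches for the block at (8, 8) of cur (prev shifted right by 2 px) and
 * reports the best vector, its SAD, and how many window positions around the
 * corner block (0, 0) would have been out-of-bounds reads. */
long demo(int *dx, int *dy, int *oob)
{
    frame_t prev = make_frame(32, 32, 0), cur = make_frame(32, 32, 2);
    *oob = count_oob_candidates(&prev, 0, 0);
    long sad = me_search(&cur, &prev, 8, 8, dx, dy);
    free(prev.data);
    free(cur.data);
    return sad;
}

int main(void)
{
    int dx = 0, dy = 0, oob = 0;
    long sad = demo(&dx, &dy, &oob);
    printf("best vector (%d,%d) sad=%ld; %d of %d corner candidates rejected\n",
           dx, dy, sad, oob, (2 * RANGE + 1) * (2 * RANGE + 1));
    return 0;
}
```

The search for the interior block finds the true shift (-2, 0) with a SAD of 0, while for a block at the frame's top-left corner 56 of the 81 window positions are rejected by `block_in_bounds` instead of being read; under ASan an unchecked version of the same loop would report the first of those as a heap-buffer-overflow to the left of the region, as in the log above.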
Attachments (2)
Change History (10)
by , 5 years ago
Attachment: | gdb_log_7980 added |
---|---|
by , 5 years ago
comment:1 by , 5 years ago
Keywords: | avcodec added |
---|---|
comment:2 by , 5 years ago
Component: | ffmpeg → avcodec |
---|---|
Keywords: | zmbv ubsan added; Heap buffer overflow ASAN Null pointer avformat avcodec removed |
Priority: | critical → important |
comment:3 by , 5 years ago
Thanks for patching.
To check for a heap buffer overflow, the program needs to be compiled with clang-asan.
The ubsan option is for checking undefined behaviours.
So I think the asan option will reproduce the same log that I reported.
comment:4 by , 5 years ago
Keywords: | asan regression added |
---|---|
Reproduced by developer: | set |
Status: | new → open |
The buffer overflow is a regression since 0321370601833f4ae47e8e11c44570ea4bd382a4
```
$ ffmpeg -i tmp.webm -vcodec zmbv -f null -
ffmpeg version N-94148-g4877b5869e Copyright (c) 2000-2019 the FFmpeg developers
  built with gcc 9 (SUSE Linux)
  configuration: --toolchain=gcc-asan
  libavutil      56. 30.100 / 56. 30.100
  libavcodec     58. 53.101 / 58. 53.101
  libavformat    58. 28.101 / 58. 28.101
  libavdevice    58.  7.100 / 58.  7.100
  libavfilter     7. 55.100 /  7. 55.100
  libswscale      5.  4.101 /  5.  4.101
  libswresample   3.  4.100 /  3.  4.100
Input #0, matroska,webm, from 'tmp.webm':
  Metadata:
    encoder         : Lavf53.17.0
  Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
    Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf58.28.101
    Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc (default)
    Metadata:
      encoder         : Lavc58.53.101 zmbv
    Stream #0:1(eng): Audio: pcm_s16le, 48000 Hz, mono, s16, 768 kb/s (default)
    Metadata:
      encoder         : Lavc58.53.101 pcm_s16le
=================================================================
==24243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1cc348e7f0 at pc 0x000001fa74f1 bp 0x7fff41dee710 sp 0x7fff41dee708
READ of size 1 at 0x7f1cc348e7f0 thread T0
    #0 0x1fa74f0 in block_cmp src/libavcodec/zmbvenc.c:97
    #1 0x1fa871b in zmbv_me src/libavcodec/zmbvenc.c:153
    #2 0x1fa871b in encode_frame src/libavcodec/zmbvenc.c:242
    #3 0x104c9b5 in avcodec_encode_video2 src/libavcodec/encode.c:296
    #4 0x104d250 in do_encode src/libavcodec/encode.c:365
    #5 0x104d65a in avcodec_send_frame src/libavcodec/encode.c:414
    #6 0x5d9dfb in do_video_out src/fftools/ffmpeg.c:1287
    #7 0x5dc553 in reap_filters src/fftools/ffmpeg.c:1504
    #8 0x5ea71a in transcode_step src/fftools/ffmpeg.c:4648
    #9 0x5ea71a in transcode src/fftools/ffmpeg.c:4692
    #10 0x57df6b in main src/fftools/ffmpeg.c:4894
    #11 0x7f1cd3812bca in __libc_start_main (/lib64/libc.so.6+0x26bca)
    #12 0x592719 in _start (/mnt/sdb6/cehoyos/android/linux64/ffmpeg_g+0x592719)

0x7f1cc348e7f0 is located 16 bytes to the left of 763424-byte region [0x7f1cc348e800,0x7f1cc3548e20)
allocated by thread T0 here:
    #0 0x7f1cd40944a5 in __interceptor_posix_memalign (/usr/lib64/libasan.so.5+0x10b4a5)
    #1 0x29c4074 in av_malloc src/libavutil/mem.c:87
    #2 0x29c4074 in av_mallocz src/libavutil/mem.c:238

SUMMARY: AddressSanitizer: heap-buffer-overflow src/libavcodec/zmbvenc.c:97 in block_cmp
Shadow bytes around the buggy address:
  0x0fe418689ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe418689ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe418689cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0fe418689d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe418689d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==24243==ABORTING
```
comment:5 by , 5 years ago
Please confirm whether version 4.0.0 is impacted by the above vulnerability.
comment:6 by , 5 years ago
The zmbvenc bug has been fixed in def04022f4a7058f99e669bfd978d431d79aec18.
@kamasubb: Only the release 4.2 has been affected by this.
comment:7 by , 5 years ago
Resolution: | → fixed |
---|---|
Status: | open → closed |
The ubsan issue in the nut muxer was fixed by Michael in e4fdeb3fcefeb98f2225f7ccded156fb175959c5.
comment:8 by , 5 years ago
Keywords: | nut added |
---|---|
I only see the following error, patch sent: