Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#8093 closed defect (fixed)

Uninitialized use in h2645_parse

Reported by: bwang
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: yes

Description

This bug is found in git commit 434588596fef6bd2cef17f8c9c2979a010153edd.

To trigger the bug:
valgrind ./ffmpeg -threads 1 -i test-input -f null /dev/null

Part of the Valgrind output:
==11496==
==11496== Conditional jump or move depends on uninitialised value(s)
==11496== at 0xCB9804: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x6B141F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5FF30F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x60001F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5616B2: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x569744: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x275BE7: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x277682: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x26FC91: main (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496==
==11496== Conditional jump or move depends on uninitialised value(s)
==11496== at 0xCB98CA: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x6B141F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5FF30F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x60001F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5616B2: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x569744: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x275BE7: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x277682: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x26FC91: main (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496==

==11496==
==11496== HEAP SUMMARY:
==11496== in use at exit: 0 bytes in 0 blocks
==11496== total heap usage: 2,195 allocs, 2,195 frees, 1,924,470 bytes allocated
==11496==
==11496== All heap blocks were freed -- no leaks are possible
==11496==
==11496== For counts of detected and suppressed errors, rerun with: -v
==11496== Use --track-origins=yes to see where uninitialised values come from
==11496== ERROR SUMMARY: 4352 errors from 32 contexts (suppressed: 0 from 0)
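A small triage helper for memcheck logs like the one above, added here as an illustration and not part of the ticket or of FFmpeg: it groups each error block with its stack, pulls the ERROR SUMMARY counts, deduplicates by stack the way Valgrind's "contexts" count does, and flags blocks whose top frame is `???`, which means the binary carries no symbols and should be rebuilt with `-g` (and rerun with `--track-origins=yes`, as the log itself suggests) before the fault can be located in h2645_parse. The sample log is constructed from the ticket's output with shortened paths and trimmed stacks.

```python
import re
# Constructed sample shaped like the ticket's log (paths shortened, frames trimmed).
SAMPLE = """\
==11496==
==11496== Conditional jump or move depends on uninitialised value(s)
==11496==    at 0xCB9804: ??? (in /build/ffmpeg)
==11496==    by 0x26FC91: main (in /build/ffmpeg)
==11496==
==11496== Conditional jump or move depends on uninitialised value(s)
==11496==    at 0xCB98CA: ??? (in /build/ffmpeg)
==11496==    by 0x26FC91: main (in /build/ffmpeg)
==11496==
==11496== HEAP SUMMARY:
==11496==     in use at exit: 0 bytes in 0 blocks
==11496==
==11496== ERROR SUMMARY: 4352 errors from 32 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==(\d+)==\s?(.*)$")     # every memcheck line carries ==PID==
FRAME = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (.+?) \((?:in )?(.*)\)$")
SUMMARY = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")

def parse_memcheck(text):
    """Return (errors, (n_errors, n_contexts)); each error is {"kind", "frames"}."""
    errors, summary, current = [], None, None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue                               # program's own output, not valgrind's
        body = m.group(2).strip()
        if not body:
            current = None                         # bare ==PID== line closes the block
            continue
        s, f = SUMMARY.match(body), FRAME.match(body)
        if s:
            summary = (int(s.group(1)), int(s.group(2)))
        elif f and current is not None:
            current["frames"].append(f.groups())   # (address, symbol, location)
        elif not f:                                # any other message opens a block
            current = {"kind": body, "frames": []}
            errors.append(current)
    return [e for e in errors if e["frames"]], summary  # drops stackless HEAP SUMMARY "blocks"

def unique_contexts(errors):
    """Distinct stacks, the way valgrind's 'contexts' count deduplicates."""
    return {tuple(e["frames"]) for e in errors}

def needs_symbols(error):
    """Top frame is '???': rebuild with -g (and use --track-origins=yes) first."""
    return error["frames"][0][1] == "???"
```

Feed it the full log and the size of `unique_contexts` tells you how many distinct stacks actually need looking at, regardless of how many thousand times each fired.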

Attachments (1)

input.3497 (1.2 KB) - added by bwang 3 months ago.
PoC input to trigger the bug


Change History (4)

Changed 3 months ago by bwang

PoC input to trigger the bug

comment:1 Changed 3 months ago by jamrial

  • Analyzed by developer set
  • Component changed from undetermined to avcodec
  • Priority changed from normal to important
  • Reproduced by developer set
  • Status changed from new to open
  • Summary changed from Uninitialized use in ffmpeg to Uninitialized use in h2645_parse
  • Version changed from unspecified to git-master

comment:2 Changed 3 months ago by jamrial

  • Resolution set to fixed
  • Status changed from open to closed

comment:3 Changed 3 months ago by bwang

This bug is CVE-2019-15942.
