Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#8093 closed defect (fixed)

Uninitialized use in h2645_parse

Reported by: Bowen Wang
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: yes

Description

This bug is found in git commit 434588596fef6bd2cef17f8c9c2979a010153edd.

To trigger the bug:
valgrind ./ffmpeg -threads 1 -i test-input -f null /dev/null

Part of the Valgrind output:
==11496==
==11496== Conditional jump or move depends on uninitialised value(s)
==11496== at 0xCB9804: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x6B141F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5FF30F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x60001F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5616B2: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x569744: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x275BE7: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x277682: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x26FC91: main (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496==
==11496== Conditional jump or move depends on uninitialised value(s)
==11496== at 0xCB98CA: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x6B141F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5FF30F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x60001F: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x5616B2: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x569744: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x275BE7: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x277682: ??? (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496== by 0x26FC91: main (in /home/bwang/Bowen/gitrepo/aflpp-target/ffmpeg/ffmpeg-vanilla/ffmpeg)
==11496==

==11496==
==11496== HEAP SUMMARY:
==11496== in use at exit: 0 bytes in 0 blocks
==11496== total heap usage: 2,195 allocs, 2,195 frees, 1,924,470 bytes allocated
==11496==
==11496== All heap blocks were freed -- no leaks are possible
==11496==
==11496== For counts of detected and suppressed errors, rerun with: -v
==11496== Use --track-origins=yes to see where uninitialised values come from
==11496== ERROR SUMMARY: 4352 errors from 32 contexts (suppressed: 0 from 0)
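Two things a triager would do with the reporter's command, shown here as an added example that is not part of the ticket or of FFmpeg: re-run Valgrind with the --track-origins=yes the report itself recommends (plus --error-exitcode so a fuzzing harness can notice a finding) against a binary that still has debug symbols, since "???" in every frame is the usual sign of running the stripped ./ffmpeg instead of ./ffmpeg_g; and condense the Memcheck log, which counts every dynamic occurrence (4352 errors from 32 contexts above), to one line per distinct error site so the h2645_parse frames can be found. Running from an FFmpeg build tree, the ./ffmpeg_g path and the PoC file name are assumptions; the sample log fed to the summarizer is constructed from lines of the report above. Keep -threads 1 as the reporter did so the report stays deterministic between runs.

```shell
#!/bin/sh
# Added example, not part of ticket #8093 or of FFmpeg.
set -eu

# Re-run the reporter's command the way a triager would: origin tracking so
# Memcheck names the allocation or stack frame the uninitialised bytes came
# from, a distinctive exit code so a harness can detect findings, and the
# unstripped binary so frames resolve to function names instead of "???".
# Assumption: this runs from an FFmpeg build tree, where ./ffmpeg_g carries
# debug info and ./ffmpeg is the stripped copy.
repro() {
    poc=$1                                  # e.g. the attached input.3497
    valgrind --tool=memcheck --track-origins=yes --error-exitcode=99 \
        --num-callers=16 \
        ./ffmpeg_g -threads 1 -i "$poc" -f null /dev/null
}

# Condense a Memcheck log read from stdin to one line per distinct error site:
#   <count> <kind> <top frame>
# Memcheck reports every dynamic occurrence; grouping by the first frame of
# each stack turns "N errors from M contexts" into M lines to look at.
summarize() {
    awk '
        /Conditional jump or move depends on uninitialised/ { kind = "cond-jump";  want = 1; next }
        /Use of uninitialised value/                        { kind = "uninit-use"; want = 1; next }
        want && /^==[0-9]+==[[:space:]]+at 0x/ {
            sub(/^==[0-9]+==[[:space:]]+at /, "")
            hits[kind " " $0]++
            want = 0
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -rn
}

# Constructed input for a stand-alone run: three errors at two sites, with the
# frame lines shortened from the report in the ticket.
sample_log() {
    printf '%s\n' \
        '==11496== Conditional jump or move depends on uninitialised value(s)' \
        '==11496==    at 0xCB9804: ??? (in ./ffmpeg)' \
        '==11496==    by 0x6B141F: ??? (in ./ffmpeg)' \
        '==11496==' \
        '==11496== Conditional jump or move depends on uninitialised value(s)' \
        '==11496==    at 0xCB98CA: ??? (in ./ffmpeg)' \
        '==11496==    by 0x6B141F: ??? (in ./ffmpeg)' \
        '==11496==' \
        '==11496== Conditional jump or move depends on uninitialised value(s)' \
        '==11496==    at 0xCB9804: ??? (in ./ffmpeg)'
}

# On the constructed log this prints the 0xCB9804 site with a count of 2 and
# the 0xCB98CA site with a count of 1. For a real run: repro input.3497 2>&1 | summarize
sample_log | summarize
```

With symbols present the top frame reads as a function name and source line in libavcodec/h2645_parse.c, and the "Uninitialised value was created by" block that --track-origins adds points at the buffer the bytes came from, which is the first thing to check against the fix.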

Attachments (1)

input.3497 (1.2 KB) - added by Bowen Wang 2 years ago.
PoC input to trigger the bug


Change History (4)

by Bowen Wang, 2 years ago

Attachment: input.3497 added

PoC input to trigger the bug

comment:1 by James, 2 years ago

Analyzed by developer: set
Component: undetermined → avcodec
Priority: normal → important
Reproduced by developer: set
Status: new → open
Summary: Uninitialized use in ffmpeg → Uninitialized use in h2645_parse
Version: unspecified → git-master

comment:2 by James, 2 years ago

Resolution: fixed
Status: open → closed

comment:3 by Bowen Wang, 2 years ago

This bug is CVE-2019-15942.
