Opened 5 years ago
Closed 5 years ago
#8249 closed defect (fixed)
stack-buffer-overflow at libavfilter/vf_signalstats.c:634
Reported by: | Suhwan | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | undetermined |
Version: | git-master | Keywords: | asan |
Cc: | Blocked By: | ||
Blocking: | Reproduced by developer: | no | |
Analyzed by developer: | no |
Description
Summary of the bug:
There is a stack-buffer-overflow at libavfilter/vf_signalstats.c:634 in filter_frame8
I compiled ffmpeg with "--toolchain=clang-asan" to check the heap buffer overflow and attached log file.
How to reproduce:
% ffmpeg_g -t 1 -stream_loop 7 -y -r 120 -i $PoC -filter_complex signalstats -target dvd -loglevel 99 -c:a:112 y41p -c:v:143 vorbis -disposition:s:2 pcm_s8_planar -disposition:v:61 prores_aw -r 44 -ab 633k -strict 3 tmp.aac ffmpeg version N-95314-g1331e00179 Copyright (c) 2000-2019 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
Here's ASAN log
================================================================= ==14934==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa020 at pc 0x000001294ae2 bp 0x7fffffff8c10 sp 0x7fffffff8c08 READ of size 4 at 0x7fffffffa020 thread T0 #0 0x1294ae1 in filter_frame8 ffmpeg/libavfilter/vf_signalstats.c:634:42 #1 0x827289 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1071:11 #2 0x827289 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430 #3 0x870182 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15 #4 0x870182 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261 #5 0x86ebc2 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16 #6 0x666867 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2196:11 #7 0x666867 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2270 #8 0x6075f7 in decode_video ffmpeg/fftools/ffmpeg.c:2469:11 #9 0x6075f7 in process_input_packet ffmpeg/fftools/ffmpeg.c:2623 #10 0x64ab67 in process_input ffmpeg/fftools/ffmpeg.c:4518:5 #11 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4638:11 #12 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4692 #13 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4894:9 #14 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #15 0x41def9 in _start (ffmpeg/ffmpeg_g+0x41def9) Address 0x7fffffffa020 is located in stack of thread T0 at offset 5120 in frame #0 0x128d7ef in filter_frame8 ffmpeg/libavfilter/vf_signalstats.c:550 This frame has 11 object(s): [32, 40) 'in.addr' [64, 192) 'metabuf' (line 559) [224, 1248) 'histy' (line 560) [1376, 2400) 'histu' (line 560) [2528, 3552) 'histv' (line 560) [3680, 5120) 'histhue' (line 560) <== Memory access at offset 5120 overflows this variable [5248, 6272) 'histsat' (line 560) [6400, 6412) 'filtot' (line 579) [6432, 6456) 'td_huesat' (line 588) [6496, 6512) 'td' (line 644) [6528, 6656) 'metaname' (line 755) HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow ffmpeg/libavfilter/vf_signalstats.c:634:42 in filter_frame8
Please confirm.
Thanks
Attachments (2)
Change History (3)
by , 5 years ago
Attachment: | gdb-vf_signalstats_634 added |
---|
by , 5 years ago
Attachment: | PoC_vf_signalstats_634.jpg added |
---|
comment:1 by , 5 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
poc