Opened 5 years ago
Closed 5 years ago
#8249 closed defect (fixed)
stack-buffer-overflow at libavfilter/vf_signalstats.c:634
| Reported by: | Suhwan | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | git-master | Keywords: | asan |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
There is a stack-buffer-overflow at libavfilter/vf_signalstats.c:634 in filter_frame8
I compiled ffmpeg with "--toolchain=clang-asan" to check the heap buffer overflow and attached log file.
How to reproduce:
% ffmpeg_g -t 1 -stream_loop 7 -y -r 120 -i $PoC -filter_complex signalstats -target dvd -loglevel 99 -c:a:112 y41p -c:v:143 vorbis -disposition:s:2 pcm_s8_planar -disposition:v:61 prores_aw -r 44 -ab 633k -strict 3 tmp.aac ffmpeg version N-95314-g1331e00179 Copyright (c) 2000-2019 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
Here's ASAN log
=================================================================
==14934==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa020 at pc 0x000001294ae2 bp 0x7fffffff8c10 sp 0x7fffffff8c08
READ of size 4 at 0x7fffffffa020 thread T0
#0 0x1294ae1 in filter_frame8 ffmpeg/libavfilter/vf_signalstats.c:634:42
#1 0x827289 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1071:11
#2 0x827289 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430
#3 0x870182 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
#4 0x870182 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261
#5 0x86ebc2 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16
#6 0x666867 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2196:11
#7 0x666867 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2270
#8 0x6075f7 in decode_video ffmpeg/fftools/ffmpeg.c:2469:11
#9 0x6075f7 in process_input_packet ffmpeg/fftools/ffmpeg.c:2623
#10 0x64ab67 in process_input ffmpeg/fftools/ffmpeg.c:4518:5
#11 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4638:11
#12 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4692
#13 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4894:9
#14 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41def9 in _start (ffmpeg/ffmpeg_g+0x41def9)
Address 0x7fffffffa020 is located in stack of thread T0 at offset 5120 in frame
#0 0x128d7ef in filter_frame8 ffmpeg/libavfilter/vf_signalstats.c:550
This frame has 11 object(s):
[32, 40) 'in.addr'
[64, 192) 'metabuf' (line 559)
[224, 1248) 'histy' (line 560)
[1376, 2400) 'histu' (line 560)
[2528, 3552) 'histv' (line 560)
[3680, 5120) 'histhue' (line 560) <== Memory access at offset 5120 overflows this variable
[5248, 6272) 'histsat' (line 560)
[6400, 6412) 'filtot' (line 579)
[6432, 6456) 'td_huesat' (line 588)
[6496, 6512) 'td' (line 644)
[6528, 6656) 'metaname' (line 755)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ffmpeg/libavfilter/vf_signalstats.c:634:42 in filter_frame8
Please confirm.
Thanks
Attachments (2)
Change History (3)
by , 5 years ago
| Attachment: | gdb-vf_signalstats_634 added |
|---|
by , 5 years ago
| Attachment: | PoC_vf_signalstats_634.jpg added |
|---|
comment:1 by , 5 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
poc