Opened 2 years ago

Closed 2 years ago

#8249 closed defect (fixed)

stack-buffer-overflow at libavfilter/vf_signalstats.c:634

Reported by: Suhwan Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords: asan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There is a stack-buffer-overflow at libavfilter/vf_signalstats.c:634 in filter_frame8
I compiled ffmpeg with "--toolchain=clang-asan" to check the heap buffer overflow and attached log file.

How to reproduce:

% ffmpeg_g -t 1 -stream_loop 7 -y -r 120 -i $PoC -filter_complex signalstats -target dvd -loglevel 99 -c:a:112 y41p -c:v:143 vorbis -disposition:s:2 pcm_s8_planar -disposition:v:61 prores_aw -r 44 -ab 633k -strict 3 tmp.aac

ffmpeg version N-95314-g1331e00179 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan

Here's ASAN log

=================================================================
==14934==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa020 at pc 0x000001294ae2 bp 0x7fffffff8c10 sp 0x7fffffff8c08
READ of size 4 at 0x7fffffffa020 thread T0
    #0 0x1294ae1 in filter_frame8 ffmpeg/libavfilter/vf_signalstats.c:634:42
    #1 0x827289 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1071:11
    #2 0x827289 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430
    #3 0x870182 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #4 0x870182 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261
    #5 0x86ebc2 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #6 0x666867 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2196:11
    #7 0x666867 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2270
    #8 0x6075f7 in decode_video ffmpeg/fftools/ffmpeg.c:2469:11
    #9 0x6075f7 in process_input_packet ffmpeg/fftools/ffmpeg.c:2623
    #10 0x64ab67 in process_input ffmpeg/fftools/ffmpeg.c:4518:5
    #11 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4638:11
    #12 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4692
    #13 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4894:9
    #14 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41def9 in _start (ffmpeg/ffmpeg_g+0x41def9)

Address 0x7fffffffa020 is located in stack of thread T0 at offset 5120 in frame
    #0 0x128d7ef in filter_frame8 ffmpeg/libavfilter/vf_signalstats.c:550

  This frame has 11 object(s):
    [32, 40) 'in.addr'
    [64, 192) 'metabuf' (line 559)
    [224, 1248) 'histy' (line 560)
    [1376, 2400) 'histu' (line 560)
    [2528, 3552) 'histv' (line 560)
    [3680, 5120) 'histhue' (line 560) <== Memory access at offset 5120 overflows this variable
    [5248, 6272) 'histsat' (line 560)
    [6400, 6412) 'filtot' (line 579)
    [6432, 6456) 'td_huesat' (line 588)
    [6496, 6512) 'td' (line 644)
    [6528, 6656) 'metaname' (line 755)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ffmpeg/libavfilter/vf_signalstats.c:634:42 in filter_frame8

Please confirm.
Thanks

Attachments (2)

gdb-vf_signalstats_634 (18.6 KB ) - added by Suhwan 2 years ago.
PoC_vf_signalstats_634.jpg (134.8 KB ) - added by Suhwan 2 years ago.
poc

Download all attachments as: .zip

Change History (3)

by Suhwan, 2 years ago

Attachment: gdb-vf_signalstats_634 added

by Suhwan, 2 years ago

Attachment: PoC_vf_signalstats_634.jpg added

poc

comment:1 by Elon Musk, 2 years ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.