Opened 5 years ago

Closed 5 years ago

#8260 closed defect (fixed)

heap-buffer-overflow at libavfilter/vf_edgedetect.c:153

Reported by: Suhwan Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords: asan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no


Summary of the bug:
There is a heap-buffer-overflow at libavfilter/vf_edgedetect.c:153 in gaussian_blur.

I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached log file.
How to reproduce:

% ffmpeg_g -y -i $PoC -filter_complex edgedetect -target dvd -loglevel 99 tmp.u32le

ffmpeg version N-95336-g4f4334bcbc Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan

Here's ASAN log

==24040==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60900000b681 at pc 0x0000004dcadc bp 0x7fffffffa750 sp 0x7fffffff9f00
WRITE of size 1 at 0x60900000b681 thread T0
    #0 0x4dcadb in __asan_memcpy (ffmpeg_asan+0x4dcadb)
    #1 0xcd16cd in gaussian_blur ffmpeg/libavfilter/vf_edgedetect.c:153:5
    #2 0xcd16cd in filter_frame ffmpeg/libavfilter/vf_edgedetect.c:359
    #3 0x826e29 in ff_filter_activate_default ffmpeg/libavfilter/avfilter.c:1071:11
    #4 0x826e29 in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1430
    #5 0x86fd22 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #6 0x86fd22 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261
    #7 0x86e762 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #8 0x666407 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #9 0x666407 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260
    #10 0x607666 in decode_video ffmpeg/fftools/ffmpeg.c:2459:11
    #11 0x607666 in process_input_packet ffmpeg/fftools/ffmpeg.c:2613
    #12 0x644c58 in process_input ffmpeg/fftools/ffmpeg.c:4303:23
    #13 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11
    #14 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #15 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #16 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41def9 in _start (ffmpeg_asan+0x41def9)

0x60900000b681 is located 0 bytes to the right of 1-byte region [0x60900000b680,0x60900000b681)
allocated by thread T0 here:
    #0 0x4de9e8 in posix_memalign (ffmpeg_asan+0x4de9e8)
    #1 0x8598211 in av_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0xcdc71c in config_props ffmpeg/libavfilter/vf_edgedetect.c:137:29

SUMMARY: AddressSanitizer: heap-buffer-overflow (ffmpeg_asan+0x4dcadb) in __asan_memcpy

Please confirm.

Attachments (2)

log_vf_edgedetect_153 (13.3 KB ) - added by Suhwan 5 years ago.
PoC-vf_edgedetect_153.png32 (311 bytes ) - added by Suhwan 5 years ago.

Download all attachments as: .zip

Change History (3)

by Suhwan, 5 years ago

Attachment: log_vf_edgedetect_153 added

by Suhwan, 5 years ago

Attachment: PoC-vf_edgedetect_153.png32 added


comment:1 by Elon Musk, 5 years ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.