Opened 5 years ago
Closed 5 years ago
#8276 closed defect (fixed)
heap-buffer-overflow at libavfilter/af_afade.c:436:1 in crossfade_samples_fltp
Reported by: | Suhwan | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | undetermined |
Version: | git-master | Keywords: | asan |
Cc: | Blocked By: | ||
Blocking: | Reproduced by developer: | no | |
Analyzed by developer: | no |
Description
Summary of the bug:
There is a heap-buffer-overflow at libavfilter/af_afade.c:436:1 in crossfade_samples_fltp
I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached log file.
How to reproduce:
% ffmpeg_g -y -i $PoC1 -i $PoC2 -filter_complex acrossfade tmp.tta ffmpeg version N-95382-g62f4722582 Copyright (c) 2000-2019 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
Here's ASAN log
==30297==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fffd8445800 at pc 0x0000016a73a2 bp 0x7fffffffa6a0 sp 0x7fffffffa698 READ of size 4 at 0x7fffd8445800 thread T0 #0 0x16a73a1 in crossfade_samples_fltp ffmpeg/libavfilter/af_afade.c:436:1 #1 0x169963c in activate ffmpeg/libavfilter/af_afade.c:504:13 #2 0x824c3e in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1442:38 #3 0x8700b2 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15 #4 0x8700b2 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261 #5 0x86eaf2 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16 #6 0x666407 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2186:11 #7 0x666407 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260 #8 0x605543 in decode_audio ffmpeg/fftools/ffmpeg.c:2327:11 #9 0x605543 in process_input_packet ffmpeg/fftools/ffmpeg.c:2609 #10 0x64a707 in process_input ffmpeg/fftools/ffmpeg.c:4508:5 #11 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11 #12 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682 #13 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9 #14 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #15 0x41def9 in _start (ffmpeg_asan+0x41def9) 0x7fffd8445800 is located 0 bytes to the right of 159744-byte region [0x7fffd841e800,0x7fffd8445800) allocated by thread T0 here: #0 0x4de9e8 in posix_memalign (ffmpeg_asan+0x4de9e8) #1 0x85924d1 in av_malloc ffmpeg/libavutil/mem.c:87:9 #2 0x84f927d in av_buffer_alloc ffmpeg/libavutil/buffer.c:72:12 #3 0x84fdc26 in pool_alloc_buffer ffmpeg/libavutil/buffer.c:313:26 #4 0x84fdc26 in av_buffer_pool_get ffmpeg/libavutil/buffer.c:349 #5 0x91c368 in ff_frame_pool_get ffmpeg/libavfilter/framepool.c:261:29 #6 0x6e2d4c in ff_default_get_audio_buffer ffmpeg/libavfilter/audio.c:73:13 #7 0x82a406 in ff_inlink_consume_samples ffmpeg/libavfilter/avfilter.c:1181:11 #8 0x1699080 in activate ffmpeg/libavfilter/af_afade.c:492:19 #9 0x824c3e in ff_filter_activate ffmpeg/libavfilter/avfilter.c:1442:38 #10 0x8700b2 in push_frame ffmpeg/libavfilter/buffersrc.c:187:15 #11 0x8700b2 in av_buffersrc_add_frame_internal ffmpeg/libavfilter/buffersrc.c:261 #12 0x86eaf2 in av_buffersrc_add_frame_flags ffmpeg/libavfilter/buffersrc.c:170:16 #13 0x666407 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2186:11 #14 0x666407 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260 #15 0x605543 in decode_audio ffmpeg/fftools/ffmpeg.c:2327:11 #16 0x605543 in process_input_packet ffmpeg/fftools/ffmpeg.c:2609 #17 0x64a707 in process_input ffmpeg/fftools/ffmpeg.c:4508:5 #18 0x5e7157 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11 #19 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682 #20 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9 #21 0x7ffff5c93b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavfilter/af_afade.c:436:1 in crossfade_samples_fltp Shadow bytes around the buggy address: 0x10007b080ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b080ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b080ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b080ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b080af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007b080b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007b080b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007b080b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007b080b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007b080b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007b080b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==30297==ABORTING
Please confirm.
Thanks
Attachments (2)
Change History (3)
by , 5 years ago
Attachment: | PoC1_af_afade_436.vob added |
---|
comment:1 by , 5 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
poc1