Opened 5 years ago
Closed 5 years ago
#8317 closed defect (fixed)
heap-buffer-overflow at libavfilter/af_tremolo.c:135
Reported by: | Suhwan | Owned by: | |
---|---|---|---|
Priority: | important | Component: | undetermined |
Version: | git-master | Keywords: | asan |
Cc: | Blocked By: | ||
Blocking: | Reproduced by developer: | no | |
Analyzed by developer: | no |
Description
Summary of the bug:
There is a heap-buffer-overflow at libavfilter/af_tremolo.c:135 in config_input()
I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached log file.
How to reproduce:
% ffmpeg_g -y -i $PoC_1 -i $PoC_2 -filter_complex tremolo -target dv tmp.vividas ffmpeg version N-95464-g7056ddc0e0 Copyright (c) 2000-2019 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan
Here's ASAN log
================================================================= ==20332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004770 at pc 0x000001a389f8 bp 0x7ffde8aa1540 sp 0x7ffde8aa1538 WRITE of size 8 at 0x629000004770 thread T0 #0 0x1a389f7 in config_input ffmpeg/libavfilter/af_tremolo.c:135:21 #1 0x812da0 in avfilter_config_links ffmpeg/libavfilter/avfilter.c:369:28 #2 0x811dae in avfilter_config_links ffmpeg/libavfilter/avfilter.c:307:24 #3 0x811dae in avfilter_config_links ffmpeg/libavfilter/avfilter.c:307:24 #4 0x811dae in avfilter_config_links ffmpeg/libavfilter/avfilter.c:307:24 #5 0x839be2 in graph_config_links ffmpeg/libavfilter/avfiltergraph.c:261:24 #6 0x839be2 in avfilter_graph_config ffmpeg/libavfilter/avfiltergraph.c:1279 #7 0x598d73 in configure_filtergraph ffmpeg/fftools/ffmpeg_filter.c:1109:16 #8 0x6662d7 in ifilter_send_frame ffmpeg/fftools/ffmpeg.c:2179:15 #9 0x6662d7 in send_frame_to_filters ffmpeg/fftools/ffmpeg.c:2260 #10 0x6055a3 in decode_audio ffmpeg/fftools/ffmpeg.c:2327:11 #11 0x6055a3 in process_input_packet ffmpeg/fftools/ffmpeg.c:2609 #12 0x64a767 in process_input ffmpeg/fftools/ffmpeg.c:4508:5 #13 0x5e71b7 in transcode_step ffmpeg/fftools/ffmpeg.c:4628:11 #14 0x5e71b7 in transcode ffmpeg/fftools/ffmpeg.c:4682 #15 0x5db6bb in main ffmpeg/fftools/ffmpeg.c:4884:9 #16 0x7feb27859b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #17 0x41def9 in _start (ffmpeg_g+0x41def9) 0x629000004770 is located 0 bytes to the right of 17776-byte region [0x629000000200,0x629000004770) allocated by thread T0 here: #0 0x4de9e8 in posix_memalign (ffmpeg_g+0x4de9e8) #1 0x85c6559 in av_malloc ffmpeg/libavutil/mem.c:87:9 #2 0x85c6559 in av_malloc_array ffmpeg/libavutil/mem.c:188 #3 0x1a382ff in config_input ffmpeg/libavfilter/af_tremolo.c:128:16 SUMMARY: AddressSanitizer: heap-buffer-overflow ffmpeg/libavfilter/af_tremolo.c:135:21 in config_input Shadow bytes around the buggy address: 0x0c527fff8890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff88a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff88b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff88c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c527fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c527fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa 0x0c527fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c527fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==20332==ABORTING
Please confirm.
Thanks
Attachments (2)
Change History (3)
by , 5 years ago
comment:1 by , 5 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
poc1