Opened 4 years ago
Closed 2 years ago
#8486 closed defect (fixed)
UBSan: int overflow in avidec.c
| Reported by: | andreafioraldi | Owned by: | |
|---|---|---|---|
| Priority: | minor | Component: | avformat |
| Version: | git-master | Keywords: | avi ubsan |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | yes | |
| Analyzed by developer: | no |
Description (last modified by )
Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
Output:
ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
libavutil 56. 31.100 / 56. 31.100
libavcodec 58. 54.100 / 58. 54.100
libavformat 58. 29.100 / 58. 29.100
libavdevice 58. 8.100 / 58. 8.100
libavfilter 7. 57.100 / 7. 57.100
libswscale 5. 5.100 / 5. 5.100
libswresample 3. 5.100 / 3. 5.100
Trailing options were found on the commandline.
libavformat/avidec.c:846:44: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
[avi @ 0x902f600] Something went wrong during header parsing, tag [0][0][0][0] has size 1314212352, I will ignore it and try to continue anyway.
[NULL @ 0x9031140] [IMGUTILS @ 0x7fffffffcfc8] Picture size 1426063360x2147483648 is invalid
[avi @ 0x902f600] Failed to open codec in avformat_find_stream_info
[rawvideo @ 0x9031140] Invalid pixel format.
[avi @ 0x902f600] Failed to open codec in avformat_find_stream_info
[avi @ 0x902f600] Could not find codec parameters for stream 0 (Video: rawvideo, none): unspecified size
Consider increasing the value for the 'analyzeduration' and 'probesize' options
Input #0, avi, from './ffmpeg_ubsan_out/f1/crashes/id:000072,sig:04,src:002134,time:5783265,op:havoc,rep:2':
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0:0: Video: rawvideo, none, 100 fps, 100 tbr, 100 tbn, 100 tbc
At least one output file must be specified
The problem is here:
st->codecpar->height = FFABS(st->codecpar->height);
The FFABS result in 0x80000000 that is a negative number.
As you can see in the warning after the UBSan violation this results in a large size in images, not sure if this can be used to attack the application when st->codecpar->height is used in relation to controlled buffers.
I attach a minimal file to reproduce the issue in base64:
UklGRi4WAP9BVkkgTElTVOwRAABoZHJsYXZpaDgAAAAQJwAAqGEAAP////IQCQAAAAAAAAAAAAABAAAAAAAQAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAExJU1SUEAAAc3RybHN0cmg4AAAAdmlkc0ZNUDQAAAAAAAAAAAAAAAABAAAAZAAAAAAAAAAAAAAAAAAAAP////8AAAAAAAAAAAEAAQBzdHJmKAAAACgAAAAAAABVAAAAgAAAAAAAAAAAAE5LGBAAAAQAAQAAAAEAGABGTVA0AwAAAAAAAAAAAAAAAAAAAAAAAABKVU5LGBAAAAQAgAAAAAAAMDBkYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgXAIV3d3d3d3d3Zm9mgGZmZmaCZmYAABQAAAAiAQAAAA9VBecAF7UAd3d3d3d3d3d3d3d3d3dsaFf/AAAAd3d3EAAAAA4AAAAABv///4BXkHU2//b5Df/wAAD//vYAABIAfwB/HwMA5GQAAID/APo=
Attachments (1)
Change History (3)
comment:1 by , 4 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | avi added |
| Priority: | important → minor |
| Reproduced by developer: | set |
| Status: | new → open |
| Version: | 4.2 → git-master |
by , 4 years ago
comment:2 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | open → closed |
Note:
See TracTickets
for help on using tickets.
Fixed in ec8ff659f57786c4cb089b07dfeab7e5cbab8d52.