Opened 4 years ago

Closed 4 years ago

#8672 closed defect (duplicate)

UAF while parsing m3u8 files ( in av_probe_input_format3)

Reported by: Assaf Sion Owned by:
Priority: important Component: avformat
Version: git-master Keywords:
Cc: assafsion@gmaiil.com Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

While trying to parse a crafted m3u8 playlist file:
ffmpeg -i input_file

ffmpeg version N-97763-g353aecbb28 Copyright (c) 2000-2020 the FFmpeg developers

built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --extra-cflags='-O2 -g3 -fsanitize=address -fno-omit-frame-pointer -Wno-error' --extra-ldflags='-O2 -g3 -fsanitize=address -fno-omit-frame-pointer -Wno-error' --enable-debug --prefix=/home/cyber/VulnResearch/ffmpeg/clean/out_2
libavutil 56. 45.100 / 56. 45.100
libavcodec 58. 84.100 / 58. 84.100
libavformat 58. 43.100 / 58. 43.100
libavdevice 58. 9.103 / 58. 9.103
libavfilter 7. 80.100 / 7. 80.100
libswscale 5. 6.101 / 5. 6.101
libswresample 3. 6.100 / 3. 6.100

Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument './bug.m3u8'.
Reading option 'out.avi' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url ./bug.m3u8.
Successfully parsed a group of options.
Opening an input file: ./bug.m3u8.
[NULL @ 0x61b000000080] Opening './bug.m3u8' for reading
[file @ 0x610000000040] Setting default whitelist 'file,crypto,data'
Probing hls score:100 size:112
[hls @ 0x61b000000080] Format hls probed with size=2048 and score=100
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[hls @ 0x61b000000080] new_program: id=0x0000
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000000200] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] HLS request for url './au_to0.ts', offset 0, playlist 0
[hls @ 0x61b000000080] Opening './au_to0.ts' for reading
[hls @ 0x61b000000080] Failed to open segment 0 of playlist 0
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x6130000003c0] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000000580] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000000740] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000000900] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000000ac0] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000000c80] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000000e40] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000001000] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x6130000011c0] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000001380] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000001540] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x613000001700] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x6130000018c0] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
(snippet)
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x61300001f300] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x61300001f4c0] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x61300001f680] Statistics: 112 bytes read, 0 seeks
[hls @ 0x61b000000080] Opening './bug.m3u8' for reading
[hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
[hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION�� #EXT-X-MEDIA-SEQUENCE:0')
[AVIOContext @ 0x61300001f840] Statistics: 112 bytes read, 0 seeks
=================================================================
==123139==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000510 at pc 0x00000047dba8 bp 0x7fff6d502d10 sp 0x7fff6d5024c0
READ of size 2 at 0x602000000510 thread T0

#0 0x47dba7 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x47dba7)
#1 0xcb7da4 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcb7da4)
#2 0xcb87e8 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcb87e8)
#3 0xcb8a75 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcb8a75)
#4 0xcd4655 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcd4655)
#5 0xf7a27b (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xf7a27b)
#6 0x51a007 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x51a007)
#7 0x518e06 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518e06)
#8 0x518855 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518855)
#9 0x55799f in main (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x55799f)
#10 0x7f02af8c6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x420009 in _init (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x420009)

0x602000000510 is located 0 bytes inside of 12-byte region [0x602000000510,0x60200000051c)
freed by thread T0 here:

#0 0x4dfcf0 in __interceptor_free (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x4dfcf0)
#1 0xcdb258 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcdb258)
#2 0xcdcb4c (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcdcb4c)
#3 0xc41d25 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xc41d25)

previously allocated by thread T0 here:

#0 0x4e0340 in __interceptor_realloc (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x4e0340)
#1 0x394dee8 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x394dee8)
#2 0xcd34b2 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcd34b2)
#3 0xf7a27b (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xf7a27b)
#4 0x51a007 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x51a007)
#5 0x518e06 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518e06)
#6 0x518855 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518855)
#7 0x55799f in main (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x55799f)
#8 0x7f02af8c6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x47dba7)

==123139==ABORTING

This happens inside av_probe_input_format3 while accessing the pointer lpd.filename at line 168 (format.c). During the call to parse_playlist you free this pointer (hls.c:949, a call to free_segment_dynarray).
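The ownership mistake the ticket describes, modelled as an added C example (hypothetical code, not FFmpeg's): a segment array owns its url strings, a reload frees them through free_segment_dynarray, and the probe step must take its own copy of the name before that reload instead of borrowing a pointer into the array. All struct and function names below are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

struct segment { char *url; };

/* Hypothetical playlist: the segment array owns every url string. */
struct playlist {
    struct segment **segments;
    int n_segments;
};

/* Mirrors the free the ticket names: after this, every url pointer is dead. */
static void free_segment_dynarray(struct playlist *pls)
{
    for (int i = 0; i < pls->n_segments; i++) {
        free(pls->segments[i]->url);
        free(pls->segments[i]);
    }
    free(pls->segments);
    pls->segments = NULL;
    pls->n_segments = 0;
}

static int add_segment(struct playlist *pls, const char *url)
{
    struct segment *seg = calloc(1, sizeof(*seg));
    struct segment **grown;
    if (!seg || !(seg->url = strdup(url))) { free(seg); return -1; }
    grown = realloc(pls->segments, (pls->n_segments + 1) * sizeof(*grown));
    if (!grown) { free(seg->url); free(seg); return -1; }
    pls->segments = grown;
    pls->segments[pls->n_segments++] = seg;
    return 0;
}

/* Stand-in for a playlist reload: old segments are freed, new ones parsed. */
static int reload_playlist(struct playlist *pls, const char *url)
{
    free_segment_dynarray(pls);
    return add_segment(pls, url);
}

/* Safe pattern: copy the name before anything that may reload the playlist.
 * A borrowed pls->segments[idx]->url would dangle after reload_playlist(),
 * which is the read ASan flagged in the ticket. Returns 1 if the probed
 * name ends in ".ts", 0 otherwise, -1 on allocation failure. */
static int probe_segment_safely(struct playlist *pls, int idx, const char *reload_url)
{
    char *owned = strdup(pls->segments[idx]->url);   /* owned copy, not a borrow */
    int ok;
    if (!owned) return -1;
    reload_playlist(pls, reload_url);                /* frees the original url here */
    ok = strlen(owned) > 3 && strcmp(owned + strlen(owned) - 3, ".ts") == 0;
    free(owned);
    return ok;
}
```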

Change History (1)

comment:1 by Assaf Sion, 4 years ago

Resolution: duplicate
Status: new → closed