Opened 4 years ago

Closed 4 years ago

#8869 closed defect (invalid)

heap-use-after-free in ffmpeg

Reported by: fstark Owned by:
Priority: normal Component: avcodec
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug: heap-use-after-free in ffmpeg
How to reproduce:

%  ./ffmpeg -y -i ./id\:000020\,sig\:06\,src\:005184+005692\,time\:243850025\,op\:splice\,rep\:4 -f null -
ffmpeg version github-master
built on ...clang++ asan

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
test@test:~/ffmpeg/afl$ ./ffmpeg -y -i ./id\:000020\,sig\:06\,src\:005184+005692\,time\:243850025\,op\:splice\,rep\:4 -f null -
ffmpeg version N-98785-g412d63fe72 Copyright (c) 2000-2020 the FFmpeg developers

built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --enable-static
libavutil 56. 58.100 / 56. 58.100
libavcodec 58.100.100 / 58.100.100
libavformat 58. 51.100 / 58. 51.100
libavdevice 58. 11.101 / 58. 11.101
libavfilter 7. 87.100 / 7. 87.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100

[aac @ 0x619000000580] Multiple frames in a packet.
[aac @ 0x619000000580] Too large remapped id is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x619000000580] If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
[aac @ 0x619000000580] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000000580] Number of bands (7) exceeds limit (4).
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from './id:000020,sig:06,src:005184+005692,time:243850025,op:splice,rep:4':

Metadata:

major_brand : isom
minor_version : 1769172786
compatible_brands: av
creation_time : 2004-09-21T16:20:31.000000Z

Duration: 00:00:05.90, start: 0.000000, bitrate: 124 kb/s

Stream #0:0(unb): Audio: aac (mp4a / 0x6134706D), 33728 Hz, 39 channels, fltp, 121 kb/s (default)
Metadata:

creation_time : 2004-09-21T16:20:31.000000Z
handler_name : soun

Stream mapping:

Stream #0:0 -> #0:0 (aac (native) -> pcm_s16le (native))

Press [q] to stop, ? for help
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] channel element 0.4 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 1.3 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Multiple frames in a packet.
[aac @ 0x619000002880] Error decoding AAC frame header.
Error while decoding stream #0:0: Error number -50531338 occurred
[aac @ 0x619000002880] channel element 2.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 2.6 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 2.4 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 2.12 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Too large remapped id is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x619000002880] If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of scalefactor bands in group (58) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Number of bands (52) exceeds limit (49).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.5 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (39) exceeds limit (36).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (52) exceeds limit (46).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.10 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.8 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.3 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.3 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Gain control is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x619000002880] channel element 3.2 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of scalefactor bands in group (53) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (5) exceeds limit (3).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.4 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of scalefactor bands in group (53) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (11) exceeds limit (6).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (22) exceeds limit (2).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Number of bands (7) exceeds limit (4).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.3 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (28) exceeds limit (2).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (10) exceeds limit (7).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.4 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] SBR was found before the first channel element.
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] ms_present = 3 is reserved.
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Number of bands (18) exceeds limit (6).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (41) exceeds limit (20).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 2.14 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 2.7 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (46) exceeds limit (29).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] ms_present = 3 is reserved.
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (49) exceeds limit (45).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of scalefactor bands in group (56) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 1.5 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.

Last message repeated 1 times

[aac @ 0x619000002880] decode_pce: Input buffer exhausted before END element found
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (18) exceeds limit (8).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (19) exceeds limit (14).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Too large remapped id is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x619000002880] If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (17) exceeds limit (10).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (4) exceeds limit (1).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (6) exceeds limit (5).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Number of bands (19) exceeds limit (7).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (18) exceeds limit (13).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (47) exceeds limit (31).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of scalefactor bands in group (55) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (40) exceeds limit (30).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (16) exceeds limit (14).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Too large remapped id is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x619000002880] If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
[aac @ 0x619000002880] Number of bands (25) exceeds limit (14).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (33) exceeds limit (12).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (32) exceeds limit (5).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] TNS filter order 31 is greater than maximum 12.
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (29) exceeds limit (8).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (56) exceeds limit (48).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of scalefactor bands in group (56) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.1 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (23) exceeds limit (1).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (30) exceeds limit (23).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] SBR was found before the first channel element.

Last message repeated 1 times

[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (27) exceeds limit (16).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Number of bands (29) exceeds limit (22).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] SBR was found before the first channel element.
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (13) exceeds limit (10).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (33) exceeds limit (30).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (7) exceeds limit (5).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (43) exceeds limit (28).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (10) exceeds limit (9).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (47) exceeds limit (45).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (53) exceeds limit (48).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of scalefactor bands in group (60) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (33) exceeds limit (32).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (41) exceeds limit (28).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (54) exceeds limit (38).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (4) exceeds limit (1).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (46) exceeds limit (44).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (8) exceeds limit (6).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (17) exceeds limit (16).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of scalefactor bands in group (53) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (10) exceeds limit (8).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (29) exceeds limit (28).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 duplicate
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 duplicate
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 0.0 duplicate
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of scalefactor bands in group (59) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] TNS filter order 14 is greater than maximum 12.
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (67) exceeds limit (42).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (42) exceeds limit (28).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of bands (22) exceeds limit (21).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] channel element 3.4 is not allocated
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Number of bands (12) exceeds limit (11).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
[aac @ 0x619000002880] Inconsistent channel configuration.
[aac @ 0x619000002880] get_buffer() failed
Error while decoding stream #0:0: Invalid argument
[aac @ 0x619000002880] SBR was found before the first channel element.
[aac @ 0x619000002880] Number of bands (15) exceeds limit (2).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Reserved bit set.
[aac @ 0x619000002880] Number of scalefactor bands in group (57) exceeds limit (51).
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] invalid band type
Error while decoding stream #0:0: Invalid data found when processing input
[aac @ 0x619000002880] Sample rate index in program config element does not match the sample rate index configured by the container.
=================================================================
==39663==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fc46eb21800 at pc 0x00000469d07e bp 0x7ffc91473790 sp 0x7ffc91473788
WRITE of size 4 at 0x7fc46eb21800 thread T0

#0 0x469d07d (/home/test/ffmpeg/afl/ffmpeg+0x469d07d)
#1 0x466ce36 (/home/test/ffmpeg/afl/ffmpeg+0x466ce36)
#2 0x20205a5 (/home/test/ffmpeg/afl/ffmpeg+0x20205a5)
#3 0x201f78b (/home/test/ffmpeg/afl/ffmpeg+0x201f78b)
#4 0x5ddd8c (/home/test/ffmpeg/afl/ffmpeg+0x5ddd8c)
#5 0x5ca01a (/home/test/ffmpeg/afl/ffmpeg+0x5ca01a)
#6 0x5b2eef (/home/test/ffmpeg/afl/ffmpeg+0x5b2eef)
#7 0x7fc4735d0b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x41ca79 in isnanf (/home/test/ffmpeg/afl/ffmpeg+0x41ca79)

0x7fc46eb21800 is located 0 bytes inside of 547744-byte region [0x7fc46eb21800,0x7fc46eba73a0)
freed by thread T0 here:

#0 0x4dc760 in __interceptor_free (/home/test/ffmpeg/afl/ffmpeg+0x4dc760)
#1 0x468d1a6 (/home/test/ffmpeg/afl/ffmpeg+0x468d1a6)

previously allocated by thread T0 here:

#0 0x4dd568 in __interceptor_posix_memalign (/home/test/ffmpeg/afl/ffmpeg+0x4dd568)
#1 0x5f9b294 (/home/test/ffmpeg/afl/ffmpeg+0x5f9b294)
#2 0x468cdb8 (/home/test/ffmpeg/afl/ffmpeg+0x468cdb8)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/test/ffmpeg/afl/ffmpeg+0x469d07d)
Shadow bytes around the buggy address:

0x0ff90dd5c2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff90dd5c2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff90dd5c2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff90dd5c2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff90dd5c2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0ff90dd5c300:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

0x0ff90dd5c310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff90dd5c320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff90dd5c330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff90dd5c340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff90dd5c350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb

==39663==ABORTING

Attachments (1)

poc.zip (69.6 KB ) - added by fstark 4 years ago.


Change History (2)

by fstark, 4 years ago

Attachment: poc.zip added

comment:1 by mkver, 4 years ago

Component: ffmpeg → avcodec
Priority: important → normal
Resolution: → invalid
Status: new → closed

This has already been fixed in git master (namely in d6f293353c94c7ce200f6e0975ae3de49787f91f) after having been reported in #8845, #8859 and #8860. Only git master is supported here, so I'm closing this ticket as invalid.

Btw: Don't upload your samples as zip archives.
