Opened 4 years ago
Closed 4 years ago
#9099 closed defect (fixed)
HEVC Null pointer dereference
Reported by: | QiuhaoLi | Owned by: | 
---|---|---|---
Priority: | important | Component: | avcodec
Version: | git-master | Keywords: | hevc crash SIGSEGV regression
Cc: | | Blocked By: | 
Blocking: | | Reproduced by developer: | yes
Analyzed by developer: | no | | 
Description (last modified by )
-- [ Description
During fuzzing, we found a null pointer dereference (CWE-476) in the latest FFmpeg/libavcodec.
I sent a report to ffmpeg-security@ffmpeg.org, but haven't received a reply yet.
-- [ Affected Version
ubuntu@VM-0-6-ubuntu:~/ffmpeg_sources/FFmpeg$ git log | head -n 4
commit 129978af6b6503109517777eba8890713a787cb5
Author: Paul B Mahol <onemda@gmail.com>
Date: Wed Feb 10 14:08:23 2021 +0100
-- [ Reproduce with ASAN & Report
ubuntu@VM-0-6-ubuntu:~$ FFREPORT=1 ./bin/ffmpeg -i PoC output.mp4 # sorry I didn't go deep to figure out the format of the PoC
Report written to "ffmpeg-20210210-224350.log"
Log level: 48
ffmpeg version N-101043-g129978af6b Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 10.0.0-4ubuntu1
  configuration: --prefix=/home/ubuntu/ffmpeg_build --pkg-config-flags=--static --extra-cflags='-I/home/ubuntu/ffmpeg_build/include -ggdb -fsanitize=address -fsanitize=undefined' --extra-ldflags='-L/home/ubuntu/ffmpeg_build/lib -fsanitize=address -fsanitize=undefined' --extra-libs='-lpthread -lm' --bindir=/home/ubuntu/bin --cc=clang --cxx=clang++ --disable-ffplay --disable-ffprobe --disable-stripping --assert-level=2 --enable-gpl --enable-gnutls --enable-libaom --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
  libavutil      56. 65.100 / 56. 65.100
  libavcodec     58.122.100 / 58.122.100
  libavformat    58. 67.100 / 58. 67.100
  libavdevice    58. 11.103 / 58. 11.103
  libavfilter     7.103.100 /  7.103.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] overread end of atom 'stsd' by 808464282 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] stream 0, timescale not set
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Could not find codec parameters for stream 0 (Video: hevc (Hvc1 / 0x31637648), none, 12336x12336): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'PoC':
  Duration: N/A, bitrate: N/A
  Stream #0:0: Video: hevc (Hvc1 / 0x31637648), none, 12336x12336, 1 tbr, 1 tbn, 1 tbc
    Metadata:
      handler_name    : 0000000000000
      vendor_id       : 0000
      encoder         : 0000000000000000000000000000000
[hevc @ 0x619000002d80] Invalid NAL unit size in extradata.
libavcodec/hevcdec.c:3427:22: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/hevcdec.c:3427:22 in
libavcodec/hevcdec.c:3427:22: runtime error: load of null pointer of type 'HEVCLocalContext *' (aka 'struct HEVCLocalContext *')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/hevcdec.c:3427:22 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23809==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000035bf9ad bp 0x0c4c00001224 sp 0x7ffef55e8e20 T0)
==23809==The signal is caused by a READ memory access.
==23809==Hint: address points to the zero page.
    #0 0x35bf9ad in hevc_decode_free /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/hevcdec.c:3427:19
    #1 0x4688cde in ff_frame_thread_free /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/pthread_frame.c:712:13
    #2 0x468d646 in ff_frame_thread_init /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/pthread_frame.c:885:5
    #3 0x4e0ffa8 in avcodec_open2 /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/utils.c:759:15
    #4 0x57c0c4 in init_input_stream /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:2988:20
    #5 0x57c0c4 in transcode_init /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:3751:20
    #6 0x56f0d7 in transcode /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:4752:11
    #7 0x56c7b2 in main /home/ubuntu/ffmpeg_sources/FFmpeg/fftools/ffmpeg.c:4986:9
    #8 0x7fe2dcb100b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x4251ad in _start (/home/ubuntu/bin/ffmpeg+0x4251ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/ffmpeg_sources/FFmpeg/libavcodec/hevcdec.c:3427:19 in hevc_decode_free
==23809==ABORTING
ubuntu@VM-0-6-ubuntu:~$ cat ffmpeg-20210210-224350.log
ffmpeg started on 2021-02-10 at 22:43:50
Report written to "ffmpeg-20210210-224350.log"
Log level: 48
Command line:
./bin/ffmpeg -i PoC output.mp4
ffmpeg version N-101043-g129978af6b Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 10.0.0-4ubuntu1
  configuration: --prefix=/home/ubuntu/ffmpeg_build --pkg-config-flags=--static --extra-cflags='-I/home/ubuntu/ffmpeg_build/include -ggdb -fsanitize=address -fsanitize=undefined' --extra-ldflags='-L/home/ubuntu/ffmpeg_build/lib -fsanitize=address -fsanitize=undefined' --extra-libs='-lpthread -lm' --bindir=/home/ubuntu/bin --cc=clang --cxx=clang++ --disable-ffplay --disable-ffprobe --disable-stripping --assert-level=2 --enable-gpl --enable-gnutls --enable-libaom --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
  libavutil      56. 65.100 / 56. 65.100
  libavcodec     58.122.100 / 58.122.100
  libavformat    58. 67.100 / 58. 67.100
  libavdevice    58. 11.103 / 58. 11.103
  libavfilter     7.103.100 /  7.103.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
Splitting the commandline.
Reading option '-i' ... matched as input url with argument 'PoC'.
Reading option 'output.mp4' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Successfully parsed a group of options.
Parsing a group of options: input url PoC.
Successfully parsed a group of options.
Opening an input file: PoC.
[NULL @ 0x61b000000080] Opening 'PoC' for reading
[file @ 0x610000000040] Setting default whitelist 'file,crypto,data'
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Format mov,mp4,m4a,3gp,3g2,mj2 probed with size=2048 and score=100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] overread end of atom 'stsd' by 808464282 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] stream 0, timescale not set
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Before avformat_find_stream_info() pos: 495 bytes read:495 seeks:2 nb_streams:1
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[hevc @ 0x619000000f80] Invalid NAL unit size in extradata.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] Could not find codec parameters for stream 0 (Video: hevc (Hvc1 / 0x31637648), none, 12336x12336): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] After avformat_find_stream_info() pos: 495 bytes read:495 seeks:2 frames:0
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'PoC':
  Duration: N/A, bitrate: N/A
  Stream #0:0, 0, 1/1: Video: hevc (Hvc1 / 0x31637648), none, 12336x12336, 1 tbr, 1 tbn, 1 tbc
    Metadata:
      handler_name    : 0000000000000
      vendor_id       : 0000
      encoder         : 0000000000000000000000000000000
Successfully opened the file.
Parsing a group of options: output url output.mp4.
Successfully parsed a group of options.
Opening an output file: output.mp4.
[file @ 0x610000001640] Setting default whitelist 'file,crypto,data'
Successfully opened the file.
detected 16 logical cores
[hevc @ 0x619000002d80] Invalid NAL unit size in extradata.
-- [ GDB Report
ubuntu@VM-0-6-ubuntu:~$ gdb --args ./bin/ffmpeg -i PoC output.mp4
(gdb) run
(gdb) bt
#0  0x00000000035bf9ad in hevc_decode_free (avctx=<optimized out>) at libavcodec/hevcdec.c:3427
#1  0x0000000004688cdf in ff_frame_thread_free (avctx=0x619000001480, thread_count=<optimized out>) at libavcodec/pthread_frame.c:712
#2  0x000000000468d647 in ff_frame_thread_init (avctx=<optimized out>) at libavcodec/pthread_frame.c:885
#3  0x00000000070a9b23 in ff_thread_init (avctx=<optimized out>) at libavcodec/pthread.c:77
#4  0x0000000004e0ffa9 in avcodec_open2 (avctx=<optimized out>, codec=0x9aa5ec0 <ff_hevc_decoder>, options=<optimized out>) at libavcodec/utils.c:759
#5  0x000000000057c0c5 in init_input_stream (ist_index=<optimized out>, error=0x7fffffffc660 "", error_len=1024) at fftools/ffmpeg.c:2988
#6  transcode_init () at fftools/ffmpeg.c:3751
#7  0x000000000056f0d8 in transcode () at fftools/ffmpeg.c:4752
#8  0x000000000056c7b3 in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4986
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0x35bf98d to 0x35bf9cd:
   0x00000000035bf98d <hevc_decode_free+1317>:	add    (%rax),%al
   0x00000000035bf98f <hevc_decode_free+1319>:	add    %cl,-0x7b(%rax)
   0x00000000035bf992 <hevc_decode_free+1322>:	fisttpl (%rdi)
   0x00000000035bf994 <hevc_decode_free+1324>:	test   %ah,(%rbx)
   0x00000000035bf996 <hevc_decode_free+1326>:	add    (%rax),%al
   0x00000000035bf998 <hevc_decode_free+1328>:	add    %cl,-0x77(%rax)
   0x00000000035bf99b <hevc_decode_free+1331>:	fmuls  -0x3f(%rax)
   0x00000000035bf99e <hevc_decode_free+1334>:	callq  0x41479a6 <skip_bits_long+742>
   0x00000000035bf9a3 <hevc_decode_free+1339>:	cmp    $0x7f,%bh
   0x00000000035bf9a6 <hevc_decode_free+1342>:	add    %cl,(%rdi)
   0x00000000035bf9a8 <hevc_decode_free+1344>:	test   %ebp,(%rdx)
   0x00000000035bf9aa <hevc_decode_free+1346>:	add    (%rax),%eax
   0x00000000035bf9ac <hevc_decode_free+1348>:	add    %cl,0x23(%rbx,%rdi,1)
   0x00000000035bf9b0 <hevc_decode_free+1352>:	mov    0x8(%rsp),%r12
   0x00000000035bf9b5 <hevc_decode_free+1357>:	jne    0x35bf9de <hevc_decode_free+1398>
   0x00000000035bf9b7 <hevc_decode_free+1359>:	test   %r14b,%r14b
   0x00000000035bf9ba <hevc_decode_free+1362>:	je     0x35bfc69 <hevc_decode_free+2049>
   0x00000000035bf9c0 <hevc_decode_free+1368>:	test   $0x7,%r15b
   0x00000000035bf9c4 <hevc_decode_free+1372>:	jne    0x35bfc7f <hevc_decode_free+2071>
   0x00000000035bf9ca <hevc_decode_free+1378>:	cmpb   $0x0,0x7fff8000(%rbp)
End of assembler dump.
(gdb) info all-registers
rax            0x0                 0
rbx            0x0                 0
rcx            0x0                 0
rdx            0xc4c00001223       13520557052451
rsi            0x0                 0
rdi            0x7fffffffb6a9      140737488336553
rbp            0xc4c00001224       0xc4c00001224
rsp            0x7fffffffb780      0x7fffffffb780
r8             0x7fffffffaa70      140737488333424
r9             0x2                 2
r10            0x7e98b73           132746099
r11            0x206               518
r12            0x0                 0
r13            0x626000009118      108164456419608
r14            0x624000002101      108027017437441
r15            0x626000009120      108164456419616
rip            0x35bf9ad           0x35bf9ad <hevc_decode_free+1349>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
st0            0                   (raw 0x00000000000000000000)
st1            0                   (raw 0x00000000000000000000)
st2            0                   (raw 0x00000000000000000000)
st3            0                   (raw 0x00000000000000000000)
st4            0                   (raw 0x00000000000000000000)
st5            0                   (raw 0x00000000000000000000)
st6            0                   (raw 0x00000000000000000000)
st7            0                   (raw 0x00000000000000000000)
fctrl          0x37f               895
fstat          0x0                 0
ftag           0xffff              65535
fiseg          0x0                 0
fioff          0x0                 0
foseg          0x0                 0
fooff          0x0                 0
fop            0x0                 0
mxcsr          0x1fa0              [ PE IM DM ZM OM UM PM ]
bndcfgu        {raw = 0x0, config = {base = 0x0, reserved = 0x0, preserved = 0x0, enabled = 0x0}} {raw = 0x0, config = {base = 0, reserved = 0, preserved = 0, enabled = 0}}
bndstatus      {raw = 0x0, status = {bde = 0x0, error = 0x0}} {raw = 0x0, status = {bde = 0, error = 0}}
k0             0x0                 0
k1             0x0                 0
k2             0x0                 0
k3             0x0                 0
k4             0x0                 0
k5             0x0                 0
k6             0x0                 0
k7             0x0                 0
/* ... */
-- [ PoC base64 encoded
ubuntu@VM-0-6-ubuntu:~$ base64 PoC
MDAwMG1vb3YAAABsMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwdHJhawAAAFwwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAHDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMAAAAC1oZGxyMDAwMDAwMDB2aWRlMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMAAAAAEwMDAwAAAAAAAAABwwMDAwMDAwMDAwMDAAAAAMMDAwMDAwMDAwMDAwc3RzZDAwMDAA
AAABMDAwMGVuY3YwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAA0YXZjQzAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMGZybWFIdmMx
Thank you.
Qiuhao Li
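The box layout of the PoC, as an added example that is not part of the report and not FFmpeg code: a small C program that decodes the base64 posted above, walks the ISOBMFF/MP4 box headers and flags every box whose declared size runs past the end of the file, which is the condition behind the demuxer's "overread end of atom 'stsd'" message (the first four bytes of the file are the ASCII "0000", so the top-level `moov` box claims 808464432 bytes in a 495-byte file). It assumes the base64 text was copied intact; the walker is an illustration only and treats the special sizes 0 (box runs to end of file) and 1 (64-bit largesize) as bad.

```c
/* Added example, not FFmpeg code: walk the ISOBMFF box headers of the PoC
 * and flag declared sizes that do not fit in the remaining bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The PoC exactly as printed by `base64 PoC` in the report above. */
static const char *poc_b64 =
    "MDAwMG1vb3YAAABsMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw"
    "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw"
    "MDAwMDAwdHJhawAAAFwwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw"
    "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAHDAwMDAwMDAw"
    "MDAwMDAwMDAwMDAwMDAwMDAwMAAAAC1oZGxyMDAwMDAwMDB2aWRlMDAwMDAwMDAwMDAwMDAwMDAwMDAw"
    "MDAwMAAAAAEwMDAwAAAAAAAAABwwMDAwMDAwMDAwMDAAAAAMMDAwMDAwMDAwMDAwc3RzZDAwMDAA"
    "AAABMDAwMGVuY3YwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw"
    "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAA0YXZjQzAwMDAwMDAwMDAwMDAwMDAw"
    "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMGZybWFIdmMx";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                       /* '=', whitespace or junk: skipped */
}

/* Minimal base64 decoder; tolerates missing padding. Returns bytes written. */
static size_t b64decode(const char *in, uint8_t *out, size_t cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) continue;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n < cap) out[n] = (uint8_t)(acc >> bits);
            n++;
            acc &= (1u << bits) - 1;
        }
    }
    return n < cap ? n : cap;
}

struct box {
    size_t   offset;
    uint32_t size;       /* declared size, header included */
    char     type[5];
    int      overrun;    /* declared size does not fit in the remaining bytes */
};

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the 8-byte box header at `off`. Returns 0 if no header fits. */
static int read_box(const uint8_t *buf, size_t len, size_t off, struct box *b)
{
    if (off > len || len - off < 8) return 0;
    b->offset = off;
    b->size   = rd32be(buf + off);
    memcpy(b->type, buf + off + 4, 4);
    b->type[4] = '\0';
    /* sizes 0 and 1 have special meanings in ISOBMFF; treated as bad here */
    b->overrun = b->size < 8 || b->size > len - off;
    return 1;
}

static int is_container(const char *t)
{
    return !strcmp(t, "moov") || !strcmp(t, "trak") || !strcmp(t, "mdia") ||
           !strcmp(t, "minf") || !strcmp(t, "stbl");
}

/* Print the box tree between off and end, clamping boxes that overrun. */
static void walk(const uint8_t *buf, size_t len, size_t off, size_t end, int depth)
{
    struct box b;
    while (off < end && read_box(buf, len, off, &b)) {
        size_t box_end = b.overrun ? end : off + b.size;
        printf("%*s%s size=%u%s\n", depth * 2, "", b.type, (unsigned)b.size,
               b.overrun ? "  <-- declared size exceeds remaining bytes" : "");
        if (is_container(b.type))
            walk(buf, len, off + 8, box_end, depth + 1);
        if (b.overrun) break;        /* nothing after a bad size is trustworthy */
        off = box_end;
    }
}

/* Decode the PoC and read the box header at `off` (used by main and checks). */
static int poc_box_at(size_t off, struct box *b)
{
    static uint8_t buf[1024];
    size_t len = b64decode(poc_b64, buf, sizeof buf);
    return read_box(buf, len, off, b);
}

int main(void)
{
    static uint8_t buf[1024];
    size_t len = b64decode(poc_b64, buf, sizeof buf);
    struct box top;
    if (poc_box_at(0, &top))
        printf("first box '%s' declares %u bytes, file has %zu\n",
               top.type, (unsigned)top.size, len);
    walk(buf, len, 0, len, 0);
    return 0;
}
```

Every size in a container is attacker-controlled; a demuxer must clamp each box to its parent and to the file, which is exactly the check libavformat's mov demuxer performed here before handing the garbage sample entry to the HEVC decoder.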
Attachments (1)
Change History (6)
by , 4 years ago
comment:1 by , 4 years ago
Reproduced by developer: set
comment:2 by , 4 years ago
Description: modified (diff)
Keywords: asan hevc added; NULL Pointer Dereference removed
Priority: important → normal
Reproduced by developer: unset
Summary: FFmpeg/libavcodec: NULL Pointer Dereference → Undefined behaviour in the hevc decoder
I cannot reproduce a crash.
comment:4 by , 4 years ago
Keywords: crash SIGSEGV regression added; asan removed
Priority: normal → important
Summary: Undefined behaviour in the hevc decoder → HEVC Null pointer dereference
Indeed, a regression since d4751d8c630983e6343c3100debb5de80be50ac3
comment:5 by , 4 years ago
Resolution: → fixed
Status: open → closed
Should be fixed in 089706e009240ce3dc76f09ae9eee0ba98e65bd1
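The failure pattern the backtrace shows, as an added example that is not FFmpeg's code and not the fix in the commit cited above: ff_frame_thread_init fails during avcodec_open2, ff_frame_thread_free then calls the codec's close callback on every per-thread context copy, and hevc_decode_free dereferences a HEVCLocalContext pointer that was never allocated for the copies whose own init never ran. The structures, names and the simulated failure below are invented for illustration; the point is that a close callback reachable from an init error path must tolerate every partially initialised state.

```c
/* Added example, not FFmpeg code: a close callback that assumes init
 * completed, beside the same callback hardened so the error path of a
 * failed frame-thread setup can call it on every thread context. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-thread decoder state, standing in for HEVCLocalContext. */
typedef struct LocalCtx {
    unsigned char *scratch;
} LocalCtx;

/* Hypothetical codec context; `lc` stays NULL until the codec's init runs. */
typedef struct Decoder {
    LocalCtx *lc;
    int       frame_threads;
} Decoder;

typedef int (*close_cb)(Decoder *);

static int null_lc_closes;   /* contexts closed while lc was still NULL */

/* Mirrors the crash: dereferences lc without checking that init created it. */
static int decode_close_unsafe(Decoder *d)
{
    free(d->lc->scratch);            /* NULL pointer dereference when lc == NULL */
    free(d->lc);
    d->lc = NULL;
    return 0;
}

/* Hardened: the close callback may run on a half-initialised context, so
 * every pointer it touches may legitimately be NULL. */
static int decode_close_safe(Decoder *d)
{
    if (!d->lc) {
        null_lc_closes++;
        return 0;
    }
    free(d->lc->scratch);            /* free(NULL) is fine if init failed midway */
    free(d->lc);
    d->lc = NULL;
    return 0;
}

/* Per-thread init for one context copy. */
static int decode_init(Decoder *d)
{
    d->lc = calloc(1, sizeof *d->lc);
    if (!d->lc) return -1;
    d->lc->scratch = malloc(64);
    return d->lc->scratch ? 0 : -1;  /* lc exists, scratch does not */
}

/* Stand-in for frame-thread setup: creates n context copies and inits them
 * one by one; `fail_at` simulates a failure before copy `fail_at` is
 * initialised (pass -1 for no failure). On failure the error path closes
 * every copy, initialised or not, which is the call sequence in the
 * backtrace (ff_frame_thread_init -> ff_frame_thread_free -> close). */
static int frame_thread_init(const Decoder *base, int n, int fail_at, close_cb close)
{
    Decoder *copies = calloc((size_t)n, sizeof *copies);
    int i, ret = 0;

    null_lc_closes = 0;
    if (!copies) return -1;

    for (i = 0; i < n; i++) {
        copies[i] = *base;
        copies[i].lc = NULL;         /* each thread gets its own local state */
        if (i == fail_at || decode_init(&copies[i]) < 0) {
            ret = -1;
            break;
        }
    }
    /* teardown: on the error path this also hits copies that never ran init */
    for (i = 0; i < n; i++)
        close(&copies[i]);
    free(copies);
    return ret;
}

static int closes_with_null_lc(void) { return null_lc_closes; }

int main(int argc, char **argv)
{
    Decoder base = { NULL, 4 };
    close_cb cb = decode_close_safe;
    if (argc > 1 && !strcmp(argv[1], "--crash"))
        cb = decode_close_unsafe;    /* reproduces the SEGV on address 0 */
    int ret = frame_thread_init(&base, base.frame_threads, 2, cb);
    printf("init returned %d; close ran on %d contexts with no local context\n",
           ret, closes_with_null_lc());
    return 0;
}
```

Run it without arguments to see the hardened close absorb the two uninitialised copies; with `--crash` the unsafe close dereferences NULL on the third copy, the same shape as the ASAN report (a READ of the zero page inside the free path, reached from thread initialisation rather than from decoding).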
The crash input file (SEGV: Read on address 0x000000000000)