#9120 closed defect (fixed)

dss seek crash

Reported by: bird
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: dss crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
There is a heap buffer overflow write when extracting frames from the video.
How to reproduce:

$ ./ffmpeg_g -ss 0 -i ./1 -s 320x240 -y -f image2 output.jpeg
ffmpeg version N-101261-g78d5e1c653 Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --prefix=/home/bird/ffmpeg_build_new --pkg-config-flags=--static --extra-cflags='-I/home/bird/ffmpeg_build_new/include -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-frame-pointer -g -fsanitize=address' --extra-ldflags='-L/home/bird/ffmpeg_build_new/lib -fsanitize=address' --extra-libs='-lpthread -lm' --bindir=/home/bird/bin_new --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
  libavutil      56. 66.100 / 56. 66.100
  libavcodec     58.125.100 / 58.125.100
  libavformat    58. 68.100 / 58. 68.100
  libavdevice    58. 12.100 / 58. 12.100
  libavfilter     7.107.100 /  7.107.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
[dss @ 0x61b000000080] Estimating duration from bitrate, this may be inaccurate
=================================================================
==14599==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000025af4 at pc 0x0000004e21ec bp 0x7ffc285d86e0 sp 0x7ffc285d7e90
WRITE of size 70 at 0x60e000025af4 thread T0
    #0 0x4e21eb in __asan_memcpy (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e21eb)
    #1 0xdebec6 in avio_read /disk1/fuzzing/ffmpeg_latest/libavformat/aviobuf.c:673:13
    #2 0xe2ec18 in dss_sp_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:246:11
    #3 0xe2ec18 in dss_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/dss.c:321
    #4 0x1136aa1 in ff_read_packet /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:823:15
    #5 0x113be26 in read_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1526:15
    #6 0x113b14c in av_read_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:1730:17
    #7 0x1142e4a in seek_frame_generic /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2388:31
    #8 0x1142e4a in seek_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2461
    #9 0x1142e4a in av_seek_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2481
    #10 0x11439ff in avformat_seek_file /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2533:19
    #11 0x51dd2d in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1252:15
    #12 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
    #13 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
    #14 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
    #15 0x7fcabf899bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x423609 in _start (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x423609)

0x60e000025af4 is located 12 bytes to the left of 68-byte region [0x60e000025b00,0x60e000025b44)
allocated by thread T0 here:
    #0 0x4e40f8 in __interceptor_posix_memalign (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e40f8)
    #1 0x3c0e14c in av_malloc /disk1/fuzzing/ffmpeg_latest/libavutil/mem.c:86:9
    #2 0x3c0e14c in av_mallocz /disk1/fuzzing/ffmpeg_latest/libavutil/mem.c:239
    #3 0x1134e51 in avformat_open_input /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:581:30
    #4 0x51d667 in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1174:11
    #5 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
    #6 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
    #7 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
    #8 0x7fcabf899bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e21eb) in __asan_memcpy
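
Reading the sanitizer report: a 70-byte write starts 12 bytes before a 68-byte heap block, so the write both underflows the block and is larger than the block itself; that is the signature of a destination pointer computed from a signed offset that went negative before a stream read. The following is an added illustration, not code from FFmpeg or from the reporter: `DemuxCtx`, `MemStream`, `bounded_ctx_read` and `replay` are hypothetical names, the 68-byte block stands in for the demuxer's private context, and `mem_read` stands in for the stream reader (avio_read in the trace).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed: the 68-byte heap block from the sanitizer report, treated as the
 * destination buffer a packet reader writes into. */
#define CTX_BLOCK_SIZE 68

typedef struct {
    uint8_t block[CTX_BLOCK_SIZE];
} DemuxCtx;            /* hypothetical stand-in for a demuxer's private context */

/* In-memory stand-in for the byte source (avio_read in the report). */
typedef struct {
    const uint8_t *data;
    size_t len, pos;
} MemStream;

static int mem_read(MemStream *s, uint8_t *dst, int n)
{
    size_t avail = s->len - s->pos;
    size_t take  = (size_t)n < avail ? (size_t)n : avail;
    memcpy(dst, s->data + s->pos, take);
    s->pos += take;
    return (int)take;
}

/* The check the unchecked pointer arithmetic was missing: reject a negative
 * offset or length, and any write that would end past the block, before any
 * memory is touched. Returns bytes read, or -1 when the range is rejected. */
static int bounded_ctx_read(MemStream *s, DemuxCtx *ctx, int offset, int len)
{
    if (offset < 0 || len < 0)
        return -1;
    if ((size_t)offset > CTX_BLOCK_SIZE ||
        (size_t)len > CTX_BLOCK_SIZE - (size_t)offset)
        return -1;
    return mem_read(s, ctx->block + offset, len);
}

/* Drives one read with a given (offset, len) against a fresh context and a
 * constructed 96-byte source; -12/70 is the shape of the reported write. */
static int replay(int offset, int len)
{
    static const uint8_t src[96] = { 0 };   /* constructed input */
    MemStream s   = { src, sizeof src, 0 };
    DemuxCtx  ctx = { { 0 } };
    return bounded_ctx_read(&s, &ctx, offset, len);
}
```

With the check in place the reported shape is refused before memcpy runs, while in-range reads up to the end of the block still succeed.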

Attachments (1)

1 (1.5 KB) - added by bird 18 months ago.


Change History (3)

by bird, 18 months ago

Attachment: 1 added

comment:1 by Carl Eugen Hoyos, 18 months ago

Component: ffmpeg → avformat
Keywords: dss crash added
Priority: normal → important
Reproduced by developer: set
Status: new → open
Summary: heap buffer overflow write when extracting frames from the video → dss seek crash
$ valgrind ffmpeg_g -ss 0 -i 1 
==1963== Memcheck, a memory error detector
==1963== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1963== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==1963== Command: ffmpeg_g -ss 0 -i 1
==1963== 
ffmpeg version N-101291-gd3d99a0a06 Copyright (c) 2000-2021 the FFmpeg developers
  built with gcc 10 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      56. 66.100 / 56. 66.100
  libavcodec     58.125.100 / 58.125.100
  libavformat    58. 68.100 / 58. 68.100
  libavdevice    58. 12.100 / 58. 12.100
  libavfilter     7.107.100 /  7.107.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
[dss @ 0x5082540] Estimating duration from bitrate, this may be inaccurate
==1963== Invalid write of size 2
==1963==    at 0x483DEC3: memcpy@GLIBC_2.2.5 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1963==    by 0x720723: avio_read (aviobuf.c:673)
==1963==    by 0x7366F3: dss_sp_read_packet (dss.c:246)
==1963==    by 0x7366F3: dss_read_packet (dss.c:321)
==1963==    by 0x833BE9: ff_read_packet (utils.c:823)
==1963==    by 0x834D7A: read_frame_internal (utils.c:1526)
==1963==    by 0x835C27: av_read_frame (utils.c:1730)
==1963==    by 0x83780C: seek_frame_generic (utils.c:2388)
==1963==    by 0x83780C: seek_frame_internal (utils.c:2461)
==1963==    by 0x83780C: av_seek_frame (utils.c:2481)
==1963==    by 0x8373F9: avformat_seek_file (utils.c:2533)
==1963==    by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==1963==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==1963==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==1963==    by 0x494C97: main (ffmpeg.c:4964)
==1963==  Address 0x5094874 is 12 bytes before a block of size 68 alloc'd
==1963==    at 0x483BEB8: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1963==    by 0x483BFEE: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1963==    by 0x121A74F: av_malloc (mem.c:86)
==1963==    by 0x121A74F: av_mallocz (mem.c:239)
==1963==    by 0x83CC04: avformat_open_input (utils.c:581)
==1963==    by 0x49C973: open_input_file (ffmpeg_opt.c:1174)
==1963==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==1963==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==1963==    by 0x494C97: main (ffmpeg.c:4964)
==1963== 
1: could not seek to position 0.000
Input #0, dss, from '1':
  Metadata:
    author          : ��0� ?B�
                    : ������
    date            : 2077-77-77T77:77:77
    comment         : 
  Duration: 00:00:00.29, start: 0.000000, bitrate: 13 kb/s
  Stream #0:0: Audio: dss_sp, 11025 Hz, mono, s16
At least one output file must be specified
==1963== 
==1963== HEAP SUMMARY:
==1963==     in use at exit: 0 bytes in 0 blocks
==1963==   total heap usage: 206 allocs, 206 frees, 100,610 bytes allocated
==1963== 
==1963== All heap blocks were freed -- no leaks are possible
==1963== 
==1963== For lists of detected and suppressed errors, rerun with: -s
==1963== ERROR SUMMARY: 12 errors from 1 contexts (suppressed: 0 from 0)

comment:2 by mkver, 17 months ago

Resolution: fixed
Status: open → closed