Opened 3 years ago
Closed 3 years ago
#9121 closed defect (fixed)
vividas seek crash
Reported by: | bird | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avformat |
Version: | git-master | Keywords: | vividas crash |
Cc: | Blocked By: | ||
Blocking: | Reproduced by developer: | yes | |
Analyzed by developer: | no |
Description
Summary of the bug:
There is a heap buffer overflow read when extracting frames from the video.
How to reproduce:
$ ./ffmpeg_g -ss 0 -i ./2 -s 320x240 -y -f image2 output.jpeg ffmpeg version N-101261-g78d5e1c653 Copyright (c) 2000-2021 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --prefix=/home/bird/ffmpeg_build_new --pkg-config-flags=--static --extra-cflags='-I/home/bird/ffmpeg_build_new/include -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-frame-pointer -g -fsanitize=address' --extra-ldflags='-L/home/bird/ffmpeg_build_new/lib -fsanitize=address' --extra-libs='-lpthread -lm' --bindir=/home/bird/bin_new --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug libavutil 56. 66.100 / 56. 66.100 libavcodec 58.125.100 / 58.125.100 libavformat 58. 68.100 / 58. 68.100 libavdevice 58. 12.100 / 58. 12.100 libavfilter 7.107.100 / 7.107.100 libswscale 5. 8.100 / 5. 8.100 libswresample 3. 8.100 / 3. 8.100 libpostproc 55. 8.100 / 55. 8.100 Ignoring attempt to set invalid timebase 0/0 for st:0 [vividas @ 0x61b000000080] number of audio tracks 0 is not 1 [vividas @ 0x61b000000080] Could not find codec parameters for stream 0 (Video: vp6, yuv420p): unspecified size Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options ================================================================= ==15154==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005318 at pc 0x000001167ade bp 0x7ffffa677bd0 sp 0x7ffffa677bc8 READ of size 8 at 0x602000005318 thread T0 #0 0x1167add in viv_read_seek /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:769:89 #1 0x1142360 in seek_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2449:15 #2 0x1142360 in av_seek_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2481 #3 0x11439ff in avformat_seek_file /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2533:19 #4 0x51dd2d in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1252:15 #5 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15 #6 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11 #7 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11 #8 0x7f59d7e58bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 #9 0x423609 in _start (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x423609) 0x602000005318 is located 0 bytes to the right of 8-byte region [0x602000005310,0x602000005318) allocated by thread T0 here: #0 0x4e3940 in realloc (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e3940) #1 0x11553a0 in avformat_new_stream /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:4492:15 #2 0x11656ce in track_header /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:322:24 #3 0x11656ce in viv_read_header /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:605 #4 0x1134fd4 in avformat_open_input /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:599:20 #5 0x51d667 in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1174:11 #6 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15 #7 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11 #8 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11 #9 0x7f59d7e58bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 SUMMARY: AddressSanitizer: heap-buffer-overflow /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:769:89 in viv_read_seek
Attachments (1)
Change History (4)
by , 3 years ago
comment:1 by , 3 years ago
Component: | ffmpeg → avformat |
---|---|
Keywords: | vividas crash added |
Priority: | normal → important |
Reproduced by developer: | set |
Status: | new → open |
comment:2 by , 3 years ago
Summary: | heap buffer overflow read when extracting frames from the video → vividas seek crash |
---|
comment:3 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | open → closed |
Fixed in af867e59d9ac3db5aaf7df4691f032e14ea51588.
Note:
See TracTickets
for help on using tickets.