Context Navigation

#9121 closed defect (fixed)

vividas seek crash

Reported by:	bird	Owned by:
Priority:	important	Component:	avformat
Version:	git-master	Keywords:	vividas crash
Cc:		Blocked By:
Blocking:		Reproduced by developer:	yes
Analyzed by developer:	no

Description

Summary of the bug:
There is a heap buffer overflow read when extracting frames from the video.
How to reproduce:

$ ./ffmpeg_g -ss 0 -i ./2 -s 320x240 -y -f image2 output.jpeg
ffmpeg version N-101261-g78d5e1c653 Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --prefix=/home/bird/ffmpeg_build_new --pkg-config-flags=--static --extra-cflags='-I/home/bird/ffmpeg_build_new/include -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-frame-pointer -g -fsanitize=address' --extra-ldflags='-L/home/bird/ffmpeg_build_new/lib -fsanitize=address' --extra-libs='-lpthread -lm' --bindir=/home/bird/bin_new --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
  libavutil      56. 66.100 / 56. 66.100
  libavcodec     58.125.100 / 58.125.100
  libavformat    58. 68.100 / 58. 68.100
  libavdevice    58. 12.100 / 58. 12.100
  libavfilter     7.107.100 /  7.107.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
Ignoring attempt to set invalid timebase 0/0 for st:0
[vividas @ 0x61b000000080] number of audio tracks 0 is not 1
[vividas @ 0x61b000000080] Could not find codec parameters for stream 0 (Video: vp6, yuv420p): unspecified size
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
=================================================================
==15154==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005318 at pc 0x000001167ade bp 0x7ffffa677bd0 sp 0x7ffffa677bc8
READ of size 8 at 0x602000005318 thread T0
    #0 0x1167add in viv_read_seek /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:769:89
    #1 0x1142360 in seek_frame_internal /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2449:15
    #2 0x1142360 in av_seek_frame /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2481
    #3 0x11439ff in avformat_seek_file /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:2533:19
    #4 0x51dd2d in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1252:15
    #5 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
    #6 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
    #7 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
    #8 0x7f59d7e58bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x423609 in _start (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x423609)

0x602000005318 is located 0 bytes to the right of 8-byte region [0x602000005310,0x602000005318)
allocated by thread T0 here:
    #0 0x4e3940 in realloc (/disk1/fuzzing/ffmpeg_latest/ffmpeg_g+0x4e3940)
    #1 0x11553a0 in avformat_new_stream /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:4492:15
    #2 0x11656ce in track_header /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:322:24
    #3 0x11656ce in viv_read_header /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:605
    #4 0x1134fd4 in avformat_open_input /disk1/fuzzing/ffmpeg_latest/libavformat/utils.c:599:20
    #5 0x51d667 in open_input_file /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:1174:11
    #6 0x51c42a in open_files /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3335:15
    #7 0x51be55 in ffmpeg_parse_options /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg_opt.c:3375:11
    #8 0x55ba9f in main /disk1/fuzzing/ffmpeg_latest/fftools/ffmpeg.c:4964:11
    #9 0x7f59d7e58bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /disk1/fuzzing/ffmpeg_latest/libavformat/vividas.c:769:89 in viv_read_seek

Attachments (1)

2 (414 bytes ) - added by bird 3 years ago.

Download all attachments as: .zip

Change History (4)

by bird, 3 years ago

Attachment:	2 added

comment:1 by Carl Eugen Hoyos, 3 years ago

Component:	ffmpeg → avformat
Keywords:	vividas crash added
Priority:	normal → important
Reproduced by developer:	set
Status:	new → open

$ valgrind ffmpeg_g -ss 0 -i 2   
==31689== Memcheck, a memory error detector
==31689== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31689== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==31689== Command: ffmpeg_g -ss 0 -i 2
==31689== 
ffmpeg version N-101291-gd3d99a0a06 Copyright (c) 2000-2021 the FFmpeg developers
  built with gcc 10 (SUSE Linux)
  configuration: --enable-gpl
  libavutil      56. 66.100 / 56. 66.100
  libavcodec     58.125.100 / 58.125.100
  libavformat    58. 68.100 / 58. 68.100
  libavdevice    58. 12.100 / 58. 12.100
  libavfilter     7.107.100 /  7.107.100
  libswscale      5.  8.100 /  5.  8.100
  libswresample   3.  8.100 /  3.  8.100
  libpostproc    55.  8.100 / 55.  8.100
Ignoring attempt to set invalid timebase 0/0 for st:0
[vividas @ 0x5082540] number of audio tracks 0 is not 1
[vividas @ 0x5082540] Could not find codec parameters for stream 0 (Video: vp6, yuv420p): unspecified size
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
==31689== Invalid read of size 8
==31689==    at 0x83FFEE: viv_read_seek (vividas.c:769)
==31689==    by 0x8375F0: seek_frame_internal (utils.c:2449)
==31689==    by 0x8375F0: av_seek_frame (utils.c:2481)
==31689==    by 0x8373F9: avformat_seek_file (utils.c:2533)
==31689==    by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==31689==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689==    by 0x494C97: main (ffmpeg.c:4964)
==31689==  Address 0x5094d58 is 0 bytes after a block of size 8 alloc'd
==31689==    at 0x48396AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31689==    by 0x83D502: avformat_new_stream (utils.c:4492)
==31689==    by 0x840735: track_header (vividas.c:322)
==31689==    by 0x840735: viv_read_header (vividas.c:605)
==31689==    by 0x83C987: avformat_open_input (utils.c:599)
==31689==    by 0x49C973: open_input_file (ffmpeg_opt.c:1174)
==31689==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689==    by 0x494C97: main (ffmpeg.c:4964)
==31689== 
==31689== Invalid read of size 8
==31689==    at 0x83FFF2: viv_read_seek (vividas.c:769)
==31689==    by 0x8375F0: seek_frame_internal (utils.c:2449)
==31689==    by 0x8375F0: av_seek_frame (utils.c:2481)
==31689==    by 0x8373F9: avformat_seek_file (utils.c:2533)
==31689==    by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==31689==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689==    by 0x494C97: main (ffmpeg.c:4964)
==31689==  Address 0xd0 is not stack'd, malloc'd or (recently) free'd
==31689== 
==31689== 
==31689== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==31689==  Access not within mapped region at address 0xD0
==31689==    at 0x83FFF2: viv_read_seek (vividas.c:769)
==31689==    by 0x8375F0: seek_frame_internal (utils.c:2449)
==31689==    by 0x8375F0: av_seek_frame (utils.c:2481)
==31689==    by 0x8373F9: avformat_seek_file (utils.c:2533)
==31689==    by 0x49C7A0: open_input_file (ffmpeg_opt.c:1252)
==31689==    by 0x4A0117: open_files (ffmpeg_opt.c:3335)
==31689==    by 0x4A0117: ffmpeg_parse_options (ffmpeg_opt.c:3375)
==31689==    by 0x494C97: main (ffmpeg.c:4964)
==31689==  If you believe this happened as a result of a stack
==31689==  overflow in your program's main thread (unlikely but
==31689==  possible), you can try to increase the size of the
==31689==  main thread stack using the --main-stacksize= flag.
==31689==  The main thread stack size used in this run was 8388608.
==31689== 
==31689== HEAP SUMMARY:
==31689==     in use at exit: 39,614 bytes in 31 blocks
==31689==   total heap usage: 114 allocs, 83 frees, 87,683 bytes allocated
==31689== 
==31689== LEAK SUMMARY:
==31689==    definitely lost: 0 bytes in 0 blocks
==31689==    indirectly lost: 0 bytes in 0 blocks
==31689==      possibly lost: 0 bytes in 0 blocks
==31689==    still reachable: 39,614 bytes in 31 blocks
==31689==         suppressed: 0 bytes in 0 blocks
==31689== Rerun with --leak-check=full to see details of leaked memory
==31689== 
==31689== For lists of detected and suppressed errors, rerun with: -s
==31689== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

comment:2 by Carl Eugen Hoyos, 3 years ago

Summary:	heap buffer overflow read when extracting frames from the video → vividas seek crash

comment:3 by mkver, 3 years ago

Resolution:	→ fixed
Status:	open → closed

Fixed in af867e59d9ac3db5aaf7df4691f032e14ea51588.

Note: See TracTickets for help on using tickets.

Download in other formats: