Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#9161 closed defect (fixed)

null pointer dereference in ff_mpeg_unref_picture (libavcodec/mpegpicture.c)

Reported by: AAA-zraxx Owned by:
Priority: important Component: avcodec
Version: 4.3.2 Keywords: crash SIGSEGV regression
Cc: Marton Balint Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary

During fuzzing, we found a null pointer dereference (CWE-476) in the
latest FFmpeg/libavcodec.

Test Version

$ git log | head -n 4
commit f719f869907764e6412a6af6e178c46e5f915d25
Author: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat Feb 20 14:22:23 2021 +0100

Reproduce & ASAN Report

linux64@ubuntu:~/ffmpeg-afl$ ./ffmpeg_g -i ../hangs/test_001.avi output_001.mp4 
ffmpeg version 4.3.2-c872040 Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --enable-debug --cc=afl-clang
  libavutil      56. 51.100 / 56. 51.100
  libavcodec     58. 91.100 / 58. 91.100
  libavformat    58. 45.100 / 58. 45.100
  libavdevice    58. 10.100 / 58. 10.100
  libavfilter     7. 85.100 /  7. 85.100
  libswscale      5.  7.100 /  5.  7.100
  libswresample   3.  7.100 /  3.  7.100
[pictor_pipe @ 0x61b000000080] Format pictor_pipe detected only with low score of 12, misdetection possible!
Input #0, pictor_pipe, from '../hangs/test_001.avi':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: pictor, pal8, 4039x32783, 25 tbr, 25 tbn, 25 tbc
File 'output_001.mp4' already exists. Overwrite? [y/N] y
Stream mapping:
  Stream #0:0 -> #0:0 (pictor (native) -> mpeg4 (native))
Press [q] to stop, [?] for help
[mpeg4 @ 0x619000001e80] dimensions too large for MPEG-4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==41208==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000378e8b5 bp 0x7ffc7f2c7bb0 sp 0x7ffc7f2c7120 T0)
==41208==The signal is caused by a READ memory access.
==41208==Hint: address points to the zero page.
    #0 0x378e8b4 in ff_mpeg_unref_picture /home/linux64/ffmpeg-c872040/libavcodec/mpegpicture.c:306:50
    #1 0x37ac423 in ff_mpv_common_end /home/linux64/ffmpeg-c872040/libavcodec/mpegvideo.c:1163:5
    #2 0x382abfc in ff_mpv_encode_end /home/linux64/ffmpeg-c872040/libavcodec/mpegvideo_enc.c:1074:5
    #3 0x466fa69 in avcodec_open2 /home/linux64/ffmpeg-c872040/libavcodec/utils.c:1029:9
    #4 0x5dd479 in init_output_stream /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:3476:20
    #5 0x5eaf0a in reap_filters /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:1432:19
    #6 0x5b6a0f in transcode_step /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4621:12
    #7 0x5b6a0f in transcode /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4665
    #8 0x5a161e in main /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4870:9
    #9 0x7ff15e466bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41d159 in _start (/home/linux64/ffmpeg-afl/ffmpeg_g+0x41d159)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/linux64/ffmpeg-c872040/libavcodec/mpegpicture.c:306:50 in ff_mpeg_unref_picture
==41208==ABORTING

GDB Output (compiled with gcc)

[#0] Id 1, Name: "ffmpeg_g", stopped 0x555555cb7e59 in ff_mpeg_unref_picture (), reason: SIGSEGV
[#1] Id 2, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#2] Id 3, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#3] Id 4, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#4] Id 5, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#5] Id 6, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#6] Id 7, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#7] Id 8, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#8] Id 9, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#9] Id 10, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#10] Id 11, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#11] Id 12, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#12] Id 13, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555cb7e59 → ff_mpeg_unref_picture(avctx=0x0, pic=0x555557598ba8)
[#1] 0x555555cbddf6 → ff_mpv_common_end(s=0x555557598740)
[#2] 0x55555567eca9 → ff_mpv_encode_end(avctx=0x55555758d8c0)
[#3] 0x555555e24b26 → avcodec_open2(avctx=0x55555758d8c0, codec=0x555556b75f20 <ff_mpeg4_encoder>, options=0x55555758d7d8)
[#4] 0x5555556ecdfc → init_output_stream(ost=<optimized out>, error=<optimized out>, error_len=0x400)
[#5] 0x5555556eec19 → reap_filters(flush=0x0)
[#6] 0x5555556f2d1e → transcode_step()
[#7] 0x5555556f2d1e → transcode()
[#8] 0x5555556cccfe → main(argc=0x4, argv=0x7fffffffdcb8)
[#9] 0x7ffff6dfebf7 → __libc_start_main(main=0x5555556ccbc0 <main>, argc=0x4, argv=0x7fffffffdcb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdca8)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
ff_mpeg_unref_picture (avctx=0x0, pic=pic@entry=0x555557598ba8) at libavcodec/mpegpicture.c:306
306	    if (avctx->codec_id != AV_CODEC_ID_WMV3IMAGE &&

PoC

linux64@ubuntu:~/hangs$ base64 test_001.avi
NBLHDw+AAAALNAMtECXUJR0UD4D/NA3/5Q==
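The trace above shows the shape of the defect: `avcodec_open2` fails early ("dimensions too large for MPEG-4"), the encoder's teardown still runs, and `ff_mpeg_unref_picture` reads `avctx->codec_id` while `avctx` is still NULL. The following C program is an added illustration of that pattern and of one defensive fix; it is not FFmpeg code and not the commit named later in this ticket. All type names, fields, the `MAX_MPEG4_DIM` limit and the scenario helpers are constructed for the example; the 4039x32783 dimensions are taken from the report's stream line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the libavcodec structures seen in the backtrace.
 * Names and fields are hypothetical; this is not FFmpeg's code. */
enum codec_id { CODEC_ID_MPEG4 = 1, CODEC_ID_WMV3IMAGE = 2 };

typedef struct Ctx { enum codec_id codec_id; int width, height; } Ctx;
typedef struct Pic { unsigned char *buf; } Pic;

#define NUM_PICS 2
#define MAX_MPEG4_DIM 4095   /* hypothetical limit used by the example's validation */

typedef struct EncState {
    Ctx *avctx;        /* attached only once init has validated the input; NULL before */
    Pic  pics[NUM_PICS];
    int  released;     /* counts buffers handed back, so the test can observe teardown */
} EncState;

void release_buffer(EncState *s, Pic *pic) {
    if (pic->buf) { free(pic->buf); pic->buf = NULL; s->released++; }
}

/* Same shape as the crashing frame: the codec-id test dereferences avctx
 * before anything checks that a context was ever attached. */
void unref_picture_buggy(EncState *s, Ctx *avctx, Pic *pic) {
    if (avctx->codec_id != CODEC_ID_WMV3IMAGE)   /* SEGV when avctx == NULL */
        release_buffer(s, pic);
}

/* Hardened variant: buffers allocated before the failure are still released,
 * but the per-codec decision is only consulted when a context exists. */
void unref_picture_fixed(EncState *s, Ctx *avctx, Pic *pic) {
    if (!pic->buf)
        return;                       /* nothing to release */
    if (!avctx || avctx->codec_id != CODEC_ID_WMV3IMAGE)
        release_buffer(s, pic);
}

void common_end_buggy(EncState *s) {
    for (int i = 0; i < NUM_PICS; i++)
        unref_picture_buggy(s, s->avctx, &s->pics[i]);
}

void common_end_fixed(EncState *s) {
    for (int i = 0; i < NUM_PICS; i++)
        unref_picture_fixed(s, s->avctx, &s->pics[i]);
}

/* Encoder init modelled on the trace: dimension validation fails before
 * s->avctx is assigned, yet teardown runs on the partially built state.
 * Returns 0 on success, -1 when the dimensions are rejected. */
int encode_init(EncState *s, Ctx *avctx, int hardened) {
    memset(s, 0, sizeof *s);
    s->pics[0].buf = malloc(16);      /* an early allocation teardown must free */
    if (avctx->width > MAX_MPEG4_DIM || avctx->height > MAX_MPEG4_DIM) {
        if (hardened)
            common_end_fixed(s);      /* avctx still NULL, handled */
        else
            common_end_buggy(s);      /* avctx still NULL: the ticket's crash */
        return -1;
    }
    s->avctx = avctx;
    return 0;
}

/* Oversize input with the hardened teardown. Returns buffers released (1),
 * or a negative code if the model misbehaves. */
int scenario_failed_init_hardened(void) {
    Ctx big = { CODEC_ID_MPEG4, 4039, 32783 };   /* dimensions from the report */
    EncState s;
    if (encode_init(&s, &big, 1) != -1) return -1;
    if (s.pics[0].buf != NULL) return -2;
    return s.released;
}

/* Valid input: even the legacy teardown is safe once avctx is attached. */
int scenario_valid_init(void) {
    Ctx ok = { CODEC_ID_MPEG4, 640, 480 };
    EncState s;
    if (encode_init(&s, &ok, 1) != 0) return -1;
    common_end_buggy(&s);
    return s.released;
}

int main(void) {
    printf("failed init, hardened teardown: released=%d\n", scenario_failed_init_hardened());
    printf("valid init, legacy teardown:    released=%d\n", scenario_valid_init());
    /* encode_init(&s, &big, 0) would reproduce the NULL read from the ASAN report. */
    return 0;
}
```

The point for reviewers of similar error paths: a teardown routine that is reachable from a failed initializer must tolerate every field the initializer had not yet set, and a test that drives init to each early `return` and then runs teardown under ASAN catches this class of regression before a fuzzer does.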

Attachments (1)

poc.avi (25 bytes) - added by AAA-zraxx 7 months ago.
poc


Change History (12)

by AAA-zraxx, 7 months ago

Attachment: poc.avi added

poc

comment:1 by Carl Eugen Hoyos, 7 months ago

Is the issue you see reproducible with current FFmpeg git head? This information is necessary for every valid ticket.

comment:2 by AAA-zraxx, 7 months ago

Sorry, I haven't tried it before. I find that this bug has been patched.

comment:3 by Carl Eugen Hoyos, 7 months ago

Keywords: crash SIGSEGV regression added
Reproduced by developer: set
Status: new → open

comment:4 by Marton Balint, 7 months ago

Cc: Marton Balint added

I suggest we simply revert the commit causing the issue, because the fix depends on several commits, not only the one you mentioned... Will do it in a few days.

comment:5 by mkver, 7 months ago

Resolution: fixed
Status: open → closed

This particular crash has already been fixed in 87d87e6587deec1fa8ed5f5c6901535becdb0358. I am therefore closing this.

See https://patchwork.ffmpeg.org/project/ffmpeg/patch/20201225154724.287465-5-andreas.rheinhardt@gmail.com/ for more regressions caused by this commit. I am currently preparing a new version of this patch(set).

comment:6 by Marton Balint, 7 months ago

Ok, I meant the revert only for the 4.3 branch, there I guess that is the simplest thing to do.

comment:7 by mkver, 7 months ago

Yeah, that seems fine.

comment:8 by Carl Eugen Hoyos, 7 months ago

Resolution: fixed
Status: closed → reopened

comment:9 by mkver, 7 months ago

Resolution: fixed
Status: reopened → closed

comment:10 by Carl Eugen Hoyos, 7 months ago

Which commit fixed this ticket?

comment:11 by Carl Eugen Hoyos, 7 months ago
