Opened 2 years ago

Closed 2 years ago

Last modified 18 months ago

#9517 closed defect (fixed)

Null pointer dereference

Reported by: Yu3H0 Owned by:
Priority: important Component: avformat
Version: git-master Keywords: mov crash
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
During fuzzing, I found a null pointer dereference (CWE-476) in the latest FFmpeg.
I have tested both the ffmpeg installed by `apt install` on Ubuntu 20.04 and the version built from commit 8c150d3d9794c29a54bbdf2f2a88066277c7197e.
How to reproduce:

fuzzer@757e029224c5:~$ ./FFmpeg/ffmpeg_g -ss 00:00:00 -i ./poc -frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
ffmpeg version N-104569-g08b4716a9e Copyright (c) 2000-2021 the FFmpeg developers
  built with Ubuntu clang version 11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
  configuration: --prefix=/home/fuzzer/ffmpeg_build --pkg-config-flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build/include -fno-omit-frame-pointer -g' --extra-cxxflags='-fno-omit-frame-pointer -g' --extra-ldflags=-L/home/fuzzer/ffmpeg_build/lib --extra-libs='-lpthread -lm' --bindir=/home/fuzzer/bin --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=hfuzz-clang --cxx=hfuzz-clang++ --enable-debug
  libavutil      57.  8.100 / 57.  8.100
  libavcodec     59. 12.100 / 59. 12.100
  libavformat    59.  9.100 / 59.  9.100
  libavdevice    59.  0.101 / 59.  0.101
  libavfilter     8. 16.102 /  8. 16.102
  libswscale      6.  1.100 /  6.  1.100
  libswresample   4.  0.100 /  4.  0.100
  libpostproc    56.  0.100 / 56.  0.100
[av1 @ 0x619000000a80] No sequence header available
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive), 320x240): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
AddressSanitizer:DEADLYSIGNAL
=================================================================
==180210==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000013c47e4 bp 0x000000000000 sp 0x7ffff17d6cc0 T0)
==180210==The signal is caused by a READ memory access.
==180210==Hint: address points to the zero page.
    #0 0x13c47e4 in mov_seek_fragment /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38
    #1 0x13c47e4 in mov_seek_stream /home/fuzzer/FFmpeg/libavformat/mov.c:8403:11
    #2 0x138ca8e in mov_read_seek /home/fuzzer/FFmpeg/libavformat/mov.c:8477:14
    #3 0x1605453 in seek_frame_internal /home/fuzzer/FFmpeg/libavformat/seek.c:616:15
    #4 0x1605453 in av_seek_frame /home/fuzzer/FFmpeg/libavformat/seek.c:648:11
    #5 0x1608c53 in avformat_seek_file /home/fuzzer/FFmpeg/libavformat/seek.c:700:19
    #6 0x4d5cf6 in open_input_file /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:1291:15
    #7 0x4ccfbb in open_files /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3466:15
    #8 0x4cc8d0 in ffmpeg_parse_options /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3506:11
    #9 0x524fd9 in main /home/fuzzer/FFmpeg/fftools/ffmpeg.c:4950:11
    #10 0x7fc1df1120b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x4226ad in _start (/home/fuzzer/FFmpeg/ffmpeg_g+0x4226ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38 in mov_seek_fragment
==180210==ABORTING

gdb result

(gdb) set args -ss 00:00:00 -i ./poc -frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
(gdb) r
Starting program: /home/fuzzer/TestFF/ffmpeg_g -ss 00:00:00 -i ./poc -frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-104591-g8c150d3d97 Copyright (c) 2000-2021 the FFmpeg developers
  built with Ubuntu clang version 11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
  configuration: --prefix=/home/fuzzer/ffmpeg_build_new --pkg-config-flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build_new/include -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-frame-pointer -g -fsanitize=address' --extra-ldflags='-L/home/fuzzer/ffmpeg_build_new/lib -fsanitize=address' --extra-libs='-lpthread -lm' --bindir=/home/fuzzer/bin_new --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
  libavutil      57.  9.100 / 57.  9.100
  libavcodec     59. 13.100 / 59. 13.100
  libavformat    59.  9.101 / 59.  9.101
  libavdevice    59.  0.101 / 59.  0.101
  libavfilter     8. 17.100 /  8. 17.100
  libswscale      6.  1.100 /  6.  1.100
  libswresample   4.  0.100 /  4.  0.100
  libpostproc    56.  0.100 / 56.  0.100
[av1 @ 0x619000000a80] No sequence header available
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive), 320x240): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options

Program received signal SIGSEGV, Segmentation fault.
0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080, st=<optimized out>, timestamp=0) at libavformat/mov.c:8384
8384	    if (!mov->frag_index.item[index].headers_read)
(gdb) bt
#0  0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080, st=<optimized out>, timestamp=0) at libavformat/mov.c:8384
#1  mov_seek_stream (s=0x617000000080, st=<optimized out>, st@entry=0x618000000080, timestamp=timestamp@entry=0, flags=flags@entry=1) at libavformat/mov.c:8403
#2  0x0000000000fa41dd in mov_read_seek (s=0x617000000080, stream_index=<optimized out>, sample_time=<optimized out>, flags=<optimized out>) at libavformat/mov.c:8477
#3  0x000000000115c62a in seek_frame_internal (s=0x617000000080, stream_index=0, timestamp=0, flags=1) at libavformat/seek.c:616
#4  av_seek_frame (s=0x617000000080, stream_index=<optimized out>, timestamp=<optimized out>, flags=1) at libavformat/seek.c:648
#5  0x000000000115d415 in avformat_seek_file (s=<optimized out>, stream_index=-1, min_ts=-9223372036854775808, ts=0, max_ts=0, flags=<optimized out>) at libavformat/seek.c:700
#6  0x00000000004cd3c1 in open_input_file (o=<optimized out>, filename=<optimized out>) at fftools/ffmpeg_opt.c:1292
#7  0x00000000004cbb24 in open_files (l=<optimized out>, inout=<optimized out>, open_file=<optimized out>) at fftools/ffmpeg_opt.c:3467
#8  0x00000000004cb556 in ffmpeg_parse_options (argc=<optimized out>, argv=0x7fffffffe538) at fftools/ffmpeg_opt.c:3507
#9  0x000000000050b799 in main (argc=11, argv=0x7fffffffe538) at fftools/ffmpeg.c:4955

Thank you

Yu3H0
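The gdb output above places the fault at `if (!mov->frag_index.item[index].headers_read)`, with the faulting address in the zero page: the fragment-index table is indexed before anything confirms that it exists. The block below is an added illustration of that defect class and of the guard that prevents it; it is not FFmpeg's code or the fix that was committed for this ticket. `FragIndex`, `FragItem`, `frag_index_search`, `seek_fragment` and the sample entries are all constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of a fragment index: a heap array of entries plus a
 * count. Not FFmpeg's MOVFragmentIndex; the names are illustrative only. */
typedef struct {
    int64_t time;         /* first timestamp covered by the fragment */
    int     headers_read; /* whether the fragment's headers were parsed */
} FragItem;

typedef struct {
    FragItem *item;       /* NULL when no fragment was ever indexed */
    int       nb_items;
} FragIndex;

enum { SEEK_OK = 0, SEEK_ERR_NO_INDEX = -1, SEEK_ERR_RANGE = -2 };

/* Binary search for the last fragment whose time <= ts; -1 if none.
 * Never touches item[] when nb_items == 0, so an empty table yields -1. */
static int frag_index_search(const FragIndex *idx, int64_t ts)
{
    int lo = 0, hi = idx->nb_items - 1, best = -1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (idx->item[mid].time <= ts) { best = mid; lo = mid + 1; }
        else hi = mid - 1;
    }
    return best;
}

/* The unsafe shape: the table is indexed before its existence is checked.
 * With item == NULL this reads from the zero page, the kind of SEGV the
 * sanitizer report above shows. Only ever call it with a populated index. */
static int seek_fragment_unguarded(const FragIndex *idx, int64_t ts)
{
    int index = frag_index_search(idx, ts);
    if (index < 0) index = 0;               /* fall back to the first fragment */
    return idx->item[index].headers_read;   /* NULL dereference if item == NULL */
}

/* The hardened shape: reject a missing or empty index and an out-of-range
 * search result before any element is dereferenced. */
static int seek_fragment(const FragIndex *idx, int64_t ts, int *headers_read)
{
    if (!idx || !idx->item || idx->nb_items <= 0)
        return SEEK_ERR_NO_INDEX;
    int index = frag_index_search(idx, ts);
    if (index < 0 || index >= idx->nb_items)
        return SEEK_ERR_RANGE;
    *headers_read = idx->item[index].headers_read;
    return SEEK_OK;
}

/* Constructed sample table: three fragments, the middle one not yet parsed. */
static FragItem sample_items[] = { {0, 1}, {1000, 0}, {2000, 1} };

/* The state behind the crash: a demuxer that indexed no fragments. */
static int demo_empty_index(void)
{
    FragIndex empty = { NULL, 0 };
    int hr = 0;
    return seek_fragment(&empty, 0, &hr);   /* SEEK_ERR_NO_INDEX, no crash */
}

/* Returns headers_read for the fragment covering ts, or the error code. */
static int demo_populated_index(int64_t ts)
{
    FragIndex idx = { sample_items, 3 };
    int hr = -1;
    int rc = seek_fragment(&idx, ts, &hr);
    return rc == SEEK_OK ? hr : rc;
}

int main(void)
{
    FragIndex idx = { sample_items, 3 };
    printf("empty index:  rc=%d\n", demo_empty_index());
    printf("ts=1500:      headers_read=%d\n", demo_populated_index(1500));
    printf("ts=-5:        rc=%d\n", demo_populated_index(-5));
    printf("unguarded, populated table, ts=1500: %d\n",
           seek_fragment_unguarded(&idx, 1500));
    return 0;
}
```

The guard costs two comparisons and turns a crash on a fuzzed input into an ordinary seek failure that the caller can report; the unguarded variant is left in only to make the difference visible.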

Attachments (1)

poc (2.0 KB ) - added by Yu3H0 2 years ago.
poc file


Change History (3)

by Yu3H0, 2 years ago

Attachment: poc added

poc file

comment:1 by Michael Niedermayer, 2 years ago

Resolution: fixed
Status: new → closed

comment:2 by Carl Eugen Hoyos, 18 months ago

Keywords: mov crash added; Null pointer dereference removed