Opened 2 months ago

#9517 new defect

Null pointer dereference

Reported by: Yu3H0 Owned by:
Priority: important Component: avformat
Version: git-master Keywords: Null pointer dereference
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
During fuzzing, I found a null pointer dereference (CWE-476) in the latest FFmpeg.
I have tested in the ffmpeg installed by Ubuntu 2004 apt install and the version with a commit of 8c150d3d9794c29a54bbdf2f2a88066277c7197e both.
How to reproduce:

fuzzer@757e029224c5:~$ ./FFmpeg/ffmpeg_g -ss 00:00:00 -i ./poc -frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
ffmpeg version N-104569-g08b4716a9e Copyright (c) 2000-2021 the FFmpeg developers
  built with Ubuntu clang version 11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
  configuration: --prefix=/home/fuzzer/ffmpeg_build --pkg-config-flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build/include -fno-omit-frame-pointer -g' --extra-cxxflags='-fno-omit-frame-pointer -g' --extra-ldflags=-L/home/fuzzer/ffmpeg_build/lib --extra-libs='-lpthread -lm' --bindir=/home/fuzzer/bin --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=hfuzz-clang --cxx=hfuzz-clang++ --enable-debug
  libavutil      57.  8.100 / 57.  8.100
  libavcodec     59. 12.100 / 59. 12.100
  libavformat    59.  9.100 / 59.  9.100
  libavdevice    59.  0.101 / 59.  0.101
  libavfilter     8. 16.102 /  8. 16.102
  libswscale      6.  1.100 /  6.  1.100
  libswresample   4.  0.100 /  4.  0.100
  libpostproc    56.  0.100 / 56.  0.100
[av1 @ 0x619000000a80] No sequence header available
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive), 320x240): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
AddressSanitizer:DEADLYSIGNAL
=================================================================
==180210==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000013c47e4 bp 0x000000000000 sp 0x7ffff17d6cc0 T0)
==180210==The signal is caused by a READ memory access.
==180210==Hint: address points to the zero page.
    #0 0x13c47e4 in mov_seek_fragment /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38
    #1 0x13c47e4 in mov_seek_stream /home/fuzzer/FFmpeg/libavformat/mov.c:8403:11
    #2 0x138ca8e in mov_read_seek /home/fuzzer/FFmpeg/libavformat/mov.c:8477:14
    #3 0x1605453 in seek_frame_internal /home/fuzzer/FFmpeg/libavformat/seek.c:616:15
    #4 0x1605453 in av_seek_frame /home/fuzzer/FFmpeg/libavformat/seek.c:648:11
    #5 0x1608c53 in avformat_seek_file /home/fuzzer/FFmpeg/libavformat/seek.c:700:19
    #6 0x4d5cf6 in open_input_file /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:1291:15
    #7 0x4ccfbb in open_files /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3466:15
    #8 0x4cc8d0 in ffmpeg_parse_options /home/fuzzer/FFmpeg/fftools/ffmpeg_opt.c:3506:11
    #9 0x524fd9 in main /home/fuzzer/FFmpeg/fftools/ffmpeg.c:4950:11
    #10 0x7fc1df1120b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x4226ad in _start (/home/fuzzer/FFmpeg/ffmpeg_g+0x4226ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzzer/FFmpeg/libavformat/mov.c:8384:38 in mov_seek_fragment
==180210==ABORTING

gdb result

(gdb) set args -ss 00:00:00 -i ./poc -frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
(gdb) r
Starting program: /home/fuzzer/TestFF/ffmpeg_g -ss 00:00:00 -i ./poc -frames 1 -vf "select=not(mod(n\,3)),scale=320:240,tile=2x3" out1.png -y
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-104591-g8c150d3d97 Copyright (c) 2000-2021 the FFmpeg developers
  built with Ubuntu clang version 11.1.0-++20210204121720+1fdec59bffc1-1~exp1~20210203232336.162
  configuration: --prefix=/home/fuzzer/ffmpeg_build_new --pkg-config-flags=--static --extra-cflags='-I/home/fuzzer/ffmpeg_build_new/include -fno-omit-frame-pointer -g -fsanitize=address' --extra-cxxflags='-fno-omit-frame-pointer -g -fsanitize=address' --extra-ldflags='-L/home/fuzzer/ffmpeg_build_new/lib -fsanitize=address' --extra-libs='-lpthread -lm' --bindir=/home/fuzzer/bin_new --enable-gpl --enable-gnutls --enable-libass --enable-libfdk-aac --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree --cc=clang --cxx=clang++ --enable-debug
  libavutil      57.  9.100 / 57.  9.100
  libavcodec     59. 13.100 / 59. 13.100
  libavformat    59.  9.101 / 59.  9.101
  libavdevice    59.  0.101 / 59.  0.101
  libavfilter     8. 17.100 /  8. 17.100
  libswscale      6.  1.100 /  6.  1.100
  libswresample   4.  0.100 /  4.  0.100
  libpostproc    56.  0.100 / 56.  0.100
[av1 @ 0x619000000a80] No sequence header available
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x617000000080] Could not find codec parameters for stream 0 (Video: av1 (av01 / 0x31307661), none(tv, progressive), 320x240): unspecified pixel format
Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options

Program received signal SIGSEGV, Segmentation fault.
0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080, st=<optimized out>, timestamp=0) at libavformat/mov.c:8384
8384	    if (!mov->frag_index.item[index].headers_read)
(gdb) bt
#0  0x0000000000fcd5f2 in mov_seek_fragment (s=0x617000000080, st=<optimized out>, timestamp=0) at libavformat/mov.c:8384
#1  mov_seek_stream (s=0x617000000080, st=<optimized out>, st@entry=0x618000000080, timestamp=timestamp@entry=0, flags=flags@entry=1) at libavformat/mov.c:8403
#2  0x0000000000fa41dd in mov_read_seek (s=0x617000000080, stream_index=<optimized out>, sample_time=<optimized out>, flags=<optimized out>) at libavformat/mov.c:8477
#3  0x000000000115c62a in seek_frame_internal (s=0x617000000080, stream_index=0, timestamp=0, flags=1) at libavformat/seek.c:616
#4  av_seek_frame (s=0x617000000080, stream_index=<optimized out>, timestamp=<optimized out>, flags=1) at libavformat/seek.c:648
#5  0x000000000115d415 in avformat_seek_file (s=<optimized out>, stream_index=-1, min_ts=-9223372036854775808, ts=0, max_ts=0, flags=<optimized out>) at libavformat/seek.c:700
#6  0x00000000004cd3c1 in open_input_file (o=<optimized out>, filename=<optimized out>) at fftools/ffmpeg_opt.c:1292
#7  0x00000000004cbb24 in open_files (l=<optimized out>, inout=<optimized out>, open_file=<optimized out>) at fftools/ffmpeg_opt.c:3467
#8  0x00000000004cb556 in ffmpeg_parse_options (argc=<optimized out>, argv=0x7fffffffe538) at fftools/ffmpeg_opt.c:3507
#9  0x000000000050b799 in main (argc=11, argv=0x7fffffffe538) at fftools/ffmpeg.c:4955

Thank you

Yu3H0

Attachments (1)

poc (2.0 KB ) - added by Yu3H0 2 months ago.
poc file

Download all attachments as: .zip

Change History (1)

by Yu3H0, 2 months ago

Attachment: poc added

poc file

Note: See TracTickets for help on using tickets.