[FFmpeg-trac] #7980(avcodec:open): heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp by null pointer or undefined-behavior libavformat/nutenc.c:794:27
FFmpeg
trac at avcodec.org
Mon Jul 1 14:53:08 EEST 2019
#7980: heap-buffer-overflow at ffmpeg/libavcodec/zmbvenc.c:97:30 in block_cmp by null pointer or undefined-behavior libavformat/nutenc.c:794:27
-------------------------------------+-------------------------------------
             Reporter:  Suhwan        |                    Owner:
                 Type:  defect        |                   Status:  open
             Priority:  important     |                Component:  avcodec
              Version:  git-master    |               Resolution:
             Keywords:  zmbv ubsan    |               Blocked By:
                        asan regression |
             Blocking:                |  Reproduced by developer:  1
Analyzed by developer:  0             |
-------------------------------------+-------------------------------------
Changes (by cehoyos):
* keywords: zmbv ubsan => zmbv ubsan asan regression
* status: new => open
* reproduced: 0 => 1
Comment:
The buffer overflow is a regression since 0321370601833f4ae47e8e11c44570ea4bd382a4
{{{
$ ffmpeg -i tmp.webm -vcodec zmbv -f null -
ffmpeg version N-94148-g4877b5869e Copyright (c) 2000-2019 the FFmpeg developers
built with gcc 9 (SUSE Linux)
configuration: --toolchain=gcc-asan
libavutil 56. 30.100 / 56. 30.100
libavcodec 58. 53.101 / 58. 53.101
libavformat 58. 28.101 / 58. 28.101
libavdevice 58. 7.100 / 58. 7.100
libavfilter 7. 55.100 / 7. 55.100
libswscale 5. 4.101 / 5. 4.101
libswresample 3. 4.100 / 3. 4.100
Input #0, matroska,webm, from 'tmp.webm':
Metadata:
encoder : Lavf53.17.0
Duration: 00:00:05.57, start: 0.000000, bitrate: 329 kb/s
Stream #0:0: Video: vp8, yuv420p(progressive), 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc (default)
Stream #0:1(eng): Audio: vorbis, 48000 Hz, mono, fltp (default)
Stream mapping:
Stream #0:0 -> #0:0 (vp8 (native) -> zmbv (native))
Stream #0:1 -> #0:1 (vorbis (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
Metadata:
encoder : Lavf58.28.101
Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc (default)
Metadata:
encoder : Lavc58.53.101 zmbv
Stream #0:1(eng): Audio: pcm_s16le, 48000 Hz, mono, s16, 768 kb/s (default)
Metadata:
encoder : Lavc58.53.101 pcm_s16le
=================================================================
==24243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1cc348e7f0 at pc 0x000001fa74f1 bp 0x7fff41dee710 sp 0x7fff41dee708
READ of size 1 at 0x7f1cc348e7f0 thread T0
#0 0x1fa74f0 in block_cmp src/libavcodec/zmbvenc.c:97
#1 0x1fa871b in zmbv_me src/libavcodec/zmbvenc.c:153
#2 0x1fa871b in encode_frame src/libavcodec/zmbvenc.c:242
#3 0x104c9b5 in avcodec_encode_video2 src/libavcodec/encode.c:296
#4 0x104d250 in do_encode src/libavcodec/encode.c:365
#5 0x104d65a in avcodec_send_frame src/libavcodec/encode.c:414
#6 0x5d9dfb in do_video_out src/fftools/ffmpeg.c:1287
#7 0x5dc553 in reap_filters src/fftools/ffmpeg.c:1504
#8 0x5ea71a in transcode_step src/fftools/ffmpeg.c:4648
#9 0x5ea71a in transcode src/fftools/ffmpeg.c:4692
#10 0x57df6b in main src/fftools/ffmpeg.c:4894
#11 0x7f1cd3812bca in __libc_start_main (/lib64/libc.so.6+0x26bca)
#12 0x592719 in _start (/mnt/sdb6/cehoyos/android/linux64/ffmpeg_g+0x592719)
0x7f1cc348e7f0 is located 16 bytes to the left of 763424-byte region [0x7f1cc348e800,0x7f1cc3548e20)
allocated by thread T0 here:
#0 0x7f1cd40944a5 in __interceptor_posix_memalign (/usr/lib64/libasan.so.5+0x10b4a5)
#1 0x29c4074 in av_malloc src/libavutil/mem.c:87
#2 0x29c4074 in av_mallocz src/libavutil/mem.c:238
SUMMARY: AddressSanitizer: heap-buffer-overflow src/libavcodec/zmbvenc.c:97 in block_cmp
Shadow bytes around the buggy address:
0x0fe418689ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe418689cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe418689cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe418689cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe418689ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe418689cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
0x0fe418689d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe418689d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe418689d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe418689d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe418689d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==24243==ABORTING
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/7980#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker