[FFmpeg-trac] #8859(avcodec:new): A heap-buffer-overflow in FFmpeg JIT code
FFmpeg
trac at avcodec.org
Sat Aug 22 14:59:54 EEST 2020
#8859: A heap-buffer-overflow in FFmpeg JIT code
------------------------------------+-----------------------------------
Reporter: seviezhou | Owner:
Type: defect | Status: new
Priority: normal | Component: avcodec
Version: git-master | Resolution:
Keywords: aac | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+-----------------------------------
Comment (by seviezhou):
Here is the output of ffmpeg_g, I am sorry for my previous post:
{{{
ffmpeg version N-98801-g3fc3d712a9 Copyright (c) 2000-2020 the FFmpeg
developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --disable-shared --enable-debug=3 --disable-ffplay
--disable-ffprobe --disable-doc --disable-asm --cc=clang --cxx=clang++
--ld=clang --toolchain=clang-asan
libavutil 56. 58.100 / 56. 58.100
libavcodec 58.101.100 / 58.101.100
libavformat 58. 51.100 / 58. 51.100
libavdevice 58. 11.101 / 58. 11.101
libavfilter 7. 87.100 / 7. 87.100
libswscale 5. 8.100 / 5. 8.100
libswresample 3. 8.100 / 3. 8.100
[aac @ 0x61b000000080] Format aac detected only with low score of 1,
misdetection possible!
[aac @ 0x619000000580] More than one AAC RDB per ADTS frame is not
implemented. Update your FFmpeg version to the newest one from Git. If the
problem still occurs, it means that your file has a feature which has not
been implemented.
[aac @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS).
[aac @ 0x619000000580] Error decoding AAC frame header.
[aac @ 0x619000000580] Sample rate index in program config element does
not match the sample rate index configured by the container.
=================================================================
==36919==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6240000055d0 at pc 0x0000027e9428 bp 0x7ffe1de34230 sp 0x7ffe1de34228
READ of size 8 at 0x6240000055d0 thread T0
#0 0x27e9427 in che_configure
/home/seviezhou/ffmpeg/libavcodec/aacdec_template.c
#1 0x27db93d in output_configure
/home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:543:15
#2 0x27ef51c in aac_decode_frame_int
/home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3312:23
#3 0x27d7843 in aac_decode_frame
/home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3457:15
#4 0x12659b8 in decode_simple_internal
/home/seviezhou/ffmpeg/libavcodec/decode.c:342:15
#5 0x12659b8 in decode_simple_receive_frame
/home/seviezhou/ffmpeg/libavcodec/decode.c:538
#6 0x12659b8 in decode_receive_frame_internal
/home/seviezhou/ffmpeg/libavcodec/decode.c:556
#7 0x12652cd in avcodec_send_packet
/home/seviezhou/ffmpeg/libavcodec/decode.c:614:15
#8 0xfabadf in try_decode_frame
/home/seviezhou/ffmpeg/libavformat/utils.c:3111:19
#9 0xfa3054 in avformat_find_stream_info
/home/seviezhou/ffmpeg/libavformat/utils.c:3954:9
#10 0x5181fa in open_input_file
/home/seviezhou/ffmpeg/fftools/ffmpeg_opt.c:1186:15
#11 0x516d6a in open_files
/home/seviezhou/ffmpeg/fftools/ffmpeg_opt.c:3303:15
#12 0x516795 in ffmpeg_parse_options
/home/seviezhou/ffmpeg/fftools/ffmpeg_opt.c:3343:11
#13 0x555d8f in main /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4850:11
#14 0x7fd409933b96 in __libc_start_main /build/glibc-
OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41df49 in _start (/home/seviezhou/ffmpeg/ffmpeg_g+0x41df49)
Address 0x6240000055d0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/seviezhou/ffmpeg/libavcodec/aacdec_template.c in che_configure
Shadow bytes around the buggy address:
0x0c487fff8a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c487fff8ab0: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
0x0c487fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==36919==ABORTING
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8859#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker