[FFmpeg-trac] #8859(avcodec:new): A heap-buffer-overflow in FFmpeg JIT code

FFmpeg trac at avcodec.org
Sat Aug 22 14:59:54 EEST 2020


#8859: A heap-buffer-overflow in FFmpeg JIT code
------------------------------------+-----------------------------------
             Reporter:  seviezhou   |                    Owner:
                 Type:  defect      |                   Status:  new
             Priority:  normal      |                Component:  avcodec
              Version:  git-master  |               Resolution:
             Keywords:  aac         |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+-----------------------------------

Comment (by seviezhou):

 Here is the output of ffmpeg_g; I am sorry for my previous post:

 {{{
 ffmpeg version N-98801-g3fc3d712a9 Copyright (c) 2000-2020 the FFmpeg
 developers
   built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
   configuration: --disable-shared --enable-debug=3 --disable-ffplay
 --disable-ffprobe --disable-doc --disable-asm --cc=clang --cxx=clang++
 --ld=clang --toolchain=clang-asan
   libavutil      56. 58.100 / 56. 58.100
   libavcodec     58.101.100 / 58.101.100
   libavformat    58. 51.100 / 58. 51.100
   libavdevice    58. 11.101 / 58. 11.101
   libavfilter     7. 87.100 /  7. 87.100
   libswscale      5.  8.100 /  5.  8.100
   libswresample   3.  8.100 /  3.  8.100
 [aac @ 0x61b000000080] Format aac detected only with low score of 1,
 misdetection possible!
 [aac @ 0x619000000580] More than one AAC RDB per ADTS frame is not
 implemented. Update your FFmpeg version to the newest one from Git. If the
 problem still occurs, it means that your file has a feature which has not
 been implemented.
 [aac @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS).
 [aac @ 0x619000000580] Error decoding AAC frame header.
 [aac @ 0x619000000580] Sample rate index in program config element does
 not match the sample rate index configured by the container.
 =================================================================
 ==36919==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x6240000055d0 at pc 0x0000027e9428 bp 0x7ffe1de34230 sp 0x7ffe1de34228
 READ of size 8 at 0x6240000055d0 thread T0
     #0 0x27e9427 in che_configure
 /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c
     #1 0x27db93d in output_configure
 /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:543:15
     #2 0x27ef51c in aac_decode_frame_int
 /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3312:23
     #3 0x27d7843 in aac_decode_frame
 /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c:3457:15
     #4 0x12659b8 in decode_simple_internal
 /home/seviezhou/ffmpeg/libavcodec/decode.c:342:15
     #5 0x12659b8 in decode_simple_receive_frame
 /home/seviezhou/ffmpeg/libavcodec/decode.c:538
     #6 0x12659b8 in decode_receive_frame_internal
 /home/seviezhou/ffmpeg/libavcodec/decode.c:556
     #7 0x12652cd in avcodec_send_packet
 /home/seviezhou/ffmpeg/libavcodec/decode.c:614:15
     #8 0xfabadf in try_decode_frame
 /home/seviezhou/ffmpeg/libavformat/utils.c:3111:19
     #9 0xfa3054 in avformat_find_stream_info
 /home/seviezhou/ffmpeg/libavformat/utils.c:3954:9
     #10 0x5181fa in open_input_file
 /home/seviezhou/ffmpeg/fftools/ffmpeg_opt.c:1186:15
     #11 0x516d6a in open_files
 /home/seviezhou/ffmpeg/fftools/ffmpeg_opt.c:3303:15
     #12 0x516795 in ffmpeg_parse_options
 /home/seviezhou/ffmpeg/fftools/ffmpeg_opt.c:3343:11
     #13 0x555d8f in main /home/seviezhou/ffmpeg/fftools/ffmpeg.c:4850:11
     #14 0x7fd409933b96 in __libc_start_main /build/glibc-
 OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
     #15 0x41df49 in _start (/home/seviezhou/ffmpeg/ffmpeg_g+0x41df49)

 Address 0x6240000055d0 is a wild pointer.
 SUMMARY: AddressSanitizer: heap-buffer-overflow
 /home/seviezhou/ffmpeg/libavcodec/aacdec_template.c in che_configure
 Shadow bytes around the buggy address:
   0x0c487fff8a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 =>0x0c487fff8ab0: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
   0x0c487fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c487fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==36919==ABORTING
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8859#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker