[FFmpeg-trac] #8716(avfilter:new): Heap buffer overflow in ff_dnn_load_model_native
FFmpeg
trac at avcodec.org
Sun Jun 7 11:26:33 EEST 2020
#8716: Heap buffer overflow in ff_dnn_load_model_native
-----------------------------------+--------------------------------------
Reporter: assafsion | Type: defect
Status: new | Priority: critical
Component: avfilter | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-----------------------------------+--------------------------------------
In dnn_backend_native.c the call to ff_dnn_load_model_native could cause a
heap buffer overflow due to a missing check of the variable
operand_index while accessing network->operands and setting the name. This
could cause a read buffer overflow and may be used as a primitive to leak
addresses or sensitive memory.
I compiled ffmpeg on Ubuntu 18.04 with the following configuration:
configuration: --cc=clang --extra-cflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --extra-ldflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --enable-debug --disable-asm --disable-optimizations --disable-shared --enable-libopenjpeg --enable-gpl --enable-libass --enable-libfdk-aac --enable-libmp3lame --enable-libopus --enable-libtheora --enable-libvorbis --enable-libvpx --enable-libx264 --enable-nonfree
The bug can be reproduced by running the following command line:
ffmpeg -v debug -i 10.jpg -vf format=rgb24,sr=dnn_backend=native:model=crash_dnn_backend_native_1 derain.jpg
The output after running the command:
ffmpeg version N-97806-gf603d10b1e Copyright (c) 2000-2020 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --extra-cflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --extra-ldflags='-O0 -g3 -fsanitize=address -Wno-error -fPIC' --enable-debug --disable-asm --disable-optimizations --disable-shared --enable-libopenjpeg --enable-gpl --enable-libass --enable-libfdk-aac --enable-libmp3lame --enable-libopus --enable-libtheora --enable-libvorbis --enable-libvpx --enable-libx264 --enable-nonfree
libavutil 56. 45.100 / 56. 45.100
libavcodec 58. 84.100 / 58. 84.100
libavformat 58. 43.100 / 58. 43.100
libavdevice 58. 9.103 / 58. 9.103
libavfilter 7. 81.100 / 7. 81.100
libswscale 5. 6.101 / 5. 6.101
libswresample 3. 6.100 / 3. 6.100
libpostproc 55. 6.100 / 55. 6.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument 'debug'.
Reading option '-i' ... matched as input url with argument '10.jpg'.
Reading option '-vf' ... matched as option 'vf' (set video filters) with
argument
'format=rgb24,sr=dnn_backend=native:model=crash_dnn_backend_native_1'.
Reading option 'derain.jpg' ... matched as output url.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument debug.
Successfully parsed a group of options.
Parsing a group of options: input url 10.jpg.
Successfully parsed a group of options.
Opening an input file: 10.jpg.
[NULL @ 0x61b000000080] Opening '10.jpg' for reading
[file @ 0x60c000000040] Setting default whitelist 'file,crypto,data'
[image2 @ 0x61b000000080] Format image2 probed with size=2048 and score=50
[image2 @ 0x61b000000080] Before avformat_find_stream_info() pos: 0 bytes
read:18522 seeks:0 nb_streams:1
[mjpeg @ 0x619000000580] marker=d8 avail_size_in_buf=18520
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=e0 avail_size_in_buf=18518
[mjpeg @ 0x619000000580] marker parser used 16 bytes (128 bits)
[mjpeg @ 0x619000000580] marker=e1 avail_size_in_buf=18500
[mjpeg @ 0x619000000580] marker parser used 12833 bytes (102664 bits)
[mjpeg @ 0x619000000580] marker=db avail_size_in_buf=5664
[mjpeg @ 0x619000000580] index=0
[mjpeg @ 0x619000000580] qscale[0]: 2
[mjpeg @ 0x619000000580] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000580] marker=db avail_size_in_buf=5595
[mjpeg @ 0x619000000580] index=1
[mjpeg @ 0x619000000580] qscale[1]: 8
[mjpeg @ 0x619000000580] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000580] marker=c0 avail_size_in_buf=5526
[mjpeg @ 0x619000000580] Changing bps from 0 to 8
[mjpeg @ 0x619000000580] sof0: picture: 432x173
[mjpeg @ 0x619000000580] component 0 1:1 id: 0 quant:0
[mjpeg @ 0x619000000580] component 1 1:1 id: 1 quant:1
[mjpeg @ 0x619000000580] component 2 1:1 id: 2 quant:1
[mjpeg @ 0x619000000580] pix fmt id 11111100
[mjpeg @ 0x619000000580] Format yuvj444p chosen by get_format().
[mjpeg @ 0x619000000580] marker parser used 17 bytes (136 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5507
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5478
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5420
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] marker=c4 avail_size_in_buf=5393
[mjpeg @ 0x619000000580] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000580] escaping removed 16 bytes
[mjpeg @ 0x619000000580] marker=da avail_size_in_buf=5360
[mjpeg @ 0x619000000580] marker parser used 5344 bytes (42752 bits)
[mjpeg @ 0x619000000580] marker=d9 avail_size_in_buf=0
[mjpeg @ 0x619000000580] decode frame unused 0 bytes
[image2 @ 0x61b000000080] After avformat_find_stream_info() pos: 18522
bytes read:18522 seeks:0 frames:1
Input #0, image2, from '10.jpg':
Duration: 00:00:00.04, start: 0.000000, bitrate: 3704 kb/s
Stream #0:0, 1, 1/25: Video: mjpeg (Baseline), 1 reference frame,
yuvj444p(pc, bt470bg/unknown/unknown, center), 432x173 [SAR 96:96 DAR
432:173], 0/1, 25 tbr, 25 tbn, 25 tbc
Successfully opened the file.
Parsing a group of options: output url derain.jpg.
Applying option vf (set video filters) with argument
format=rgb24,sr=dnn_backend=native:model=crash_dnn_backend_native_1.
Successfully parsed a group of options.
Opening an output file: derain.jpg.
Successfully opened the file.
Stream mapping:
Stream #0:0 -> #0:0 (mjpeg (native) -> mjpeg (native))
Press [q] to stop, [?] for help
cur_dts is invalid st:0 (0) [init:0 i_done:0 finish:0] (this is harmless
if it occurs once at the start per stream)
[mjpeg @ 0x619000000a80] marker=d8 avail_size_in_buf=18520
[mjpeg @ 0x619000000a80] marker parser used 0 bytes (0 bits)
[mjpeg @ 0x619000000a80] marker=e0 avail_size_in_buf=18518
[mjpeg @ 0x619000000a80] marker parser used 16 bytes (128 bits)
[mjpeg @ 0x619000000a80] marker=e1 avail_size_in_buf=18500
[mjpeg @ 0x619000000a80] marker parser used 12833 bytes (102664 bits)
[mjpeg @ 0x619000000a80] marker=db avail_size_in_buf=5664
[mjpeg @ 0x619000000a80] index=0
[mjpeg @ 0x619000000a80] qscale[0]: 2
[mjpeg @ 0x619000000a80] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000a80] marker=db avail_size_in_buf=5595
[mjpeg @ 0x619000000a80] index=1
[mjpeg @ 0x619000000a80] qscale[1]: 8
[mjpeg @ 0x619000000a80] marker parser used 67 bytes (536 bits)
[mjpeg @ 0x619000000a80] marker=c0 avail_size_in_buf=5526
[mjpeg @ 0x619000000a80] sof0: picture: 432x173
[mjpeg @ 0x619000000a80] component 0 1:1 id: 0 quant:0
[mjpeg @ 0x619000000a80] component 1 1:1 id: 1 quant:1
[mjpeg @ 0x619000000a80] component 2 1:1 id: 2 quant:1
[mjpeg @ 0x619000000a80] pix fmt id 11111100
[mjpeg @ 0x619000000a80] Format yuvj444p chosen by get_format().
[mjpeg @ 0x619000000a80] marker parser used 17 bytes (136 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5507
[mjpeg @ 0x619000000a80] class=0 index=0 nb_codes=8
[mjpeg @ 0x619000000a80] marker parser used 27 bytes (216 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5478
[mjpeg @ 0x619000000a80] class=1 index=0 nb_codes=226
[mjpeg @ 0x619000000a80] marker parser used 56 bytes (448 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5420
[mjpeg @ 0x619000000a80] class=0 index=1 nb_codes=6
[mjpeg @ 0x619000000a80] marker parser used 25 bytes (200 bits)
[mjpeg @ 0x619000000a80] marker=c4 avail_size_in_buf=5393
[mjpeg @ 0x619000000a80] class=1 index=1 nb_codes=82
[mjpeg @ 0x619000000a80] marker parser used 31 bytes (248 bits)
[mjpeg @ 0x619000000a80] escaping removed 16 bytes
[mjpeg @ 0x619000000a80] marker=da avail_size_in_buf=5360
[mjpeg @ 0x619000000a80] component: 0
[mjpeg @ 0x619000000a80] component: 1
[mjpeg @ 0x619000000a80] component: 2
[mjpeg @ 0x619000000a80] marker parser used 5343 bytes (42742 bits)
[mjpeg @ 0x619000000a80] marker=d9 avail_size_in_buf=0
[mjpeg @ 0x619000000a80] decode frame unused 0 bytes
detected 32 logical cores
[Parsed_format_0 @ 0x610000000040] Setting 'pix_fmts' to value 'rgb24'
[Parsed_sr_1 @ 0x610000000140] Setting 'dnn_backend' to value 'native'
[Parsed_sr_1 @ 0x610000000140] Setting 'model' to value
'crash_dnn_backend_native_1'
[file @ 0x60d000000040] Setting default whitelist 'file,crypto,data'
=================================================================
==95291==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x610000000a99 at pc 0x0000013b0b46 bp 0x7fffffff81e0 sp 0x7fffffff81d8
WRITE of size 1 at 0x610000000a99 thread T0
#0 0x13b0b45 in avio_get_str
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavformat/aviobuf.c:866:22
#1 0x130d50e in ff_dnn_load_model_native
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/dnn/dnn_backend_native.c:233:9
#2 0xe5802e in init
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/vf_sr.c:84:25
#3 0x6c56ca in avfilter_init_dict
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfilter.c:912:15
#4 0x6c6747 in avfilter_init_str
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/avfilter.c:1013:11
#5 0x74b4fe in create_filter
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/graphparser.c:149:11
#6 0x747826 in parse_filter
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/graphparser.c:192:11
#7 0x74685f in avfilter_graph_parse2
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavfilter/graphparser.c:427:20
#8 0x5687d7 in configure_filtergraph
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg_filter.c:1061:16
#9 0x5d66a3 in ifilter_send_frame
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2166:15
#10 0x5d5669 in send_frame_to_filters
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2247:15
#11 0x5d0f2b in decode_video
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2446:11
#12 0x59ba41 in process_input_packet
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:2600:19
#13 0x5be936 in process_input
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4491:5
#14 0x597af6 in transcode_step
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4611:11
#15 0x590da5 in transcode
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4665:15
#16 0x58efda in main
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/fftools/ffmpeg.c:4866:9
#17 0x7ffff2cb9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#18 0x423839 in _start
(/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg_g+0x423839)
Address 0x610000000a99 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/libavformat/aviobuf.c:866:22
in avio_get_str
Shadow bytes around the buggy address:
0x0c207fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c207fff8150: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==95291==ABORTING
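The defect the ticket describes is an operand index read from an untrusted model file and used to select network->operands[] before the name is copied into it. The following is an added illustration, not FFmpeg's code: a minimal loader over a constructed record format (little-endian count, then operand_index plus NUL-terminated name per record, modelled loosely on avio_rl32/avio_get_str) that validates the index against the declared count before writing, so a model like the one in the report is rejected instead of writing past the array. MAX_OPERANDS, NAME_LEN, Reader and the record layout are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAX_OPERANDS 8   /* hypothetical cap for this example */
#define NAME_LEN 128     /* per-operand name buffer */
typedef struct { char name[NAME_LEN]; } Operand;
typedef struct { const uint8_t *p, *end; } Reader;  /* stand-in for AVIOContext */
static int rl32(Reader *r, int32_t *out) {            /* little-endian int32, like avio_rl32 */
    if (r->end - r->p < 4) return -1;
    *out = (int32_t)(r->p[0] | r->p[1] << 8 | r->p[2] << 16 | (uint32_t)r->p[3] << 24);
    r->p += 4;
    return 0;
}
/* Copy a NUL-terminated string into dst, truncating, like avio_get_str. */
static int get_str(Reader *r, char *dst, size_t dstlen) {
    size_t i = 0;
    while (r->p < r->end) {
        uint8_t c = *r->p++;
        if (c == 0) { dst[i] = 0; return 0; }
        if (i < dstlen - 1) dst[i++] = (char)c;
    }
    return -1;  /* input ended before the terminator */
}
/* Parse "count, then (operand_index, name) records" into ops[operand_index].
 * Returns count on success, -1 on malformed input. The idx range check is the
 * one the ticket reports missing: without it ops[idx] is written out of bounds. */
int load_operands(const uint8_t *buf, size_t len, Operand *ops, int32_t max_ops) {
    Reader r = { buf, buf + len };
    int32_t nb, i;
    if (rl32(&r, &nb) < 0 || nb < 0 || nb > max_ops) return -1;
    memset(ops, 0, sizeof(*ops) * (size_t)nb);
    for (i = 0; i < nb; i++) {
        int32_t idx;
        if (rl32(&r, &idx) < 0) return -1;
        if (idx < 0 || idx >= nb) return -1;  /* untrusted index: reject */
        if (get_str(&r, ops[idx].name, sizeof(ops[idx].name)) < 0) return -1;
    }
    return nb;
}
/* Constructed sample inputs: a well-formed model and one whose index is out of range. */
int parses_valid_model(void) {
    static const uint8_t good[] = {2,0,0,0, 0,0,0,0,'i','n','p','u','t',0, 1,0,0,0,'c','o','n','v',0};
    Operand ops[MAX_OPERANDS];
    return load_operands(good, sizeof good, ops, MAX_OPERANDS) == 2 && !strcmp(ops[1].name, "conv");
}
int rejects_bad_index(void) {
    static const uint8_t bad[] = {1,0,0,0, 7,0,0,0, 'x',0};  /* index 7 but count 1 */
    Operand ops[MAX_OPERANDS];
    return load_operands(bad, sizeof bad, ops, MAX_OPERANDS) == -1;
}
```

Built with -fsanitize=address as in the report, dropping the idx check makes rejects_bad_index() reproduce the same class of heap-buffer-overflow write inside the string copy.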
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8716>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker