[FFmpeg-trac] #8672(avformat:new): UAF while parsing m3u8 files ( in av_probe_input_format3)

FFmpeg trac at avcodec.org
Wed May 13 18:41:39 EEST 2020


#8672: UAF while parsing m3u8 files ( in av_probe_input_format3)
-----------------------------------+--------------------------------------
             Reporter:  assafsion  |                     Type:  defect
               Status:  new        |                 Priority:  important
            Component:  avformat   |                  Version:  git-master
             Keywords:             |               Blocked By:
             Blocking:             |  Reproduced by developer:  0
Analyzed by developer:  0          |
-----------------------------------+--------------------------------------
 While trying to parse a crafted m3u8 playlist file:
 ffmpeg -i input_file

 ffmpeg version N-97763-g353aecbb28 Copyright (c) 2000-2020 the FFmpeg
 developers
   built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
   configuration: --cc=clang --extra-cflags='-O2 -g3 -fsanitize=address
 -fno-omit-frame-pointer -Wno-error' --extra-ldflags='-O2 -g3
 -fsanitize=address -fno-omit-frame-pointer -Wno-error' --enable-debug
 --prefix=/home/cyber/VulnResearch/ffmpeg/clean/out_2
   libavutil      56. 45.100 / 56. 45.100
   libavcodec     58. 84.100 / 58. 84.100
   libavformat    58. 43.100 / 58. 43.100
   libavdevice    58.  9.103 / 58.  9.103
   libavfilter     7. 80.100 /  7. 80.100
   libswscale      5.  6.101 /  5.  6.101
   libswresample   3.  6.100 /  3.  6.100
 Splitting the commandline.
 Reading option '-v' ... matched as option 'v' (set logging level) with
 argument '9'.
 Reading option '-loglevel' ... matched as option 'loglevel' (set logging
 level) with argument '99'.
 Reading option '-i' ... matched as input url with argument './bug.m3u8'.
 Reading option 'out.avi' ... matched as output url.
 Finished splitting the commandline.
 Parsing a group of options: global .
 Applying option v (set logging level) with argument 9.
 Successfully parsed a group of options.
 Parsing a group of options: input url ./bug.m3u8.
 Successfully parsed a group of options.
 Opening an input file: ./bug.m3u8.
 [NULL @ 0x61b000000080] Opening './bug.m3u8' for reading
 [file @ 0x610000000040] Setting default whitelist 'file,crypto,data'
 Probing hls score:100 size:112
 [hls @ 0x61b000000080] Format hls probed with size=2048 and score=100
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [hls @ 0x61b000000080] new_program: id=0x0000
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000000200] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] HLS request for url './au_to0.ts', offset 0,
 playlist 0
 [hls @ 0x61b000000080] Opening './au_to0.ts' for reading
 [hls @ 0x61b000000080] Failed to open segment 0 of playlist 0
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x6130000003c0] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000000580] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000000740] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000000900] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000000ac0] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000000c80] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000000e40] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000001000] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x6130000011c0] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000001380] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000001540] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x613000001700] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x6130000018c0] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 (snippet)
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x61300001f300] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x61300001f4c0] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x61300001f680] Statistics: 112 bytes read, 0 seeks
 [hls @ 0x61b000000080] Opening './bug.m3u8' for reading
 [hls @ 0x61b000000080] Skip ('#EXT-X-VERSION:3')
 [hls @ 0x61b000000080] Skip ('#EXT-X-TARGETDURATION��   #EXT-X-MEDIA-
 SEQUENCE:0')
 [AVIOContext @ 0x61300001f840] Statistics: 112 bytes read, 0 seeks
 =================================================================
 ==123139==ERROR: AddressSanitizer: heap-use-after-free on address
 0x602000000510 at pc 0x00000047dba8 bp 0x7fff6d502d10 sp 0x7fff6d5024c0
 READ of size 2 at 0x602000000510 thread T0
     #0 0x47dba7
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x47dba7)
     #1 0xcb7da4
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcb7da4)
     #2 0xcb87e8
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcb87e8)
     #3 0xcb8a75
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcb8a75)
     #4 0xcd4655
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcd4655)
     #5 0xf7a27b
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xf7a27b)
     #6 0x51a007
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x51a007)
     #7 0x518e06
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518e06)
     #8 0x518855
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518855)
     #9 0x55799f in main
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x55799f)
     #10 0x7f02af8c6b96 in __libc_start_main /build/glibc-
 OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
     #11 0x420009 in _init
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x420009)

 0x602000000510 is located 0 bytes inside of 12-byte region
 [0x602000000510,0x60200000051c)
 freed by thread T0 here:
     #0 0x4dfcf0 in __interceptor_free
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x4dfcf0)
     #1 0xcdb258
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcdb258)
     #2 0xcdcb4c
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcdcb4c)
     #3 0xc41d25
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xc41d25)

 previously allocated by thread T0 here:
     #0 0x4e0340 in __interceptor_realloc
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x4e0340)
     #1 0x394dee8
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x394dee8)
     #2 0xcd34b2
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xcd34b2)
     #3 0xf7a27b
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0xf7a27b)
     #4 0x51a007
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x51a007)
     #5 0x518e06
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518e06)
     #6 0x518855
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x518855)
     #7 0x55799f in main
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x55799f)
     #8 0x7f02af8c6b96 in __libc_start_main /build/glibc-
 OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

 SUMMARY: AddressSanitizer: heap-use-after-free
 (/home/cyber/VulnResearch/ffmpeg/clean/13_5_ffmpeg/FFmpeg/ffmpeg+0x47dba7)
 Shadow bytes around the buggy address:
   0x0c047fff8050: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
   0x0c047fff8060: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
   0x0c047fff8070: fa fa fd fd fa fa 00 06 fa fa 02 fa fa fa 00 00
   0x0c047fff8080: fa fa 02 fa fa fa 00 03 fa fa fd fd fa fa 00 01
   0x0c047fff8090: fa fa 03 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
 =>0x0c047fff80a0: fa fa[fd]fd fa fa fd fa fa fa 00 fa fa fa 00 00
   0x0c047fff80b0: fa fa 02 fa fa fa 00 00 fa fa 03 fa fa fa fd fd
   0x0c047fff80c0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
   0x0c047fff80d0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
   0x0c047fff80e0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
   0x0c047fff80f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==123139==ABORTING


 This inside av_probe_input_format3 while accessing the pointer
 lpd.filename at line 168 (format.c). During the call to parse_playlist you
 free this pointer (hls.c:949, a call to free_segment_dynarray).

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8672>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker


More information about the FFmpeg-trac mailing list