[FFmpeg-trac] #8960(avcodec:new): The function decode_frame in libavcodec/tiff.c has an uninitialized variable which may cause application crash
FFmpeg
trac at avcodec.org
Tue Nov 3 03:41:48 EET 2020
#8960: The function decode_frame in libavcodec/tiff.c has an uninitialized
variable which may cause application crash
----------------------------------+--------------------------------------
Reporter: 1vanChen | Type: defect
Status: new | Priority: important
Component: avcodec | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
----------------------------------+--------------------------------------
commit ae9a1a96982669926a4ecb92b066814f5f27dc38
{{{
$ ./ffmpeg_AV_CODEC_ID_TIFF_fuzzer_asan poc1
======================= INFO =========================
This binary is built for AFL-fuzz.
To run the target function on individual input(s) execute this:
./ffmpeg_AV_CODEC_ID_TIFF_fuzzer_asan < INPUT_FILE
or
./ffmpeg_AV_CODEC_ID_TIFF_fuzzer_asan INPUT_FILE1 [INPUT_FILE2 ... ]
To fuzz with afl-fuzz execute this:
afl-fuzz [afl-flags] ./ffmpeg_AV_CODEC_ID_TIFF_fuzzer_asan [-N]
afl-fuzz will run N iterations before re-spawning the process (default:
1000)
======================================================
Reading 21170 bytes from poc1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==13995==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001
(pc 0x0000006674d1 bp 0x7ffc9154b5c0 sp 0x7ffc9154b5a0 T0)
==13995==The signal is caused by a READ memory access.
==13995==Hint: address points to the zero page.
#0 0x6674d1 in bytestream_get_be32
/src/ffmpeg/libavcodec/bytestream.h:96:1
#1 0x6674d1 in bytestream2_get_be32u
/src/ffmpeg/libavcodec/bytestream.h:96:1
#2 0x6674d1 in bytestream2_get_be32
/src/ffmpeg/libavcodec/bytestream.h:96:1
#3 0x6674d1 in ff_tget_long /src/ffmpeg/libavcodec/tiff_common.c:51:44
#4 0x668b14 in ff_tget /src/ffmpeg/libavcodec/tiff_common.c:67:29
#5 0x6006e3 in decode_frame /src/ffmpeg/libavcodec/tiff.c:2002:25
#6 0x523428 in decode_simple_internal
/src/ffmpeg/libavcodec/decode.c:352:15
#7 0x52257e in decode_simple_receive_frame
/src/ffmpeg/libavcodec/decode.c:556:15
#8 0x4f75c4 in decode_receive_frame_internal
/src/ffmpeg/libavcodec/decode.c:576:15
#9 0x4f6e9e in avcodec_send_packet
/src/ffmpeg/libavcodec/decode.c:634:15
#10 0x4fcadb in compat_decode /src/ffmpeg/libavcodec/decode.c:769:15
#11 0x4d40dc in LLVMFuzzerTestOneInput
/src/ffmpeg/tools/target_dec_fuzzer.c:338:23
#12 0x1749bea in main (/mnt/disk/out/ffmpeg-
single/ffmpeg_AV_CODEC_ID_TIFF_fuzzer_asan+0x1749bea)
#13 0x7fe3803f783f in __libc_start_main /build/glibc-
e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
#14 0x41e198 in _start (/mnt/disk/out/ffmpeg-
single/ffmpeg_AV_CODEC_ID_TIFF_fuzzer_asan+0x41e198)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/ffmpeg/libavcodec/bytestream.h:96:1
in bytestream_get_be32
==13995==ABORTING
}}}
Compilation parameters:
{{{
#!/bin/bash -eux
export CC="/afl/afl-clang-fast"
export CXX="/afl/afl-clang-fast++"
export CFLAGS="-pthread -Wl,--no-as-needed -Wl,-ldl -Wl,-lm -Wno-unused-
command-line-argument -O3"
export CXXFLAGS="-stdlib=libc++ -pthread -Wl,--no-as-needed -Wl,-ldl
-Wl,-lm -Wno-unused-command-line-argument -O3"
export LIB_FUZZING_ENGINE="/libAFLDriver.a"
export ARCHITECTURE="x86_64"
export CFLAGS="$CFLAGS -fno-sanitize=vptr"
export CXXFLAGS="$CXXFLAGS -fno-sanitize=vptr"
#add llvm-coverage
export CFLAGS="$CFLAGS -fprofile-instr-generate -fcoverage-mapping"
export CXXFLAGS="$CXXFLAGS -fprofile-instr-generate -fcoverage-mapping"
# Build dependencies.
export FFMPEG_DEPS_PATH=$SRC/ffmpeg_deps
mkdir -p $FFMPEG_DEPS_PATH
export PATH="$FFMPEG_DEPS_PATH/bin:$PATH"
export LD_LIBRARY_PATH="$FFMPEG_DEPS_PATH/lib"
export AFL_LLVM_LAF_SPLIT_SWITCHES=1
export AFL_LLVM_LAF_SPLIT_COMPARES=1
cd $SRC
bzip2 -f -d alsa-lib-*
tar xf alsa-lib-*
cd alsa-lib-*
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-shared
make clean
make -j$(nproc) all
make install
cd $SRC/fdk-aac
autoreconf -fiv
CXXFLAGS="$CXXFLAGS -fno-sanitize=shift-base,signed-integer-overflow" \
./configure --prefix="$FFMPEG_DEPS_PATH" --disable-shared
make clean
make -j$(nproc) all
make install
cd $SRC/libXext
./autogen.sh
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
make clean
make -j$(nproc)
make install
cd $SRC/libXfixes
./autogen.sh
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
make clean
make -j$(nproc)
make install
cd $SRC/libva
./autogen.sh
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-shared
make clean
make -j$(nproc) all
make install
cd $SRC/libvdpau
./autogen.sh
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-shared
make clean
make -j$(nproc) all
make install
cd $SRC/libvpx
LDFLAGS="$CXXFLAGS" ./configure --prefix="$FFMPEG_DEPS_PATH" \
--disable-examples --disable-unit-tests \
--size-limit=12288x12288 \
--extra-cflags="-DVPX_MAX_ALLOCABLE_MEMORY=1073741824"
make clean
make -j$(nproc) all
make install
cd $SRC/ogg
./autogen.sh
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-crc
make clean
make -j$(nproc)
make install
cd $SRC/opus
./autogen.sh
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
make clean
make -j$(nproc) all
make install
cd $SRC/theora
# theora requires ogg, need to pass its location to the "configure"
script.
CFLAGS="$CFLAGS -fPIC" LDFLAGS="-L$FFMPEG_DEPS_PATH/lib/" \
CPPFLAGS="$CXXFLAGS -I$FFMPEG_DEPS_PATH/include/" \
LD_LIBRARY_PATH="$FFMPEG_DEPS_PATH/lib/" \
./autogen.sh
./configure --with-ogg="$FFMPEG_DEPS_PATH" --prefix="$FFMPEG_DEPS_PATH" \
--enable-static --disable-examples
make clean
make -j$(nproc)
make install
cd $SRC/vorbis
./autogen.sh
./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
make clean
make -j$(nproc)
make install
# Remove shared libraries to avoid accidental linking against them.
rm $FFMPEG_DEPS_PATH/lib/*.so
rm $FFMPEG_DEPS_PATH/lib/*.so.*
export AFL_USE_ASAN=1
cd $SRC/ffmpeg
make clean
PKG_CONFIG_PATH="$FFMPEG_DEPS_PATH/lib/pkgconfig" ./configure \
--cc=$CC --cxx=$CXX --ld="$CXX $CXXFLAGS -std=c++11" \
--extra-cflags="-I$FFMPEG_DEPS_PATH/include" \
--extra-ldflags="-L$FFMPEG_DEPS_PATH/lib" \
--extra-ldflags="-L/afl/" \
--prefix="$FFMPEG_DEPS_PATH" \
--pkg-config-flags="--static" \
--libfuzzer=$LIB_FUZZING_ENGINE \
--optflags=-O1 \
--enable-gpl \
--enable-libass \
--enable-libfdk-aac \
--enable-libfreetype \
--enable-libopus \
--enable-libtheora \
--enable-libvorbis \
--enable-libvpx \
--enable-nonfree \
--disable-muxers \
--disable-protocols \
--disable-demuxer=rtp,rtsp,sdp \
--disable-devices \
--disable-shared --enable-cross-compile
make clean
make -j$(nproc) install
# Build the fuzzers.
cd $SRC/ffmpeg
FUZZ_TARGET_SOURCE=$SRC/ffmpeg/tools/target_dec_fuzzer.c
export TEMP_VAR_CODEC="TIFF"
export TEMP_VAR_CODEC_TYPE="VIDEO"
# Build fuzzers for decoders.
fuzzer_name=ffmpeg_AV_CODEC_ID_${TEMP_VAR_CODEC}_fuzzer
symbol=`echo $TEMP_VAR_CODEC | sed "s/.*/\L\0/"`
make tools/target_dec_${symbol}_fuzzer
mv tools/target_dec_${symbol}_fuzzer $OUT/${fuzzer_name}_asan
}}}
Credit: 1vanChen of NSFOCUS Security Team
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8960>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list