[FFmpeg-trac] #9161(avcodec:new): null pointer dereference in ff_mpeg_unref_picture (libavcodec/mpegpicture.c)
FFmpeg
trac@avcodec.org
Thu Mar 25 07:52:36 EET 2021
#9161: null pointer dereference in ff_mpeg_unref_picture (libavcodec/mpegpicture.c)
-----------------------------------+-------------------------------------
Reporter: AAA-zraxx | Type: defect
Status: new | Priority: important
Component: avcodec | Version: 4.3.2
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-----------------------------------+-------------------------------------
== Summary ==
During fuzzing, we found a null pointer dereference (CWE-476) in the
latest FFmpeg/libavcodec.
== Test Version ==
{{{
$ git log | head -n 4
commit f719f869907764e6412a6af6e178c46e5f915d25
Author: Michael Niedermayer <michael@niedermayer.cc>
Date:   Sat Feb 20 14:22:23 2021 +0100
}}}
== Reproduce & ASAN Report ==
{{{
linux64@ubuntu:~/ffmpeg-afl$ ./ffmpeg_g -i ../hangs/test_001.avi output_001.mp4
ffmpeg version 4.3.2-c872040 Copyright (c) 2000-2021 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --enable-debug --cc=afl-clang
  libavutil      56. 51.100 / 56. 51.100
  libavcodec     58. 91.100 / 58. 91.100
  libavformat    58. 45.100 / 58. 45.100
  libavdevice    58. 10.100 / 58. 10.100
  libavfilter     7. 85.100 /  7. 85.100
  libswscale      5.  7.100 /  5.  7.100
  libswresample   3.  7.100 /  3.  7.100
[pictor_pipe @ 0x61b000000080] Format pictor_pipe detected only with low score of 12, misdetection possible!
Input #0, pictor_pipe, from '../hangs/test_001.avi':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: pictor, pal8, 4039x32783, 25 tbr, 25 tbn, 25 tbc
File 'output_001.mp4' already exists. Overwrite? [y/N] y
Stream mapping:
  Stream #0:0 -> #0:0 (pictor (native) -> mpeg4 (native))
Press [q] to stop, [?] for help
[mpeg4 @ 0x619000001e80] dimensions too large for MPEG-4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==41208==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000378e8b5 bp 0x7ffc7f2c7bb0 sp 0x7ffc7f2c7120 T0)
==41208==The signal is caused by a READ memory access.
==41208==Hint: address points to the zero page.
    #0 0x378e8b4 in ff_mpeg_unref_picture /home/linux64/ffmpeg-c872040/libavcodec/mpegpicture.c:306:50
    #1 0x37ac423 in ff_mpv_common_end /home/linux64/ffmpeg-c872040/libavcodec/mpegvideo.c:1163:5
    #2 0x382abfc in ff_mpv_encode_end /home/linux64/ffmpeg-c872040/libavcodec/mpegvideo_enc.c:1074:5
    #3 0x466fa69 in avcodec_open2 /home/linux64/ffmpeg-c872040/libavcodec/utils.c:1029:9
    #4 0x5dd479 in init_output_stream /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:3476:20
    #5 0x5eaf0a in reap_filters /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:1432:19
    #6 0x5b6a0f in transcode_step /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4621:12
    #7 0x5b6a0f in transcode /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4665
    #8 0x5a161e in main /home/linux64/ffmpeg-c872040/fftools/ffmpeg.c:4870:9
    #9 0x7ff15e466bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41d159 in _start (/home/linux64/ffmpeg-afl/ffmpeg_g+0x41d159)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/linux64/ffmpeg-c872040/libavcodec/mpegpicture.c:306:50 in ff_mpeg_unref_picture
==41208==ABORTING
}}}
== GDB Output (compiled with gcc) ==
{{{
[#0] Id 1, Name: "ffmpeg_g", stopped 0x555555cb7e59 in ff_mpeg_unref_picture (), reason: SIGSEGV
[#1] Id 2, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#2] Id 3, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#3] Id 4, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#4] Id 5, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#5] Id 6, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#6] Id 7, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#7] Id 8, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#8] Id 9, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#9] Id 10, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#10] Id 11, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#11] Id 12, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
[#12] Id 13, Name: "ffmpeg_g", stopped 0x7ffff71dbad3 in futex_wait_cancelable (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555cb7e59 → ff_mpeg_unref_picture(avctx=0x0, pic=0x555557598ba8)
[#1] 0x555555cbddf6 → ff_mpv_common_end(s=0x555557598740)
[#2] 0x55555567eca9 → ff_mpv_encode_end(avctx=0x55555758d8c0)
[#3] 0x555555e24b26 → avcodec_open2(avctx=0x55555758d8c0, codec=0x555556b75f20 <ff_mpeg4_encoder>, options=0x55555758d7d8)
[#4] 0x5555556ecdfc → init_output_stream(ost=<optimized out>, error=<optimized out>, error_len=0x400)
[#5] 0x5555556eec19 → reap_filters(flush=0x0)
[#6] 0x5555556f2d1e → transcode_step()
[#7] 0x5555556f2d1e → transcode()
[#8] 0x5555556cccfe → main(argc=0x4, argv=0x7fffffffdcb8)
[#9] 0x7ffff6dfebf7 → __libc_start_main(main=0x5555556ccbc0 <main>, argc=0x4, argv=0x7fffffffdcb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdca8)
────────────────────────────────────────────────────────────────────────────────────
ff_mpeg_unref_picture (avctx=0x0, pic=pic@entry=0x555557598ba8) at libavcodec/mpegpicture.c:306
306         if (avctx->codec_id != AV_CODEC_ID_WMV3IMAGE &&
}}}
== PoC ==
{{{
linux64@ubuntu:~/hangs$ base64 test_001.avi
NBLHDw+AAAALNAMtECXUJR0UD4D/NA3/5Q==
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/9161>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
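The backtraces above show avcodec_open2 running ff_mpv_encode_end right after the encoder logged "dimensions too large for MPEG-4", and ff_mpeg_unref_picture being entered with avctx=0x0, i.e. teardown executing against state that init never finished populating. The following is an added example, not FFmpeg's code and not taken from the ticket: a hypothetical, stripped-down model of that init/cleanup ordering, with the picture-unref routine shown both as the trace reports it (unconditional dereference of the context pointer) and in a NULL-tolerant form that survives a failed init. Every name in it (Encoder, AVCtx, MAX_DIM, CODEC_ID_IMAGE_ONLY, try_dimensions) is invented for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an encoder context; names are invented and this
 * is not libavcodec's MpegEncContext or AVCodecContext. */
#define MAX_DIM 8192            /* invented encoder size limit */
#define CODEC_ID_IMAGE_ONLY 7   /* stands in for the codec-id compare at line 306 */

typedef struct AVCtx { int codec_id; } AVCtx;
typedef struct Picture { unsigned char *data; } Picture;
typedef struct Encoder {
    AVCtx  *avctx;      /* assigned only after validation succeeds */
    Picture pics[2];
} Encoder;

/* Unref as the trace shows it: reads avctx->codec_id before anything else,
 * so a NULL avctx (state after a failed init) faults on the zero page. */
static void unref_picture_vuln(AVCtx *avctx, Picture *pic) {
    if (avctx->codec_id != CODEC_ID_IMAGE_ONLY) {   /* NULL deref if avctx == NULL */
        free(pic->data);
        pic->data = NULL;
    }
}

/* NULL-tolerant variant: a missing context cannot be the image-only codec,
 * and free(NULL) is a no-op, so this is safe on partially initialised state. */
static void unref_picture_safe(AVCtx *avctx, Picture *pic) {
    int image_only = avctx != NULL && avctx->codec_id == CODEC_ID_IMAGE_ONLY;
    if (!image_only) {
        free(pic->data);
        pic->data = NULL;
    }
}

/* Teardown runs the unref over every picture slot, whichever variant is selected. */
static void encoder_end(Encoder *s, int hardened) {
    for (int i = 0; i < 2; i++) {
        if (hardened)
            unref_picture_safe(s->avctx, &s->pics[i]);
        else
            unref_picture_vuln(s->avctx, &s->pics[i]);
    }
}

/* Init in the problematic order: reject oversized dimensions, then run the
 * full teardown on the error path while s->avctx is still NULL.
 * Returns 0 on success, -1 on rejected dimensions. */
static int encoder_init(Encoder *s, AVCtx *avctx, int w, int h, int hardened) {
    memset(s, 0, sizeof(*s));
    if (w > MAX_DIM || h > MAX_DIM) {
        fprintf(stderr, "dimensions too large (%dx%d)\n", w, h);
        encoder_end(s, hardened);       /* s->avctx == NULL here */
        return -1;
    }
    s->avctx = avctx;
    for (int i = 0; i < 2; i++)
        s->pics[i].data = calloc((size_t)w * (size_t)h, 1);
    return 0;
}

/* Drives init (and teardown on success) for a given frame size.
 * With hardened == 0 and oversized input this dereferences NULL, mirroring
 * the SEGV in the ticket; with hardened == 1 it returns -1 cleanly. */
int try_dimensions(int w, int h, int hardened) {
    AVCtx avctx = { .codec_id = 1 };
    Encoder enc;
    int ret = encoder_init(&enc, &avctx, w, h, hardened);
    if (ret == 0)
        encoder_end(&enc, hardened);
    return ret;
}

int main(void) {
    /* 4039x32783 is the stream size from the PoC's probe output. */
    printf("hardened init of 4039x32783 returned %d\n", try_dimensions(4039, 32783, 1));
    printf("hardened init of 64x64 returned %d\n", try_dimensions(64, 64, 1));
    return 0;
}
```

Running `try_dimensions(4039, 32783, 0)` reproduces the crash pattern in the model (NULL read in the unref routine); the hardened path returns an error instead. The general lesson the model isolates is that a codec's close routine is reachable from avcodec_open2's failure path and must tolerate every field init has not yet set, not only the ones a successful init guarantees.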