[FFmpeg-trac] #10308(undetermined:new): heap-buffer-overflow in ffmpeg (get_vlc2 at libavcodec/get_bits.h:639)
FFmpeg
trac at avcodec.org
Tue Apr 4 07:58:22 EEST 2023
-------------------------------------+-------------------------------------
Reporter:  Youngseok Choi             | Type:  defect
Status:    new                        | Priority:  normal
Component: undetermined               | Version:  unspecified
Keywords:  fuzzing, heap-overflow     | Blocked By:
Blocking:                             | Reproduced by developer:  0
Analyzed by developer:  0             |
-------------------------------------+-------------------------------------
Hello, our fuzzer found a new heap-overflow bug.
**Command to Reproduce**
{{{
ffmpeg -err_detect ignore_err -i poc_file -f null @
}}}
poc_file is attached.
**Command Output**
{{{
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
libavutil 58. 5.100 / 58. 5.100
libavcodec 60. 9.100 / 60. 9.100
libavformat 60. 4.101 / 60. 4.101
libavdevice 60. 2.100 / 60. 2.100
libavfilter 9. 5.100 / 9. 5.100
libswscale 7. 2.100 / 7. 2.100
libswresample 4. 11.100 / 4. 11.100
[mpeg4 @ 0x619000000580] time_increment_bits 0 is invalid in relation to the current bitstream, this is likely caused by a missing VOL header
[mpeg4 @ 0x619000000580] time_increment_bits set to 14 bits, based on bitstream analysis
[mpeg4 @ 0x619000000580] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000000580] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000000580] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000000580] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000000580] N-bit not supported
[mpeg4 @ 0x619000000580] quant precision 15
[mpeg4 @ 0x619000000580] insufficient data for custom matrix
[mpeg4 @ 0x619000000580] looks like this file was encoded with (divx4/(old)xvid/opendivx) -> forcing low_delay flag
[mpeg4 @ 0x619000000580] [IMGUTILS @ 0x7fffffffc650] Picture size 0x0 is invalid
[mpeg4 @ 0x619000000580] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000000580] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000000580] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000000580] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000000580] N-bit not supported
[mpeg4 @ 0x619000000580] quant precision 15
[mpeg4 @ 0x619000000580] insufficient data for custom matrix
[mpeg4 @ 0x619000000580] Reverting picture dimensions change due to header decoding failure
[mpeg4 @ 0x619000000580] header damaged
Input #0, m4v, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/2_id:026013/poc_file':
Duration: N/A, start: 4.997986, bitrate: N/A
Stream #0:0: Video: mpeg4, yuv420p, 3x7038, 512.16 fps, 512 tbr, 1200k tbn
Stream mapping:
Stream #0:0 -> #0:0 (mpeg4 (native) -> wrapped_avframe (native))
Press [q] to stop, [?] for help
[mpeg4 @ 0x619000003280] looks like this file was encoded with (divx4/(old)xvid/opendivx) -> forcing low_delay flag
[mpeg4 @ 0x619000003780] Context scratch buffers could not be allocated due to unknown size.
[mpeg4 @ 0x619000003780] warning: first frame is no keyframe
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 0
[mpeg4 @ 0x619000003780] Error at MB: 0
[mpeg4 @ 0x619000003780] ac-tex damaged at 0 16
[mpeg4 @ 0x619000003780] Error at MB: 32
[mpeg4 @ 0x619000003780] Error at MB: 40
[mpeg4 @ 0x619000003780] Error at MB: 46
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 24
[mpeg4 @ 0x619000003780] Error at MB: 48
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 25
[mpeg4 @ 0x619000003780] Error at MB: 50
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 26
[mpeg4 @ 0x619000003780] Error at MB: 52
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 27
[mpeg4 @ 0x619000003780] Error at MB: 54
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 28
[mpeg4 @ 0x619000003780] Error at MB: 56
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 29
[mpeg4 @ 0x619000003780] Error at MB: 58
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 30
[mpeg4 @ 0x619000003780] Error at MB: 60
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 31
[mpeg4 @ 0x619000003780] Error at MB: 62
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 32
[mpeg4 @ 0x619000003780] Error at MB: 64
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 33
[mpeg4 @ 0x619000003780] Error at MB: 66
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 34
[mpeg4 @ 0x619000003780] Error at MB: 68
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 35
[mpeg4 @ 0x619000003780] Error at MB: 70
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 36
[mpeg4 @ 0x619000003780] Error at MB: 72
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 37
[mpeg4 @ 0x619000003780] Error at MB: 74
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 38
[mpeg4 @ 0x619000003780] Error at MB: 76
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 39
[mpeg4 @ 0x619000003780] Error at MB: 78
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 40
[mpeg4 @ 0x619000003780] Error at MB: 80
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 41
[mpeg4 @ 0x619000003780] Error at MB: 82
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 42
[mpeg4 @ 0x619000003780] Error at MB: 84
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 43
[mpeg4 @ 0x619000003780] Error at MB: 86
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 44
[mpeg4 @ 0x619000003780] Error at MB: 88
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 45
[mpeg4 @ 0x619000003780] Error at MB: 90
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 46
[mpeg4 @ 0x619000003780] Error at MB: 92
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 47
[mpeg4 @ 0x619000003780] Error at MB: 94
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 48
[mpeg4 @ 0x619000003780] Error at MB: 96
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 49
[mpeg4 @ 0x619000003780] Error at MB: 98
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 50
[mpeg4 @ 0x619000003780] Error at MB: 100
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 51
[mpeg4 @ 0x619000003780] Error at MB: 102
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 52
[mpeg4 @ 0x619000003780] Error at MB: 104
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 53
[mpeg4 @ 0x619000003780] Error at MB: 106
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 54
[mpeg4 @ 0x619000003780] Error at MB: 108
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 55
[mpeg4 @ 0x619000003780] Error at MB: 110
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 56
[mpeg4 @ 0x619000003780] Error at MB: 112
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 57
[mpeg4 @ 0x619000003780] Error at MB: 114
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 58
[mpeg4 @ 0x619000003780] Error at MB: 116
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 59
[mpeg4 @ 0x619000003780] Error at MB: 118
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 60
[mpeg4 @ 0x619000003780] Error at MB: 120
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 61
[mpeg4 @ 0x619000003780] Error at MB: 122
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 62
[mpeg4 @ 0x619000003780] Error at MB: 124
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 63
[mpeg4 @ 0x619000003780] Error at MB: 126
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 64
[mpeg4 @ 0x619000003780] Error at MB: 128
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 65
[mpeg4 @ 0x619000003780] Error at MB: 130
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 66
[mpeg4 @ 0x619000003780] Error at MB: 132
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 67
[mpeg4 @ 0x619000003780] Error at MB: 134
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 68
[mpeg4 @ 0x619000003780] Error at MB: 136
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 69
[mpeg4 @ 0x619000003780] Error at MB: 138
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 70
[mpeg4 @ 0x619000003780] Error at MB: 140
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 71
[mpeg4 @ 0x619000003780] Error at MB: 142
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 72
[mpeg4 @ 0x619000003780] Error at MB: 144
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 73
[mpeg4 @ 0x619000003780] Error at MB: 146
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 74
[mpeg4 @ 0x619000003780] Error at MB: 148
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 75
[mpeg4 @ 0x619000003780] Error at MB: 150
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 76
[mpeg4 @ 0x619000003780] Error at MB: 152
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 77
[mpeg4 @ 0x619000003780] Error at MB: 154
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 78
[mpeg4 @ 0x619000003780] Error at MB: 156
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 79
[mpeg4 @ 0x619000003780] Error at MB: 158
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 80
[mpeg4 @ 0x619000003780] Error at MB: 160
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 81
[mpeg4 @ 0x619000003780] Error at MB: 162
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 82
[mpeg4 @ 0x619000003780] Error at MB: 164
[mpeg4 @ 0x619000003780] mcbpc damaged at 0 83
[mpeg4 @ 0x619000003780] Error at MB: 166
=================================================================
[mpeg4 @ 0x619000003c80] Marker bit missing at 56 of 376 before time_increment_resolution
[mpeg4 @ 0x619000003c80] Marker bit missing at 73 of 376 before fixed_vop_rate
[mpeg4 @ 0x619000003c80] Marker bit missing at 75 of 376 before width
[mpeg4 @ 0x619000003c80] Marker bit missing at 89 of 376 before height
[mpeg4 @ 0x619000003c80] N-bit not supported
[mpeg4 @ 0x619000003c80] quant precision 15
[mpeg4 @ 0x619000003c80] insufficient data for custom matrix
[mpeg4 @ 0x619000003c80] header damaged
[mpeg4 @ 0x619000004180] header damaged
Error while decoding stream #0:0: Invalid data found when processing input
}}}
**Backtrace** (asan)
{{{
==11134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000000a0 at pc 0x5555573e3f56 bp 0x7ffff14fd960 sp 0x7ffff14fd950
READ of size 4 at 0x60b0000000a0 thread T2 (av:mpeg4:df1)
    #0 0x5555573e3f55 in get_vlc2 libavcodec/get_bits.h:639
    #1 0x5555573e3f55 in mpeg4_decode_mb libavcodec/mpeg4videodec.c:1692
    #2 0x555556fbfc28 in decode_slice libavcodec/h263dec.c:248
    #3 0x555556fc3779 in ff_h263_decode_frame libavcodec/h263dec.c:594
    #4 0x555557621ab1 in frame_worker_thread libavcodec/pthread_frame.c:214
    #5 0x7ffff59d86da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #6 0x7ffff570161e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12161e)

0x60b0000000a3 is located 0 bytes to the right of 99-byte region [0x60b000000040,0x60b0000000a3)
allocated by thread T0 here:
    #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x555558d1133a in av_realloc libavutil/mem.c:162
    #2 0x555558ccb931 in av_buffer_realloc libavutil/buffer.c:192
    #3 0x555556b4ee09 in packet_alloc libavcodec/avpacket.c:88
    #4 0x555556b514ab in av_packet_make_refcounted libavcodec/avpacket.c:492
    #5 0x5555565b6256 in parse_packet libavformat/demux.c:1167
    #6 0x5555565b85a6 in read_frame_internal libavformat/demux.c:1334
    #7 0x5555565c5184 in avformat_find_stream_info libavformat/demux.c:2613
    #8 0x555555a95a11 in ifile_open fftools/ffmpeg_demux.c:1077
    #9 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
    #10 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
    #11 0x555555b195ba in main fftools/ffmpeg.c:4165
    #12 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Thread T2 (av:mpeg4:df1) created by T0 here:
    #0 0x7ffff6e4fd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x555557627dc3 in init_thread libavcodec/pthread_frame.c:797
    #2 0x555557628503 in ff_frame_thread_init libavcodec/pthread_frame.c:853
    #3 0x555557620b8b in ff_thread_init libavcodec/pthread.c:78
    #4 0x555556b4b1f4 in avcodec_open2 libavcodec/avcodec.c:309
    #5 0x555555b0b2d4 in init_input_stream fftools/ffmpeg.c:2838
    #6 0x555555b11ac8 in transcode_init fftools/ffmpeg.c:3335
    #7 0x555555b18980 in transcode fftools/ffmpeg.c:4020
    #8 0x555555b196f8 in main fftools/ffmpeg.c:4182
    #9 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
}}}
gdb didn't produce the assembly code around the program counter and the registers' info.
Thank you.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10308>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
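A small triage script, added here as an example (it is not FFmpeg code and not part of the ticket), that parses the ASan report above into the fields a fuzzing pipeline keys on: bug class, access kind and size, how far the access overruns the allocation, the faulting frame, the first in-tree allocation frame, and a stack-based signature for de-duplicating crashes. The embedded input is the report from this ticket with the mail archive's line wrapping undone and both stacks truncated; the field names and the three-frame signature depth are choices of the example. Run on this report it shows that the 4-byte read at 0x60b0000000a0 begins inside the 99-byte packet buffer and overruns its end by exactly one byte, which is why ASan flags 0x60b0000000a3 as "0 bytes to the right" of the region.

```python
"""Parse an AddressSanitizer heap-buffer-overflow report into triage fields.

Added example; not FFmpeg code. The sample input is the ASan output from the
ticket with the mail archive's line wrapping undone and the stacks truncated.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ASAN_REPORT = """\
==11134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000000a0 at pc 0x5555573e3f56 bp 0x7ffff14fd960 sp 0x7ffff14fd950
READ of size 4 at 0x60b0000000a0 thread T2 (av:mpeg4:df1)
    #0 0x5555573e3f55 in get_vlc2 libavcodec/get_bits.h:639
    #1 0x5555573e3f55 in mpeg4_decode_mb libavcodec/mpeg4videodec.c:1692
    #2 0x555556fbfc28 in decode_slice libavcodec/h263dec.c:248
    #3 0x555556fc3779 in ff_h263_decode_frame libavcodec/h263dec.c:594
0x60b0000000a3 is located 0 bytes to the right of 99-byte region [0x60b000000040,0x60b0000000a3)
allocated by thread T0 here:
    #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x555558d1133a in av_realloc libavutil/mem.c:162
    #2 0x555558ccb931 in av_buffer_realloc libavutil/buffer.c:192
    #3 0x555556b4ee09 in packet_alloc libavcodec/avpacket.c:88
    #4 0x555556b514ab in av_packet_make_refcounted libavcodec/avpacket.c:492
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+) thread (T\d+)")
REGION_RE = re.compile(r"of (\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line" for in-tree code, "(lib+offset)" for shared libs

    @property
    def in_tree(self) -> bool:
        return not self.location.startswith("(")


@dataclass
class AsanReport:
    bug_type: str = ""
    access_kind: str = ""
    access_size: int = 0
    access_addr: int = 0
    thread: str = ""
    region_start: int = 0
    region_end: int = 0  # exclusive, matching ASan's [start,end) notation
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def bytes_past_end(self) -> int:
        """Bytes of the faulting access that lie beyond the allocation."""
        return max(0, self.access_addr + self.access_size - self.region_end)

    @property
    def bytes_in_bounds(self) -> int:
        return self.access_size - self.bytes_past_end

    def crash_frame(self) -> Optional[Frame]:
        return self.access_stack[0] if self.access_stack else None

    def alloc_site(self) -> Optional[Frame]:
        """First allocation frame that is project code rather than libasan/libc."""
        return next((f for f in self.alloc_stack if f.in_tree), None)

    def signature(self, depth: int = 3) -> str:
        """Bucket key for de-duplicating fuzzer crashes: class, access kind, top frames."""
        funcs = [f.function for f in self.access_stack[:depth]]
        return ":".join([self.bug_type, self.access_kind, *funcs])


def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    current = rep.access_stack  # frames go here until an "allocated by" line
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            rep.bug_type = m.group(1)
        elif m := ACCESS_RE.match(line):
            rep.access_kind, rep.access_size = m.group(1), int(m.group(2))
            rep.access_addr, rep.thread = int(m.group(3), 16), m.group(4)
            current = rep.access_stack
        elif m := REGION_RE.search(line):
            rep.region_start, rep.region_end = int(m.group(2), 16), int(m.group(3), 16)
            assert rep.region_size == int(m.group(1)), "region size disagrees with bounds"
        elif "allocated by" in line:
            current = rep.alloc_stack
        elif m := FRAME_RE.match(line):
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(r.signature())
    print(f"{r.access_kind} of {r.access_size} bytes: {r.bytes_in_bounds} inside the "
          f"{r.region_size}-byte region, {r.bytes_past_end} past its end")
    print("faulting frame:", r.crash_frame().function, r.crash_frame().location)
    print("allocated at:", r.alloc_site().function, r.alloc_site().location)
```

The signature deliberately uses the top of the faulting stack rather than the allocation stack: many distinct fuzzer inputs will hit the same bitstream-reader overread through different allocation paths, and bucketing on `get_vlc2` / `mpeg4_decode_mb` / `decode_slice` groups them as one bug to fix. The region-size cross-check in the parser catches reports whose wrapped lines were rejoined incorrectly, which is the usual way such reports get damaged in transit.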