[FFmpeg-trac] #10309(undetermined:new): heap-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610)
FFmpeg
trac at avcodec.org
Tue Apr 4 08:06:00 EEST 2023
#10309: heap-buffer-overflow bug in FFmpeg (new_output_stream at fftools/ffmpeg_mux_init.c:610)
-------------------------------------+-------------------------------------
Reporter: Youngseok Choi             | Owner: (none)
Type: defect                         | Status: new
Priority: normal                     | Component: undetermined
Version: git-master                  | Resolution:
Keywords: fuzzing, heap-overflow     | Blocked By:
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Description changed by Youngseok Choi:
Old description:
> Our fuzzer found a new heap overflow bug in FFmpeg.
>
> **Command input**
> {{{
> ffmpeg -i poc_file -f mp4 -tag e @
> }}}
>
> **Command Output**
> {{{
> ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
> built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
> configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
> libavutil      58.  5.100 / 58.  5.100
> libavcodec     60.  9.100 / 60.  9.100
> libavformat    60.  4.101 / 60.  4.101
> libavdevice    60.  2.100 / 60.  2.100
> libavfilter     9.  5.100 /  9.  5.100
> libswscale      7.  2.100 /  7.  2.100
> libswresample   4. 11.100 /  4. 11.100
> [amr @ 0x617000000080] Estimating duration from bitrate, this may be inaccurate
> Input #0, amr, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/5_id:012265/poc_file':
>   Duration: 00:00:00.03, bitrate: 14 kb/s
>   Stream #0:0: Audio: amr_nb (samr / 0x726D6173), 8000 Hz, mono, fltp, 12 kb/s
> }}}
>
> **Backtrace** (Asan dump)
>
> {{{
> =================================================================
> ==16792==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000470 at pc 0x555555ab684c bp 0x7fffffffb8f0 sp 0x7fffffffb8e0
> READ of size 4 at 0x602000000470 thread T0
>     #0 0x555555ab684b in new_output_stream fftools/ffmpeg_mux_init.c:610
>     #1 0x555555ac20a6 in new_audio_stream fftools/ffmpeg_mux_init.c:952
>     #2 0x555555ac72ae in map_auto_audio fftools/ffmpeg_mux_init.c:1230
>     #3 0x555555ac9214 in create_streams fftools/ffmpeg_mux_init.c:1432
>     #4 0x555555ad2482 in of_open fftools/ffmpeg_mux_init.c:2274
>     #5 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
>     #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
>     #7 0x555555b195ba in main fftools/ffmpeg.c:4165
>     #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
>     #9 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)
>
> 0x602000000472 is located 0 bytes to the right of 2-byte region [0x602000000470,0x602000000472)
> allocated by thread T0 here:
>     #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
>     #1 0x555558d1133a in av_realloc libavutil/mem.c:162
>     #2 0x555558d1207d in av_strdup libavutil/mem.c:275
>     #3 0x555555ae2178 in write_option fftools/cmdutils.c:282
>     #4 0x555555ae31c4 in parse_optgroup fftools/cmdutils.c:405
>     #5 0x555555adb2d2 in open_files fftools/ffmpeg_opt.c:1235
>     #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
>     #7 0x555555b195ba in main fftools/ffmpeg.c:4165
>     #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
> }}}
>
> **Environment**
>
> We used git master branch version to test FFmpeg.
> OS: Ubuntu 18.04
> GCC: 7.5.0
New description:
Our fuzzer found a new heap overflow bug in FFmpeg.
**Command input**
{{{
ffmpeg -i poc_file -f mp4 -tag e @
}}}
**Command Output**
{{{
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
libavutil      58.  5.100 / 58.  5.100
libavcodec     60.  9.100 / 60.  9.100
libavformat    60.  4.101 / 60.  4.101
libavdevice    60.  2.100 / 60.  2.100
libavfilter     9.  5.100 /  9.  5.100
libswscale      7.  2.100 /  7.  2.100
libswresample   4. 11.100 /  4. 11.100
[amr @ 0x617000000080] Estimating duration from bitrate, this may be inaccurate
Input #0, amr, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/5_id:012265/poc_file':
  Duration: 00:00:00.03, bitrate: 14 kb/s
  Stream #0:0: Audio: amr_nb (samr / 0x726D6173), 8000 Hz, mono, fltp, 12 kb/s
}}}
**Backtrace** (Asan dump)
{{{
=================================================================
==16792==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000470 at pc 0x555555ab684c bp 0x7fffffffb8f0 sp 0x7fffffffb8e0
READ of size 4 at 0x602000000470 thread T0
    #0 0x555555ab684b in new_output_stream fftools/ffmpeg_mux_init.c:610
    #1 0x555555ac20a6 in new_audio_stream fftools/ffmpeg_mux_init.c:952
    #2 0x555555ac72ae in map_auto_audio fftools/ffmpeg_mux_init.c:1230
    #3 0x555555ac9214 in create_streams fftools/ffmpeg_mux_init.c:1432
    #4 0x555555ad2482 in of_open fftools/ffmpeg_mux_init.c:2274
    #5 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
    #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
    #7 0x555555b195ba in main fftools/ffmpeg.c:4165
    #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #9 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)

0x602000000472 is located 0 bytes to the right of 2-byte region [0x602000000470,0x602000000472)
allocated by thread T0 here:
    #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x555558d1133a in av_realloc libavutil/mem.c:162
    #2 0x555558d1207d in av_strdup libavutil/mem.c:275
    #3 0x555555ae2178 in write_option fftools/cmdutils.c:282
    #4 0x555555ae31c4 in parse_optgroup fftools/cmdutils.c:405
    #5 0x555555adb2d2 in open_files fftools/ffmpeg_opt.c:1235
    #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
    #7 0x555555b195ba in main fftools/ffmpeg.c:4165
    #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
}}}
**Environment**
We used the git master branch to test FFmpeg. To detect heap overflows, it was built with AddressSanitizer.
OS: Ubuntu 18.04
GCC: 7.5.0
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10309#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
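As an added illustration (not FFmpeg's code and not the reporter's), the C below models what the two sanitizer stacks describe together: the option value is copied into an exactly sized heap buffer (av_strdup in the allocation stack, so "e" occupies 2 bytes), and stream setup then loads that string as a 4-byte little-endian fourcc, which for a 1-character tag reads 2 bytes past the region. That the read at ffmpeg_mux_init.c:610 is such a fourcc load is an assumption consistent with the 4-byte read ASan reports; the names rl32, dup_exact, parse_codec_tag_unsafe and parse_codec_tag_safe are hypothetical. The hardened variant stages at most strlen(s) bytes into a zero-padded 4-byte buffer, so short tags are NUL-padded instead of over-read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FFmpeg code. Hypothetical helpers modelling the pattern
 * the ASan trace points at: an exactly sized heap copy of a "-tag" value plus
 * an unbounded 4-byte load of it. */

/* Little-endian 32-bit load from 4 bytes (stand-in for a macro like AV_RL32). */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Exact-size heap copy (strlen + 1 bytes), the allocation shape the
 * av_strdup frame in the report implies: "e" becomes a 2-byte region. */
static char *dup_exact(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Vulnerable form: assumes the tag string has at least 4 bytes.
 * Correct for "avc1"; over-reads the heap for anything shorter. */
uint32_t parse_codec_tag_unsafe(const char *s)
{
    char *next;
    uint32_t tag = (uint32_t)strtoul(s, &next, 0);
    if (*next)                          /* not a plain number: treat as fourcc */
        tag = rl32((const uint8_t *)s); /* unbounded 4-byte read */
    return tag;
}

/* Hardened form: copy at most strlen(s) bytes into a zero-padded 4-byte
 * buffer, so "e" is loaded as 'e',0,0,0 and no byte past the NUL is touched. */
uint32_t parse_codec_tag_safe(const char *s)
{
    char *next;
    uint32_t tag = (uint32_t)strtoul(s, &next, 0);
    if (*next) {
        uint8_t buf[4] = {0, 0, 0, 0};
        size_t n = strlen(s);
        memcpy(buf, s, n < sizeof(buf) ? n : sizeof(buf));
        tag = rl32(buf);
    }
    return tag;
}

int main(void)
{
    /* Constructed inputs: the 1-character tag from the report, a full
     * fourcc, and the numeric form of the same fourcc. */
    const char *inputs[] = { "e", "avc1", "0x31637661" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        char *dup = dup_exact(inputs[i]); /* heap region sized like av_strdup's */
        if (!dup)
            return 1;
        printf("%-12s -> 0x%08x\n", inputs[i],
               (unsigned)parse_codec_tag_safe(dup));
        free(dup);
    }
    return 0;
}
```

Built with the same -fsanitize=address flags as the report's configuration, calling parse_codec_tag_unsafe on the 1-character heap copy produces a heap-buffer-overflow report of the same shape (READ of size 4 at the start of a 2-byte region); parse_codec_tag_safe on the same buffer does not, which is the check to run when verifying a fix for this class of over-read.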