[FFmpeg-trac] #10310(undetermined:new): stack-buffer-overflow in FFmpeg (fftools/ffmpeg_mux_init.c:610 in new_output_stream)

FFmpeg trac at avcodec.org
Tue Apr 4 08:12:32 EEST 2023


#10310: stack-buffer-overflow in FFmpeg (fftools/ffmpeg_mux_init.c:610 in
new_output_stream)
-------------------------------------+-------------------------------------
             Reporter:  Youngseok    |                    Owner:  (none)
  Choi                               |
                 Type:  defect       |                   Status:  new
             Priority:  normal       |                Component:
                                     |  undetermined
              Version:  git-master   |               Resolution:
             Keywords:  fuzzing,     |               Blocked By:
  stack-overflow                     |
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Description changed by Youngseok Choi:

Old description:

> Our fuzzer found a new stack overflow bug.
>
> **Command Input**
>
> {{{
> ffmpeg -i poc_file -aac_pred true .mpd
> }}}
>
> poc_file is attached.
>
> **Command Output**
>
> {{{
>   libavutil      58.  5.100 / 58.  5.100
>   libavcodec     60.  9.100 / 60.  9.100
>   libavformat    60.  4.101 / 60.  4.101
>   libavdevice    60.  2.100 / 60.  2.100
>   libavfilter     9.  5.100 /  9.  5.100
>   libswscale      7.  2.100 /  7.  2.100
>   libswresample   4. 11.100 /  4. 11.100
> [amr @ 0x617000000080] Estimating duration from bitrate, this may be inaccurate
> Input #0, amr, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/5_id:012265/poc_file':
>   Duration: 00:00:00.03, bitrate: 14 kb/s
>   Stream #0:0: Audio: amr_nb (samr / 0x726D6173), 8000 Hz, mono, fltp, 12 kb/s
> }}}
>
> **Stack Trace**
> {{{
> ==21207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000470 at pc 0x555555ab684c bp 0x7fffffffb8f0 sp 0x7fffffffb8e0
> READ of size 4 at 0x602000000470 thread T0
>     #0 0x555555ab684b in new_output_stream fftools/ffmpeg_mux_init.c:610
>     #1 0x555555ac20a6 in new_audio_stream fftools/ffmpeg_mux_init.c:952
>     #2 0x555555ac72ae in map_auto_audio fftools/ffmpeg_mux_init.c:1230
>     #3 0x555555ac9214 in create_streams fftools/ffmpeg_mux_init.c:1432
>     #4 0x555555ad2482 in of_open fftools/ffmpeg_mux_init.c:2274
>     #5 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
>     #6 0x555555adb820 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1297
>     #7 0x555555b195ba in main fftools/ffmpeg.c:4165
>     #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
>     #9 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)
> }}}
>
> **Environment**
>
> OS: Ubuntu 18.04
> GCC: 7.5.0
> FFmpeg: version N-110167-g97c95961f0, configured with the following flags:
> {{{
> --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
> }}}

New description:

 Our fuzzer found a new stack overflow bug.

 **Command Input**

 {{{
 ffmpeg -i poc_file -aac_pred true .mpd
 }}}

 poc_file is attached.

 **Command Output**

 {{{
 ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
   built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
   configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
   libavutil      58.  5.100 / 58.  5.100
   libavcodec     60.  9.100 / 60.  9.100
   libavformat    60.  4.101 / 60.  4.101
   libavdevice    60.  2.100 / 60.  2.100
   libavfilter     9.  5.100 /  9.  5.100
   libswscale      7.  2.100 /  7.  2.100
   libswresample   4. 11.100 /  4. 11.100
 [ea_cdata @ 0x617000000080] Format ea_cdata detected only with low score of 12, misdetection possible!
 [aist#0:0/adpcm_ea_xas @ 0x616000000980] Guessed Channel Layout: mono
 Input #0, ea_cdata, from '/home/youngseok/data/230327/asan_inter_30_30_shrink5_1_230308/ffmpeg/1_id:024501/poc_file':
   Duration: N/A, start: 0.000000, bitrate: N/A
   Stream #0:0: Audio: adpcm_ea_xas, 304 Hz, 1 channels, s16p
 Stream mapping:
   Stream #0:0 -> #0:0 (adpcm_ea_xas (native) -> aac (native))
 Press [q] to stop, [?] for help
 [ea_cdata @ 0x617000000080] Packet corrupt (stream = 0, dts = NOPTS).
 [in#0/ea_cdata @ 0x612000000040] corrupt input packet in stream 0
 [aac @ 0x619000001e80] Too many bits 9613.061224 > 6144 per frame requested, clamping to max
 [aac @ 0x619000001e80] Chainging profile to "aac_main"
 [dash @ 0x617000000400] Opening 'init-stream0.m4s' for writing
 Output #0, dash, to '.mpd':
   Metadata:
     encoder         : Lavf60.4.101
   Stream #0:0: Audio: aac (Main), 7350 Hz, mono, fltp, 44 kb/s
     Metadata:
       encoder         : Lavc60.9.100 aac
 [adpcm_ea_xas @ 0x619000000a80] invalid number of samples in packet
 Error while decoding stream #0:0: Invalid data found when processing input
 [dash @ 0x617000000400] Opening 'chunk-stream0-00001.m4s.tmp' for writing
 }}}

 **Stack Trace**
 {{{
 ==24765==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc958 at pc 0x55555881107c bp 0x7fffffffc8a0 sp 0x7fffffffc890
 READ of size 4 at 0x7fffffffc958 thread T0
     #0 0x55555881107b in ff_aac_search_for_tns libavcodec/aacenc_tns.c:203
     #1 0x55555817ebf0 in aac_encode_frame libavcodec/aacenc.c:1021
     #2 0x555556e51a6e in ff_encode_encode_cb libavcodec/encode.c:223
     #3 0x555556e525eb in encode_simple_internal libavcodec/encode.c:309
     #4 0x555556e52734 in encode_simple_receive_packet libavcodec/encode.c:323
     #5 0x555556e52c71 in encode_receive_packet_internal libavcodec/encode.c:357
     #6 0x555556e537e8 in avcodec_send_frame libavcodec/encode.c:506
     #7 0x555555af7260 in encode_frame fftools/ffmpeg.c:904
     #8 0x555555af871d in submit_encode_frame fftools/ffmpeg.c:985
     #9 0x555555af8d79 in do_audio_out fftools/ffmpeg.c:1046
     #10 0x555555afcb2c in reap_filters fftools/ffmpeg.c:1440
     #11 0x555555b17958 in transcode_from_filter fftools/ffmpeg.c:3887
     #12 0x555555b1822d in transcode_step fftools/ffmpeg.c:3975
     #13 0x555555b18a9e in transcode fftools/ffmpeg.c:4044
     #14 0x555555b196f8 in main fftools/ffmpeg.c:4182
     #15 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
     #16 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)
 }}}

 **Environment**

 OS: Ubuntu 18.04
 GCC: 7.5.0
 FFmpeg: version N-110167-g97c95961f0, configured with the following flags:
 {{{
 --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
 }}}

-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10310#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
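The two AddressSanitizer reports in this ticket, the heap-buffer-overflow in new_output_stream from the old description and the stack-buffer-overflow in ff_aac_search_for_tns from the new one, are distinct crashes, and they are exactly the kind of thing a fuzzing pipeline should tell apart without a human reading the trace. The triage script below is an added example, not FFmpeg code and not part of the ticket: it parses an ASan report, picks the innermost symbolized frame, derives a dedup signature and names the top-level source directory the crash sits in. Its sample input is the two traces from this ticket, copied with the mail line-wrapping undone and some middle frames omitted; the helper names (parse_asan, crash_frame, signature, component, summarize) are the example's own.

```python
"""Triage helper for AddressSanitizer reports from a fuzzing campaign.
Added example for this ticket; not FFmpeg code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "==24765==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc958 ..."
HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[A-Za-z0-9_-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
# "READ of size 4 at 0x7fffffffc958 thread T0"
ACCESS_RE = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+)")
# "    #0 0x55555881107b in ff_aac_search_for_tns libavcodec/aacenc_tns.c:203"
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>\S.*?)\s*$", re.MULTILINE)
# Symbolized "file.c:line[:col]"; unsymbolized "(libc.so.6+0x...)" frames deliberately do not match.
LOC_RE = re.compile(r"^(?P<file>[^\s(]+):(?P<line>\d+)(?::\d+)?$")
# Process start-up frames, never the interesting crash site.
RUNTIME_FUNCS = {"__libc_start_main", "_start"}


@dataclass(frozen=True)
class Frame:
    index: int
    func: str
    file: Optional[str]   # None when ASan could not symbolize the frame
    line: Optional[int]


@dataclass
class AsanReport:
    kind: str             # e.g. "stack-buffer-overflow"
    op: str               # "READ" or "WRITE"
    size: int             # access width in bytes
    addr: int             # faulting address
    frames: List[Frame]


def parse_asan(text: str) -> AsanReport:
    """Parse one ASan error report: header, access line, then the stack frames."""
    h = HEADER_RE.search(text)
    if h is None:
        raise ValueError("no AddressSanitizer error header found")
    a = ACCESS_RE.search(text, h.end())
    if a is None:
        raise ValueError("no READ/WRITE access line found")
    frames = []
    for m in FRAME_RE.finditer(text, a.end()):
        loc = LOC_RE.match(m.group("loc"))
        frames.append(Frame(int(m.group("idx")), m.group("func"),
                            loc.group("file") if loc else None,
                            int(loc.group("line")) if loc else None))
    if not frames:
        raise ValueError("no stack frames found")
    return AsanReport(h.group("kind"), a.group("op"), int(a.group("size")),
                      int(a.group("addr"), 16), frames)


def located_frames(report: AsanReport) -> List[Frame]:
    """Frames with a source location, excluding process start-up code."""
    return [f for f in report.frames if f.file is not None and f.func not in RUNTIME_FUNCS]


def crash_frame(report: AsanReport) -> Frame:
    """Innermost symbolized frame: where the bad access actually happened."""
    located = located_frames(report)
    return located[0] if located else report.frames[0]


def component(report: AsanReport) -> str:
    """Top-level source directory of the crash frame ('libavcodec', 'fftools', ...)."""
    f = crash_frame(report)
    return f.file.split("/", 1)[0] if f.file and "/" in f.file else "unknown"


def signature(report: AsanReport, depth: int = 3) -> Tuple[str, ...]:
    """Dedup key: error kind, access type and the innermost `depth` functions."""
    return (report.kind, report.op, *[f.func for f in located_frames(report)[:depth]])


def summarize(report: AsanReport) -> str:
    f = crash_frame(report)
    return (f"{report.kind}: {report.op} of {report.size} byte(s) in {f.func} "
            f"({f.file}:{f.line}), component {component(report)}")


# Sample input: the two traces from the ticket, unwrapped and abbreviated (middle frames dropped).
OLD_REPORT = """\
==21207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000470 at pc 0x555555ab684c bp 0x7fffffffb8f0 sp 0x7fffffffb8e0
READ of size 4 at 0x602000000470 thread T0
    #0 0x555555ab684b in new_output_stream fftools/ffmpeg_mux_init.c:610
    #1 0x555555ac20a6 in new_audio_stream fftools/ffmpeg_mux_init.c:952
    #2 0x555555ac72ae in map_auto_audio fftools/ffmpeg_mux_init.c:1230
    #7 0x555555b195ba in main fftools/ffmpeg.c:4165
    #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
"""
NEW_REPORT = """\
==24765==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc958 at pc 0x55555881107c bp 0x7fffffffc8a0 sp 0x7fffffffc890
READ of size 4 at 0x7fffffffc958 thread T0
    #0 0x55555881107b in ff_aac_search_for_tns libavcodec/aacenc_tns.c:203
    #1 0x55555817ebf0 in aac_encode_frame libavcodec/aacenc.c:1021
    #2 0x555556e51a6e in ff_encode_encode_cb libavcodec/encode.c:223
    #14 0x555555b196f8 in main fftools/ffmpeg.c:4182
    #15 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
"""

if __name__ == "__main__":
    old, new = parse_asan(OLD_REPORT), parse_asan(NEW_REPORT)
    for r in (old, new):
        print(summarize(r))
    print("same bug:", signature(old) == signature(new))
```

Run directly it prints one summary line per report and whether the two share a signature. Keying on (error kind, access type, innermost frames) rather than on the ticket title is what separates the two crashes here, and component() is a quick hint for the trac Component field: the new trace is in libavcodec (the AAC encoder's TNS search), while the old one was in fftools.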

