[FFmpeg-trac] #10319(ffmpeg:new): heap overflow in ffmpeg(add_input_streams fftools/ffmpeg_demux.c:691)

FFmpeg trac at avcodec.org
Wed Apr 12 13:36:52 EEST 2023


#10319: heap overflow in ffmpeg(add_input_streams fftools/ffmpeg_demux.c:691)
---------------------------------------------------------------------------
               Reporter:  Youngseok Choi
                   Type:  defect
                 Status:  new
               Priority:  normal
              Component:  ffmpeg
                Version:  git-master
               Keywords:  fuzzing heap-overflow
             Blocked By:
               Blocking:
Reproduced by developer:  0
  Analyzed by developer:  0
---------------------------------------------------------------------------
 Our fuzzer found a new heap overflow bug in ffmpeg.

 **Command Input**

 {{{
 ffmpeg -tag F -pattern_type 1 -i ?.y
 }}}

 Interestingly, there is no input file. Only command line arguments lead
 ffmpeg to crash.

 **Command Output**
 {{{
 ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
   built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
   configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
   libavutil      58.  5.100 / 58.  5.100
   libavcodec     60.  9.100 / 60.  9.100
   libavformat    60.  4.101 / 60.  4.101
   libavdevice    60.  2.100 / 60.  2.100
   libavfilter     9.  5.100 /  9.  5.100
   libswscale      7.  2.100 /  7.  2.100
   libswresample   4. 11.100 /  4. 11.100
 [rawvideo @ 0x619000000580] Invalid pixel format.
 [image2 @ 0x617000000080] Failed to open codec in avformat_find_stream_info
 [image2 @ 0x617000000080] Could not open file : ?.y
 [rawvideo @ 0x619000000580] Invalid pixel format.
 [image2 @ 0x617000000080] Failed to open codec in avformat_find_stream_info
 [image2 @ 0x617000000080] Could not find codec parameters for stream 0 (Video: rawvideo, none): unspecified size
 Consider increasing the value for the 'analyzeduration' (0) and 'probesize' (5000000) options
 }}}

 **Sanitizer Dump**
 {{{
 ==19936==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b0 at pc 0x555555a8dd9e bp 0x7fffffffc820 sp 0x7fffffffc810
 READ of size 4 at 0x6020000000b0 thread T0
     #0 0x555555a8dd9d in add_input_streams fftools/ffmpeg_demux.c:691
     #1 0x555555a96932 in ifile_open fftools/ffmpeg_demux.c:1165
     #2 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
     #3 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
     #4 0x555555b195ba in main fftools/ffmpeg.c:4165
     #5 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
     #6 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_install/ffmpeg/bin/ffmpeg+0x530499)

 0x6020000000b2 is located 0 bytes to the right of 2-byte region [0x6020000000b0,0x6020000000b2)
 allocated by thread T0 here:
     #0 0x7ffff6ef6f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
     #1 0x555558d1133a in av_realloc libavutil/mem.c:162
     #2 0x555558d1207d in av_strdup libavutil/mem.c:275
     #3 0x555555ae2178 in write_option fftools/cmdutils.c:282
     #4 0x555555ae31c4 in parse_optgroup fftools/cmdutils.c:405
     #5 0x555555adb2d2 in open_files fftools/ffmpeg_opt.c:1235
     #6 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
     #7 0x555555b195ba in main fftools/ffmpeg.c:4165
     #8 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
 }}}

 **Environment**

 Built with address sanitizer.
 {{{
 ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers
   built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
   configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
 }}}
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10319>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
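What the sanitizer dump implies, as an added illustration that is not part of the ticket and not FFmpeg's code: av_strdup() copied the option value "F" into a 2-byte heap region (the character plus its NUL), and add_input_streams then performed a 4-byte read from it, the width of a FourCC codec tag. The C below is a constructed example of that pattern next to the length check that prevents it. The function names, the assumption that the tag option is loaded with a 32-bit little-endian read, and the accepted input forms are mine, not the project's.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not FFmpeg code): how many bytes a strdup()-style
 * copy of an option value occupies. "-tag F" gives 'F' plus NUL, i.e. the
 * 2-byte region the sanitizer dump reports. */
size_t option_alloc_size(const char *value)
{
    return strlen(value) + 1;
}

/* Little-endian 32-bit load of four bytes, the shape of a FourCC read. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern (assumed, shown for contrast): reads four bytes no
 * matter how long the string is. Given a 2-byte heap copy of "F" this is a
 * 4-byte read of a 2-byte region, which is what the dump reports. Only ever
 * call it on a buffer known to hold at least four bytes. */
uint32_t tag_from_string_unchecked(const char *s)
{
    return rl32((const uint8_t *)s);
}

/* Checked replacement: exactly four characters are taken as a FourCC; any
 * other string must be a number (decimal, or 0x-prefixed hex) that fits in
 * 32 bits. Everything else, including a one-character tag, is rejected with
 * -EINVAL before any wide read happens. */
int tag_from_string_checked(const char *s, uint32_t *out)
{
    size_t n = strlen(s);
    char *end = NULL;
    unsigned long long v;

    if (n == 4) {
        *out = rl32((const uint8_t *)s);
        return 0;
    }
    /* strtoull() would silently accept a sign and wrap; refuse it up front. */
    if (n == 0 || s[0] == '-' || s[0] == '+')
        return -EINVAL;
    errno = 0;
    v = strtoull(s, &end, 0);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -EINVAL;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample option values, including the crashing one. */
    const char *inputs[] = { "F", "avc1", "0x31637661", "828601953", "12345" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t tag;
        int rc = tag_from_string_checked(inputs[i], &tag);
        printf("%-12s alloc=%zu bytes  ", inputs[i], option_alloc_size(inputs[i]));
        if (rc == 0)
            printf("tag=0x%08x\n", tag);
        else
            printf("rejected (%d)\n", rc);
    }
    return 0;
}
```

The point of the checked variant is that the length decision happens on strlen(), which is bounded by the allocation that strdup() made, before any fixed-width load touches the buffer; "avc1", "0x31637661" and "828601953" all map to the same tag, while "F" is rejected rather than read past.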


More information about the FFmpeg-trac mailing list