[FFmpeg-trac] #10244(ffmpeg:new): stack-buffer-overflow in ffmpeg (libavcodec/options.c:4)

FFmpeg trac at avcodec.org
Thu Mar 9 06:41:58 EET 2023 

#10244: stack-buffer-overflow in ffmpeg (libavcodec/options.c:4)
-------------------------------------+-------------------------------------
             Reporter:  Youngseok    |                     Type:  defect
  Choi                               |
               Status:  new          |                 Priority:  normal
            Component:  ffmpeg       |                  Version:  git-
                                     |  master
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Hello, we are developing a new fuzzing technique, and it found a stack-
 buffer-overflow in ffmpeg.

 How to reproduce:
 {{{
 % ./ffmpeg -discard "" -i <input_file>
 }}}

 <input_file> is available at https://github.com/3-24/oss-fuzz-
 reports/raw/master/ffmpeg/poc_4/poc_file.

 Stack Trace:
 {{{
 ==16401==ERROR: AddressSanitizer: stack-buffer-overflow on address
 0x7ffce3a8f980 at pc 0x558c3518c716 bp 0x7ffce3a8ce00 sp 0x7ffce3a8cdf0
 READ of size 8 at 0x7ffce3a8f980 thread T0
     #0 0x558c3518c715 in context_to_name libavcodec/options.c:44
     #1 0x558c36928c38 in format_line libavutil/log.c:309
     #2 0x558c369295e3 in av_log_default_callback libavutil/log.c:368
     #3 0x558c3692a147 in av_vlog libavutil/log.c:434
     #4 0x558c36929d8d in av_log libavutil/log.c:413
     #5 0x558c3690685f in parse_primary libavutil/eval.c:387
     #6 0x558c369094a3 in parse_pow libavutil/eval.c:522
     #7 0x558c36909770 in parse_dB libavutil/eval.c:537
     #8 0x558c369098c9 in parse_factor libavutil/eval.c:544
     #9 0x558c36909e78 in parse_term libavutil/eval.c:571
     #10 0x558c3690a295 in parse_subexpr libavutil/eval.c:595
     #11 0x558c3690a6bb in parse_expr libavutil/eval.c:623
     #12 0x558c3690b33f in av_expr_parse libavutil/eval.c:716
     #13 0x558c3690be8e in av_expr_parse_and_eval libavutil/eval.c:783
     #14 0x558c36936994 in set_string_number libavutil/opt.c:307
     #15 0x558c36938720 in av_opt_eval_int libavutil/opt.c:602
     #16 0x558c336bcabc in add_input_streams fftools/ffmpeg_demux.c:784
     #17 0x558c336c2932 in ifile_open fftools/ffmpeg_demux.c:1165
     #18 0x558c337072f4 in open_files fftools/ffmpeg_opt.c:1244
     #19 0x558c33707669 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
     #20 0x558c337450df in main fftools/ffmpeg.c:4160
     #21 0x7fc525d28c86 in __libc_start_main (/lib/x86_64-linux-
 gnu/libc.so.6+0x21c86)
     #22 0x558c336b0499 in _start (/home/youngseok/latest-
 subjects/ffmpeg/ffmpeg+0x52f499)
 }}}



 Environment:
 - OS: Ubuntu 18.04
 - gcc: 7.5.0
 - ffmpeg: version N-109968-gcc76e8340d (git-master)

 Note that I built ffmpeg with address sanitizer.
 {{{
 ./configure --extra-cflags="-fsanitize=address -g -O0" \
 --extra-cxxflags="-fsanitize=address -g -O0" --extra-
 ldflags="-fsanitize=address -g -O0" \
 --disable-optimizations --disable-stripping
 }}}
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10244>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list