[FFmpeg-trac] #11133(avcodec:new): heap-buffer-overflow in libavcodec/bytestream.h:99:1
FFmpeg
trac at avcodec.org
Fri Aug 9 14:08:50 EEST 2024
#11133: heap-buffer-overflow in libavcodec/bytestream.h:99:1
---------------------------------+--------------------------------------
Reporter: kmfl | Type: defect
Status: new | Priority: critical
Component: avcodec | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
---------------------------------+--------------------------------------
Summary of the bug:
A heap-buffer-overflow bug was found in the latest version; it may cause
information leaks or arbitrary code execution.
How to reproduce:
{{{
/home/ffmpeg-debug/ffmpeg_g -i ./heap_overflow_ffmpeg test
ffmpeg version N-116549-g94165d1b79 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 15.0.7
configuration: --disable-shared --pkg-config-flags=--static --extra-libs='-lpthread -lm' --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --enable-debug --cc=clang-15 --cxx=clang++-15 --extra-cflags='-fsanitize=address' --extra-cxxflags='-fsanitize=address' --extra-ldflags='-fsanitize=address'
libavutil 59. 32.100 / 59. 32.100
libavcodec 61. 11.100 / 61. 11.100
libavformat 61. 5.101 / 61. 5.101
libavdevice 61. 2.100 / 61. 2.100
libavfilter 10. 2.102 / 10. 2.102
libswscale 8. 2.100 / 8. 2.100
libswresample 5. 2.100 / 5. 2.100
libpostproc 58. 2.100 / 58. 2.100
Ignoring attempt to set invalid timebase 1/0 for st:0
Truncating packet of size 13303840 to 39173
[genh @ 0x617000000080] Packet corrupt (stream = 0, dts = NOPTS).
Aborted
}}}
ASAN output:
{{{
=================================================================
==21==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000a6da at pc 0x55ca233d5857 bp 0x7ffe3caa63d0 sp 0x7ffe3caa63c8
READ of size 1 at 0x62e00000a6da thread T0
#0 0x55ca233d5856 in bytestream_get_byte /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
#1 0x55ca233d5856 in bytestream2_get_byteu /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
#2 0x55ca233d5856 in adpcm_decode_frame /home/ffmpeg-debug/libavcodec/adpcm.c:2136:5
#3 0x55ca21bbde79 in decode_simple_internal /home/ffmpeg-debug/libavcodec/decode.c:429:20
#4 0x55ca21bbde79 in decode_simple_receive_frame /home/ffmpeg-debug/libavcodec/decode.c:600:15
#5 0x55ca21bbde79 in decode_receive_frame_internal /home/ffmpeg-debug/libavcodec/decode.c:631:15
#6 0x55ca21bbd73b in avcodec_send_packet /home/ffmpeg-debug/libavcodec/decode.c:721:15
#7 0x55ca21413f0c in try_decode_frame /home/ffmpeg-debug/libavformat/demux.c:2156:19
#8 0x55ca2140cfd0 in avformat_find_stream_info /home/ffmpeg-debug/libavformat/demux.c:2840:9
#9 0x55ca208db180 in ifile_open /home/ffmpeg-debug/fftools/ffmpeg_demux.c:1771:15
#10 0x55ca2092ff26 in open_files /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1188:15
#11 0x55ca2092ff26 in ffmpeg_parse_options /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1228:11
#12 0x55ca2095abff in main /home/ffmpeg-debug/fftools/ffmpeg.c:972:11
#13 0x7fbefc6e4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#14 0x7fbefc6e4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#15 0x55ca2080fd64 in _start (/home/ffmpeg-debug/ffmpeg_g+0x6fbd64) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)
0x62e00000a6da is located 0 bytes to the right of 41690-byte region [0x62e000000400,0x62e00000a6da)
allocated by thread T0 here:
#0 0x55ca20895bb6 in __interceptor_realloc (/home/ffmpeg-debug/ffmpeg_g+0x781bb6) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)
#1 0x55ca242b9339 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:192:25
#2 0x55ca242b9190 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:214:15
#3 0x55ca224e1ab9 in av_grow_packet /home/ffmpeg-debug/libavcodec/packet.c:151:19
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ffmpeg-debug/libavcodec/bytestream.h:99:1 in bytestream_get_byte
Shadow bytes around the buggy address:
0x0c5c7fff9480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff9490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff94d0: 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa
0x0c5c7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==21==ABORTING
}}}
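The trace above shows the read happening in bytestream2_get_byteu(), the unchecked variant of the byte reader, exactly 0 bytes past the end of a 41690-byte packet buffer that av_grow_packet() had allocated. The pattern behind that class of report is a decoder loop that uses the unchecked reader without first verifying that the packet holds as many bytes as its header claims. The following is an added example written for this page, not FFmpeg's own bytestream.h or adpcm.c: a simplified model of the checked/unchecked reader pair (the ByteReader struct and the reader_* and decode_nibbles names are assumptions chosen to mirror the pattern) that shows the checked reader refusing to advance at the end of the buffer, and the remaining-length check a decoder must perform before it may loop with unchecked reads.

```c
/* Simplified model of a bounds-checked byte reader in the style of the
 * GetByteContext / bytestream2_* API. Added example for this ticket page;
 * it is not FFmpeg's code. All names below are assumptions. */
#include <stddef.h>
#include <stdint.h>

typedef struct ByteReader {
    const uint8_t *buffer;        /* current read position */
    const uint8_t *buffer_end;    /* one past the last valid byte */
    const uint8_t *buffer_start;  /* kept for tell()-style bookkeeping */
} ByteReader;

static void reader_init(ByteReader *r, const uint8_t *buf, size_t size)
{
    r->buffer = r->buffer_start = buf;
    r->buffer_end = buf + size;
}

static size_t reader_bytes_left(const ByteReader *r)
{
    return (size_t)(r->buffer_end - r->buffer);
}

/* Unchecked read: the caller must already have verified that at least one
 * byte remains. Calling it when buffer == buffer_end is a one-byte heap
 * over-read, which is what AddressSanitizer reports in the trace above. */
static unsigned int reader_get_byte_unchecked(ByteReader *r)
{
    return *r->buffer++;
}

/* Checked read: returns 0 and does not advance when nothing is left, so a
 * malformed packet can at worst produce zeros, never an out-of-bounds read. */
static unsigned int reader_get_byte(ByteReader *r)
{
    if (r->buffer_end - r->buffer < 1)
        return 0;
    return *r->buffer++;
}

/* Decoder-style loop: each packet byte yields two 4-bit samples.
 * claimed_bytes models a length taken from the packet header.
 * Returns the number of samples written, or -1 when the packet is shorter
 * than claimed (or the output buffer too small). The up-front length check
 * is what makes the unchecked reads inside the loop safe. */
static int decode_nibbles(const uint8_t *pkt, size_t pkt_size,
                          size_t claimed_bytes, int16_t *out, size_t out_cap)
{
    ByteReader r;
    reader_init(&r, pkt, pkt_size);

    if (reader_bytes_left(&r) < claimed_bytes)
        return -1;                      /* refuse rather than over-read */
    if (out_cap < claimed_bytes * 2)
        return -1;

    size_t n = 0;
    for (size_t i = 0; i < claimed_bytes; i++) {
        unsigned int b = reader_get_byte_unchecked(&r); /* safe: length verified */
        out[n++] = (int16_t)((b >> 4) & 0xF);
        out[n++] = (int16_t)(b & 0xF);
    }
    return (int)n;
}
```

Running decode_nibbles() on a constructed 3-byte packet with claimed_bytes set to 4 returns -1 without touching memory past the buffer; with the length check removed, the same call would perform the unchecked read one byte past the end, which is the condition ASan flags as "0 bytes to the right of" the region.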
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11133>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker