[FFmpeg-trac] #11395(avfilter:new): null pointer deref similar to https://trac.ffmpeg.org/ticket/11392 when using the aeval filter in filtergraphs

FFmpeg trac at avcodec.org
Fri Jan 3 18:06:20 EET 2025


#11395: null pointer deref similar to https://trac.ffmpeg.org/ticket/11392 when using the aeval filter in filtergraphs
-------------------------------------+-------------------------------------
             Reporter:  somehacker   |                     Type:  defect
               Status:  new          |                 Priority:  important
            Component:  avfilter     |                  Version:  git-master
             Keywords:  expression   |               Blocked By:
                        filters      |  Reproduced by developer:  1
             Blocking:               |
Analyzed by developer:  1            |
-------------------------------------+-------------------------------------
 Summary of the bug:

 Hi! I found another potential null pointer deref.

 How to reproduce:
 {{{
 % ./ffmpeg -i input -vf "aeval=:1" output
 ffmpeg version git-2025-01-01-df09465 Copyright (c) 2000-2024 the FFmpeg developers
   built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04)
   configuration: --disable-x86asm --enable-debug=3 --disable-optimizations
   libavutil      59. 53.100 / 59. 53.100
   libavcodec     61. 28.100 / 61. 28.100
   libavformat    61.  9.102 / 61.  9.102
   libavdevice    61.  4.100 / 61.  4.100
   libavfilter    10.  6.101 / 10.  6.101
   libswscale      8. 13.100 /  8. 13.100
   libswresample   5.  4.100 /  5.  4.100

 built on:

 No LSB modules are available.
 Distributor ID: Ubuntu
 Description:    Ubuntu 24.04.1 LTS
 Release:        24.04
 Codename:       noble
 }}}

 Here is the ASAN output from the debug binary (ffmpeg_g). The contents of
 the input file are not important since this bug occurs with any input
 file. I found this bug via fuzzing and, once again, if you want to read
 about it you can do so here:
 https://personnumber3377.github.io/projects/fuzzing_ffmpeg_avfilter_graph_parse_ptr.html

 {{{
 ffmpeg version git-2025-01-01-df09465 Copyright (c) 2000-2024 the FFmpeg developers
   built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04)
   configuration: --disable-x86asm --enable-debug=3 --disable-optimizations
   libavutil      59. 53.100 / 59. 53.100
   libavcodec     61. 28.100 / 61. 28.100
   libavformat    61.  9.102 / 61.  9.102
   libavdevice    61.  4.100 / 61.  4.100
   libavfilter    10.  6.101 / 10.  6.101
   libswscale      8. 13.100 /  8. 13.100
   libswresample   5.  4.100 /  5.  4.100
 Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'sample.mp4':
   Metadata:
     major_brand     : mp42
     minor_version   : 0
     compatible_brands: mp42mp41isomavc1
     creation_time   : 2015-08-07T09:13:02.000000Z
   Duration: 00:00:30.53, start: 0.000000, bitrate: 411 kb/s
   Stream #0:0[0x1](und): Video: h264 (Constrained Baseline) (avc1 / 0x31637661), yuv420p(progressive), 480x270 [SAR 1:1 DAR 16:9], 301 kb/s, 30 fps, 30 tbr, 30 tbn (default)
     Metadata:
       creation_time   : 2015-08-07T09:13:02.000000Z
       handler_name    : L-SMASH Video Handler
       vendor_id       : [0][0][0][0]
       encoder         : AVC Coding
   Stream #0:1[0x2](und): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, stereo, fltp, 112 kb/s (default)
     Metadata:
       creation_time   : 2015-08-07T09:13:02.000000Z
       handler_name    : L-SMASH Audio Handler
       vendor_id       : [0][0][0][0]
 libavutil/eval.c:718:25: runtime error: null pointer passed as argument 1,
 which is declared to never be null
 AddressSanitizer:DEADLYSIGNAL
 =================================================================
 ==3568872==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
 (pc 0x7f4b2f59875d bp 0x7ffebc34a090 sp 0x7ffebc349818 T0)
 ==3568872==The signal is caused by a READ memory access.
 ==3568872==Hint: address points to the zero page.
     #0 0x7f4b2f59875d in __strlen_avx2 ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
     #1 0x7f4b302eb826 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
     #2 0x55fd83dc02f6 in av_expr_parse libavutil/eval.c:718
     #3 0x55fd7d75f6b8 in parse_channel_expressions libavfilter/aeval.c:156
     #4 0x55fd7d75fd76 in init libavfilter/aeval.c:185
     #5 0x55fd7c67e25e in avfilter_init_dict libavfilter/avfilter.c:939
     #6 0x55fd7c751af9 in avfilter_graph_segment_init libavfilter/graphparser.c:634
     #7 0x55fd7c7558ce in avfilter_graph_segment_apply libavfilter/graphparser.c:905
     #8 0x55fd7c3f65d5 in graph_parse fftools/ffmpeg_filter.c:595
     #9 0x55fd7c4001b6 in fg_create fftools/ffmpeg_filter.c:1104
     #10 0x55fd7c401676 in fg_create_simple fftools/ffmpeg_filter.c:1203
     #11 0x55fd7c441846 in ost_bind_filter fftools/ffmpeg_mux_init.c:999
     #12 0x55fd7c44c333 in ost_add fftools/ffmpeg_mux_init.c:1536
     #13 0x55fd7c44e7eb in map_auto_video fftools/ffmpeg_mux_init.c:1640
     #14 0x55fd7c454848 in create_streams fftools/ffmpeg_mux_init.c:1969
     #15 0x55fd7c46bcde in of_open fftools/ffmpeg_mux_init.c:3335
     #16 0x55fd7c47be1b in open_files fftools/ffmpeg_opt.c:1363
     #17 0x55fd7c47c626 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1419
     #18 0x55fd7c4db981 in main fftools/ffmpeg.c:974
     #19 0x7f4b2f4371c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
     #20 0x7f4b2f43728a in __libc_start_main_impl ../csu/libc-start.c:360
     #21 0x55fd7c397ba4 in _start (/home/oof/ffmpegfuzzerthing/myfork/backupshit/new/FFmpeg/ffmpeg_g+0xbef5ba4) (BuildId: f16d7ec11e94c65e71ebe53cf79988601733f849)

 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/strlen-avx2.S:76 in __strlen_avx2
 ==3568872==ABORTING
 }}}

 Thanks in advance!
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11395>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
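As an added illustration (not code from the ticket or from FFmpeg), the following is a small model of the pattern the trace points at: a '|'-separated channel expression list is tokenised, the last expression is reused to pad channels the list does not cover, and an empty list leaves nothing to pad with, so a NULL pointer reaches the expression parser (which, like strlen(), must never receive one). All names are hypothetical stand-ins; the hardened variant shows the check a defensive parser would apply before padding.

```c
/* Added model of the defect in the trace above (hypothetical names, not
 * FFmpeg code). With "aeval=:1" the expression list is empty: no token is
 * produced, so the padding step hands NULL to the parser, which calls
 * strlen() on it (libavutil/eval.c:718 in the trace). */
#include <errno.h>
#include <string.h>

#define MAX_CHANNELS 8
#define MAX_EXPR     64

/* Stand-in for av_expr_parse(): returns the expression length, or -1 on the
 * NULL argument that in the real trace becomes the SEGV inside strlen(). */
static int parse_expr_stub(const char *expr)
{
    if (!expr)
        return -1;
    return (int)strlen(expr);
}

/* Splits `exprs` on '|' and assigns one expression per channel, padding with
 * the last one. Returns the channel count, -EINVAL when `hardened` rejects an
 * empty list, or -1 where the unhardened path would have crashed. */
static int assign_channel_exprs(const char *exprs, int expected_nb_channels,
                                int hardened)
{
    static char tok[MAX_CHANNELS][MAX_EXPR];
    const char *last_expr = NULL, *p = exprs;
    int nb = 0;

    while (*p && nb < MAX_CHANNELS) {
        const char *bar = strchr(p, '|');
        size_t len = bar ? (size_t)(bar - p) : strlen(p);
        if (len >= MAX_EXPR)
            return -EINVAL;
        memcpy(tok[nb], p, len);
        tok[nb][len] = '\0';
        if (parse_expr_stub(tok[nb]) < 0)
            return -1;
        last_expr = tok[nb++];
        p = bar ? bar + 1 : p + len;
    }
    /* Hardened check: an empty list leaves nothing to pad with. */
    if (hardened && !last_expr && nb < expected_nb_channels)
        return -EINVAL;
    for (; nb < expected_nb_channels; nb++)
        if (parse_expr_stub(last_expr) < 0)
            return -1;                /* NULL reaches the parser: the bug */
    return nb;
}
```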