[FFmpeg-trac] #11418(undetermined:new): stack-buffer-overflow on libavcodec/aacenc_tns.c
FFmpeg
trac at avcodec.org
Tue Jan 14 07:45:52 EET 2025
#11418: stack-buffer-overflow on libavcodec/aacenc_tns.c
-------------------------------------+-------------------------------------
Reporter: 0x20z | Type: defect
Status: new | Priority: important
Component: undetermined | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
{{{
I have discovered a stack-buffer-overflow vulnerability. The POC file is
attached to the session, and the version of ffmpeg is the main branch.
Please confirm.
}}}
How to reproduce:
{{{
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan \
    --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" \
    --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" \
    --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" \
    --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -i poc -aac_pred true -profile:a aac_low output.mpd
}}}
log:
{{{
=================================================================
==1108156==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f286b5fe998 at pc 0x572aadc11f35 bp 0x7f286b5fe8e0 sp 0x7f286b5fe8d0
READ of size 4 at 0x7f286b5fe998 thread T1 (enc0:0:aac)
    #0 0x572aadc11f34 in ff_aac_search_for_tns libavcodec/aacenc_tns.c:204
    #1 0x572aacede67e in aac_encode_frame libavcodec/aacenc.c:1020
    #2 0x572aaaa197e2 in ff_encode_encode_cb libavcodec/encode.c:254
    #3 0x572aaaa1b896 in encode_simple_internal libavcodec/encode.c:340
    #4 0x572aaaa1bbfb in encode_simple_receive_packet libavcodec/encode.c:354
    #5 0x572aaaa1cb13 in encode_receive_packet_internal libavcodec/encode.c:388
    #6 0x572aaaa1e97e in avcodec_send_frame libavcodec/encode.c:531
    #7 0x572aa7edbe65 in encode_frame fftools/ffmpeg_enc.c:643
    #8 0x572aa7edf861 in frame_encode fftools/ffmpeg_enc.c:812
    #9 0x572aa7ee0a09 in encoder_thread fftools/ffmpeg_enc.c:899
    #10 0x572aa7fb17b2 in task_wrapper fftools/ffmpeg_sched.c:2534
    #11 0x7f286f094ac2 in start_thread nptl/pthread_create.c:442
    #12 0x7f286f12684f (/usr/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
Address 0x7f286b5fe998 is located in stack of thread T1 (enc0:0:aac) at offset 40 in frame
    #0 0x572aadc1038a in ff_aac_search_for_tns libavcodec/aacenc_tns.c:162
  This frame has 2 object(s):
    [32, 40) 'en' (line 183) <== Memory access at offset 40 overflows this variable
    [64, 320) 'coefs' (line 165)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T1 (enc0:0:aac) created by T0 here:
    #0 0x7f286fc58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x572aa7f8ad4b in task_start fftools/ffmpeg_sched.c:414
    #2 0x572aa7fa09d7 in sch_start fftools/ffmpeg_sched.c:1615
    #3 0x572aa8006dea in transcode fftools/ffmpeg.c:864
    #4 0x572aa80081a8 in main fftools/ffmpeg.c:992
    #5 0x7f286f029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: stack-buffer-overflow libavcodec/aacenc_tns.c:204 in ff_aac_search_for_tns
}}}
Found by:
{{{
0x20z
}}}
Thank you for your time and attention
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11418>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
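As an added triage example (not part of the ticket or of FFmpeg's code), this script parses the AddressSanitizer report quoted in the ticket and derives what the sanitizer output implies: the faulting 4-byte read lands exactly at the end of the 8-byte stack object `en`, i.e. one element past a two-element array. It assumes the standard ASan stack-buffer-overflow report layout; the report excerpt is copied from the log above, trimmed to the lines the parser needs.

```python
import re

# Excerpt of the ASan report from the ticket above (copied, trimmed to the lines the parser needs).
REPORT = """\
==1108156==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f286b5fe998 at pc 0x572aadc11f35 bp 0x7f286b5fe8e0 sp 0x7f286b5fe8d0
READ of size 4 at 0x7f286b5fe998 thread T1 (enc0:0:aac)
    #0 0x572aadc11f34 in ff_aac_search_for_tns libavcodec/aacenc_tns.c:204
    #1 0x572aacede67e in aac_encode_frame libavcodec/aacenc.c:1020
Address 0x7f286b5fe998 is located in stack of thread T1 (enc0:0:aac) at offset 40 in frame
    #0 0x572aadc1038a in ff_aac_search_for_tns libavcodec/aacenc_tns.c:162
  This frame has 2 object(s):
    [32, 40) 'en' (line 183) <== Memory access at offset 40 overflows this variable
    [64, 320) 'coefs' (line 165)
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '(\w+)' \(line (\d+)\)", re.M)


def triage(report):
    """Summarise the faulting access and the stack object it overruns."""
    kind = re.search(r"AddressSanitizer: ([\w-]+)", report).group(1)
    op, size, addr = ACCESS_RE.search(report).groups()
    func, path, line = FRAME0_RE.search(report).groups()   # first frame = faulting PC
    offset = int(OFFSET_RE.search(report).group(1))         # byte offset within the frame
    objects = [(int(a), int(b), n, int(ln)) for a, b, n, ln in OBJECT_RE.findall(report)]
    size = int(size)
    # The overrun object is the one starting at or below the access whose end is highest.
    victim = max((o for o in objects if o[0] <= offset), key=lambda o: o[1])
    start, end, name, decl_line = victim
    return {
        "kind": kind, "op": op, "size": size, "addr": addr,
        "function": func, "location": f"{path}:{line}",
        "object": name, "object_bytes": end - start, "declared_line": decl_line,
        "bytes_past_end": offset - end,
        # If the object is an array of elements the size of the access, this is the index touched.
        "element_index": (offset - start) // size,
        "element_count": (end - start) // size,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```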