#10424 closed defect (fixed)
NULL dereference in read_uslt after allocation failure

| Reported by: | catenacyber | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | yes | | |
Description
Summary of the bug:
Stack trace is:
#0 0x5f3063 in read_uslt /src/ffmpeg/libavformat/id3v2.c:387:40
#1 0x5f3063 in id3v2_parse /src/ffmpeg/libavformat/id3v2.c:1046:17
#2 0x5f3063 in id3v2_read_internal /src/ffmpeg/libavformat/id3v2.c:1116:13
#3 0x5f114a in ff_id3v2_read_dict /src/ffmpeg/libavformat/id3v2.c:1133:5
#4 0x579cb0 in avformat_open_input /src/ffmpeg/libavformat/demux.c:311:9
#5 0x4e9dd1 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:201:11
Allocation failure stack trace is:
#4 0x934452 in av_realloc /src/ffmpeg/libavutil/mem.c:162
#5 0x934452 in av_reallocp /src/ffmpeg/libavutil/mem.c:196
#6 0x543671 in dyn_buf_write /src/ffmpeg/libavformat/aviobuf.c:1409
#7 0x533f37 in writeout /src/ffmpeg/libavformat/aviobuf.c:163
#8 0x533f37 in flush_buffer /src/ffmpeg/libavformat/aviobuf.c:188
#9 0x54232e in avio_flush /src/ffmpeg/libavformat/aviobuf.c:247
#10 0x54232e in avio_close_dyn_buf /src/ffmpeg/libavformat/aviobuf.c:1537
#11 0x5f677c in decode_str /src/ffmpeg/libavformat/id3v2.c:311
#12 0x5f2f91 in read_uslt /src/ffmpeg/libavformat/id3v2.c:380
#13 0x5f2f91 in id3v2_parse /src/ffmpeg/libavformat/id3v2.c:1046
#14 0x5f2f91 in id3v2_read_internal /src/ffmpeg/libavformat/id3v2.c:1116
#15 0x5f114a in ff_id3v2_read_dict /src/ffmpeg/libavformat/id3v2.c:1133
#16 0x579cb0 in avformat_open_input /src/ffmpeg/libavformat/demux.c:311
#17 0x4e9dd1 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:201
How to reproduce:
Run the base64-encoded input SUQzAwAAACAAUVVTTFQAAElEAAAA6QAAAP8GAwAAAAAAAAAAAAAAAAIAREkCUQIAAAAA8AAAAAAAADACsA in ffmpeg_dem_FRM_fuzzer with nallocfuzz, cf. https://github.com/google/oss-fuzz/pull/9902
Change History (2)
comment:1 by , 11 months ago
| Analyzed by developer: | set |
|---|---|
| Component: | avutil → avformat |
| Priority: | minor → important |
| Resolution: | → fixed |
| Status: | new → closed |
comment:2 by , 11 months ago
Thanks James for the fix.
If this is important, there are likely other similar NULL dereferences that you can find with nallocfuzz, like
#1 0x94f053 in av_get_pix_fmt /src/ffmpeg/libavutil/pixdesc.c:2872:10
#2 0x7453a9 in rawvideo_read_header /src/ffmpeg/libavformat/rawvideodec.c:59:24
#3 0x579cfb in avformat_open_input /src/ffmpeg/libavformat/demux.c:314:20
#4 0x4e9dd1 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:201:11
after failed:
#4 0x9354ac in av_realloc /src/ffmpeg/libavutil/mem.c:162
#5 0x9354ac in av_strdup /src/ffmpeg/libavutil/mem.c:275
#6 0x944444 in set_string /src/ffmpeg/libavutil/opt.c:226
#7 0x944444 in av_opt_set_defaults2 /src/ffmpeg/libavutil/opt.c:1512
#8 0x943f13 in av_opt_set_defaults /src/ffmpeg/libavutil/opt.c:1461
#9 0x579b99 in avformat_open_input /src/ffmpeg/libavformat/demux.c:303
#10 0x4e9dd1 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:201
Fixed in 25ce1c8333337ca27cd0ca54da2179f122a0dc83.
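The bug class in this ticket and in the follow-up comment is the same: a helper (decode_str via avio_close_dyn_buf, av_strdup via set_string) returns NULL when an allocation fails, and the caller uses the result without checking it. The program below is an added illustration, not FFmpeg's code and not the fix referenced above. It uses a hypothetical lyrics-frame parser with a fault-injecting allocator to show the unchecked form beside the checked form, and a sweep that fails every allocation in turn, which is what a nallocfuzz-style run does to surface these paths. All function and type names (fuzz_malloc, decode_text, read_lyrics_unchecked, read_lyrics_checked, sweep_allocation_failures) and the sample frame are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fault-injecting allocator (hypothetical stand-in for nallocfuzz):
 * when fail_at >= 0, the allocation with that index returns NULL. */
static int fail_at     = -1;
static int alloc_index = 0;

static void *fuzz_malloc(size_t n)
{
    int idx = alloc_index++;
    if (fail_at >= 0 && idx == fail_at)
        return NULL;
    return malloc(n);
}

void reset_allocator(int fail_index)
{
    fail_at     = fail_index;
    alloc_index = 0;
}

/* Hypothetical decoder in the role of decode_str(): returns a newly
 * allocated C string, or NULL if the allocation failed. */
char *decode_text(const unsigned char *buf, size_t len)
{
    char *out = fuzz_malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, buf, len);
    out[len] = '\0';
    return out;
}

/* Parsed result of a hypothetical lyrics frame: 3-byte language tag + text. */
struct lyrics {
    char *lang;
    char *text;
};

void free_lyrics(struct lyrics *l)
{
    free(l->lang);
    free(l->text);
    l->lang = l->text = NULL;
}

/* Buggy form: decode_text() results are used without a NULL check, so an
 * allocation failure turns into a NULL dereference inside strlen(). */
int read_lyrics_unchecked(const unsigned char *buf, size_t len, struct lyrics *out)
{
    if (len < 3)
        return -EINVAL;
    out->lang = decode_text(buf, 3);
    out->text = decode_text(buf + 3, len - 3);
    return (int)strlen(out->text);   /* crashes if decode_text() returned NULL */
}

/* Hardened form: every allocating call is checked, partial results are
 * released, and -ENOMEM is propagated instead of touching a NULL pointer. */
int read_lyrics_checked(const unsigned char *buf, size_t len, struct lyrics *out)
{
    out->lang = out->text = NULL;
    if (len < 3)
        return -EINVAL;
    out->lang = decode_text(buf, 3);
    if (!out->lang)
        return -ENOMEM;
    out->text = decode_text(buf + 3, len - 3);
    if (!out->text) {
        free_lyrics(out);
        return -ENOMEM;
    }
    return (int)strlen(out->text);
}

/* Constructed sample frame: language "eng" followed by the text "Hello". */
static const unsigned char SAMPLE[] = "engHello";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Run the hardened parser once per allocation site with that site failing,
 * the way a nallocfuzz sweep does. Returns how many runs reported -ENOMEM;
 * an unchecked NULL would abort the process instead of being counted. */
int sweep_allocation_failures(void)
{
    struct lyrics l;
    int enomem = 0;

    reset_allocator(-1);                 /* clean run: count allocations */
    if (read_lyrics_checked(SAMPLE, SAMPLE_LEN, &l) < 0)
        return -1;
    int total = alloc_index;
    free_lyrics(&l);

    for (int i = 0; i < total; i++) {    /* fail allocation i, i = 0..total-1 */
        reset_allocator(i);
        int ret = read_lyrics_checked(SAMPLE, SAMPLE_LEN, &l);
        if (ret == -ENOMEM)
            enomem++;
        else if (ret >= 0)
            free_lyrics(&l);
    }
    reset_allocator(-1);
    return enomem;
}

int main(void)
{
    struct lyrics l;
    reset_allocator(-1);
    /* Without fault injection both forms behave identically. */
    int a = read_lyrics_unchecked(SAMPLE, SAMPLE_LEN, &l);
    free_lyrics(&l);
    int b = read_lyrics_checked(SAMPLE, SAMPLE_LEN, &l);
    free_lyrics(&l);
    printf("unchecked=%d checked=%d enomem-runs=%d\n", a, b, sweep_allocation_failures());
    return 0;
}
```

The sweep is the useful part for triage: with two allocation sites the hardened parser reports -ENOMEM twice and never crashes, while the unchecked form would abort on the second site, which is exactly the shape of the read_uslt trace above (decode_str fails inside avio_close_dyn_buf, read_uslt dereferences the result).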