Opened 6 months ago

Last modified 5 months ago

#10677 new defect

Use of uninitialised variables when parsing invalid pan filters

Reported by: alexet Owned by:
Priority: minor Component: undetermined
Version: 5.1.2 Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

In af_pan.c there are quite a few uses of sscanf where the return value is only checked against zero which doesn't account for the possibility of -1 when the end of the string is reached.

Creating truncated pan filters triggers this code, and therefore the output arguments to sscanf are left uninitialized. In the examples I can create, the stack happens to be zero, so nothing bad can happen.

How to reproduce:

In this one we skip an uninitialized number of bytes into a string (it happens to be zero, so no actual issues).

valgrind ffmpeg -i video.mp4 -af "pan=mono|c0=" -c:v copy output.mp4

==148740== Use of uninitialised value of size 8
==148740==    at 0x484E399: rawmemchr (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==148740==    by 0x6FE2555: _IO_str_init_static_internal (strops.c:41)
==148740==    by 0x6FADC21: _IO_strfile_read (strfile.h:92)
==148740==    by 0x6FADC21: __isoc99_sscanf (isoc99_sscanf.c:28)
==148740==    by 0x498D5C3: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
==148740==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
==148740==    by 0x139875: ??? (in /usr/bin/ffmpeg)
==148740== 
==148740== Conditional jump or move depends on uninitialised value(s)
==148740==    at 0x6FB92D8: __vfscanf_internal (vfscanf-internal.c:628)
==148740==    by 0x6FADC60: __isoc99_sscanf (isoc99_sscanf.c:31)
==148740==    by 0x498D5C3: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==148740==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
==148740==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
==148740==    by 0x139875: ??? (in /usr/bin/ffmpeg)
==148740==    by 0x13C563: ??? (in /usr/bin/ffmpeg)

In this second case we end up with strncmp on an uninitialised char array (again, the char array is zero).

valgrind ffmpeg -i video.mp4 -af "pan=mono|c0=1*" -c:v copy output.mp4

==151668== Conditional jump or move depends on uninitialised value(s)
==151668==    at 0x484A40C: strncmp (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==151668==    by 0x6CA4103: av_channel_from_string (in /usr/lib/x86_64-linux-gnu/libavutil.so.57.28.100)
==151668==    by 0x498D5EE: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
==151668==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
==151668==    by 0x139875: ??? (in /usr/bin/ffmpeg)
==151668==    by 0x13C563: ??? (in /usr/bin/ffmpeg)
==151668== 
==151668== Conditional jump or move depends on uninitialised value(s)
==151668==    at 0x484ACAC: strcmp (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==151668==    by 0x6CA413C: av_channel_from_string (in /usr/lib/x86_64-linux-gnu/libavutil.so.57.28.100)
==151668==    by 0x498D5EE: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x498D9EF: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A52DFC: avfilter_init_dict (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A53057: avfilter_init_str (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A809E5: ??? (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x4A81417: avfilter_graph_parse2 (in /usr/lib/x86_64-linux-gnu/libavfilter.so.8.44.100)
==151668==    by 0x116C3A: ??? (in /usr/bin/ffmpeg)
==151668==    by 0x138CF8: ??? (in /usr/bin/ffmpeg)
==151668==    by 0x139875: ??? (in /usr/bin/ffmpeg)
==151668==    by 0x13C563: ??? (in /usr/bin/ffmpeg)

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
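The sscanf contract behind this report, shown as an added example that is not FFmpeg's code: sscanf returns the number of successful conversions, or EOF (-1) when the input is exhausted before the first conversion or matching failure, so a check that only treats 0 as failure lets a truncated string through with every output argument untouched. The program below parses a simplified "<gain>*<NAME>" term (an assumed stand-in for the pan filter's "c0=1*FL" style terms, not its real grammar) in two modes. The flawed mode compares the return value only against 0; the strict mode demands the exact conversion count. The UNSET and '#' sentinels are assumptions that make visible what, in real code, would be whatever the stack held.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define UNSET INT_MIN  /* sentinel standing in for an uninitialised int */

/* Result of parsing one "<gain>*<NAME>" term. Simplified grammar assumed
 * for this example; it is not FFmpeg's af_pan.c parser. */
struct term {
    double gain;
    char   name[8];
    int    gain_len;  /* bytes consumed by the gain, as reported by %n */
    int    name_len;  /* bytes consumed by the name, as reported by %n */
};

/* Returns 0 if the parser accepts `arg`, -1 if it rejects it.
 * strict == 0: the sscanf return value is only compared against 0, so an
 *              EOF (-1) on truncated input passes and the output arguments
 *              keep their previous (here: sentinel) contents.
 * strict == 1: the return value must equal the number of conversions
 *              requested, which covers both 0 and EOF. */
int parse_term(const char *arg, int strict, struct term *t)
{
    int ret, len;

    t->gain = 0.0;
    t->gain_len = t->name_len = UNSET;
    memset(t->name, '#', sizeof t->name - 1);   /* "stale stack" stand-in */
    t->name[sizeof t->name - 1] = '\0';

    len = UNSET;
    ret = sscanf(arg, "%lf%n", &t->gain, &len);
    if (strict ? ret != 1 : ret == 0)
        return -1;
    t->gain_len = len;        /* still UNSET when ret was EOF */
    if (len == UNSET)         /* real code would do arg += <garbage> here */
        return 0;
    arg += len;

    if (*arg != '*')
        return -1;
    arg++;

    len = UNSET;
    ret = sscanf(arg, "%7[A-Z]%n", t->name, &len);
    if (strict ? ret != 1 : ret == 0)
        return -1;
    t->name_len = len;        /* still UNSET when ret was EOF; name untouched */
    return 0;                 /* real code would now strcmp() on t->name */
}

/* 1 if the parser accepted `arg` while leaving a %n output unset, i.e. the
 * caller would continue with stale data; 0 otherwise. */
int accepts_with_unset(const char *arg, int strict)
{
    struct term t;
    if (parse_term(arg, strict, &t) != 0)
        return 0;
    return t.gain_len == UNSET || t.name_len == UNSET;
}

int main(void)
{
    /* Constructed inputs mirroring the two truncated terms in the report,
     * plus one well-formed term. */
    const char *inputs[] = { "", "1*", "1*FL" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        struct term t;
        int flawed = parse_term(inputs[i], 0, &t);
        printf("\"%s\": flawed check -> %s (gain_len=%d name=\"%s\"), ",
               inputs[i], flawed ? "reject" : "accept", t.gain_len, t.name);
        int strict = parse_term(inputs[i], 1, &t);
        printf("strict check -> %s\n", strict ? "reject" : "accept");
    }
    return 0;
}
```

The usable fix is the strict comparison: test the return value against the number of conversions requested (or at least `ret < 1`), so EOF is rejected like a matching failure. Initialising the output variables before the call is worthwhile defence in depth, but it only turns a read of stale stack into a read of a known value; the input still has to be rejected.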

Change History (1)

comment:1 by Cigaes, 5 months ago

Hi. Thanks for the report. See the patch on the mailing-list:
https://ffmpeg.org/pipermail/ffmpeg-devel/2023-December/317610.html
