Opened 13 months ago
Closed 13 months ago
#10304 closed defect (fixed)
Segmentation Violation in ffmpeg (libavformat/concat.c:142 in concat_read)
| Reported by: | Youngseok Choi | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | fuzzing, SIGSEGV |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | yes | |
| Analyzed by developer: | yes |
Description
Hi, our fuzzer found a new SEGV in ffmpeg.
Command to Reproduce
ffmpeg -i concatf:concatf:poc_file
poc_file is attached.
Backtrace (Address Sanitizer)
==5776==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556a5ba8f bp 0x7fffffffc300 sp 0x7fffffffc2c0 T0)
==5776==The signal is caused by a READ memory access.
==5776==Hint: address points to the zero page.
#0 0x555556a5ba8e in concat_read libavformat/concat.c:142
#1 0x555556554f31 in retry_transfer_wrapper libavformat/avio.c:370
#2 0x555556555163 in ffurl_read libavformat/avio.c:405
#3 0x55555655a09f in read_packet_wrapper libavformat/aviobuf.c:525
#4 0x55555655a785 in fill_buffer libavformat/aviobuf.c:569
#5 0x55555655b25a in avio_read libavformat/aviobuf.c:664
#6 0x55555655fbba in avio_read_to_bprint libavformat/aviobuf.c:1352
#7 0x555556a5c340 in concatf_open libavformat/concat.c:236
#8 0x555556553dc0 in ffurl_connect libavformat/avio.c:209
#9 0x555556554e2d in ffurl_open_whitelist libavformat/avio.c:347
#10 0x55555655ef0a in ffio_open_whitelist libavformat/aviobuf.c:1230
#11 0x5555568b6280 in io_open_default libavformat/options.c:151
#12 0x5555565aae95 in init_input libavformat/demux.c:174
#13 0x5555565ab937 in avformat_open_input libavformat/demux.c:254
#14 0x555555a95532 in ifile_open fftools/ffmpeg_demux.c:1051
#15 0x555555adb403 in open_files fftools/ffmpeg_opt.c:1244
#16 0x555555adb778 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1283
#17 0x555555b195ba in main fftools/ffmpeg.c:4165
#18 0x7ffff5601c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#19 0x555555a84499 in _start (/home/youngseok/subjects/latest_asan_sources/ffmpeg/ffmpeg_g+0x530499)
Assembler code around pc (gdb)
Dump of assembler code from 0x555556a5ba6f to 0x555556a5baaf: 0x0000555556a5ba6f <concat_read+191>: mov %rax,%rdx 0x0000555556a5ba72 <concat_read+194>: mov %rdx,%rcx 0x0000555556a5ba75 <concat_read+197>: shr $0x3,%rcx 0x0000555556a5ba79 <concat_read+201>: add $0x7fff8000,%rcx 0x0000555556a5ba80 <concat_read+208>: movzbl (%rcx),%ecx 0x0000555556a5ba83 <concat_read+211>: test %cl,%cl 0x0000555556a5ba85 <concat_read+213>: je 0x555556a5ba8f <concat_read+223> 0x0000555556a5ba87 <concat_read+215>: mov %rdx,%rdi 0x0000555556a5ba8a <concat_read+218>: callq 0x555555a83ea0 <__asan_report_load8@plt> => 0x0000555556a5ba8f <concat_read+223>: mov (%rax),%rax 0x0000555556a5ba92 <concat_read+226>: mov -0x34(%rbp),%edx 0x0000555556a5ba95 <concat_read+229>: mov -0x30(%rbp),%rcx 0x0000555556a5ba99 <concat_read+233>: mov %rcx,%rsi 0x0000555556a5ba9c <concat_read+236>: mov %rax,%rdi 0x0000555556a5ba9f <concat_read+239>: callq 0x55555655509c <ffurl_read> 0x0000555556a5baa4 <concat_read+244>: mov %eax,-0x20(%rbp) 0x0000555556a5baa7 <concat_read+247>: cmpl $0xdfb9b0bb,-0x20(%rbp) 0x0000555556a5baae <concat_read+254>: jne 0x555556a5bb4a <concat_read+410>
Registers Info
rax 0x0 0
rbx 0x7fffffffc3f0 140737488339952
rcx 0x0 0
rdx 0x0 0
rsi 0x62d00000a400 108645492761600
rdi 0x612000000640 106790066849344
rbp 0x7fffffffc250 0x7fffffffc250
rsp 0x7fffffffc210 0x7fffffffc210
r8 0x0 0
r9 0x0 0
r10 0x7fffffffbe38 140737488338488
r11 0x0 0
r12 0xffffffff87e 17592186042494
r13 0x7fffffffc850 140737488341072
r14 0x7fffffffc3f0 140737488339952
r15 0x7fffffffd490 140737488344208
rip 0x555556a5ba8f 0x555556a5ba8f <concat_read+223>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0xffff 65535
fstat 0xffff 65535
ftag 0xaaaa 43690
fiseg 0x1 1
fioff 0x0 0
foseg 0x5555 21845
fooff 0xa 10
fop 0x7ff 2047
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
ymm0 {v8_float = {0xffffffff, 0x0, 0xffffffff, 0xffffffff, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x7fffffffffffffff, 0x0, 0x0}, v32_int8 = {
0x63, 0x6f, 0x6e, 0x63, 0x61, 0x74, 0x66, 0x2c, 0x63, 0x6f, 0x6e, 0x63, 0x61, 0x74, 0x2c, 0x66, 0x0 <repeats 16 times>}, v16_int16 = {0x6f63,
0x636e, 0x7461, 0x2c66, 0x6f63, 0x636e, 0x7461, 0x662c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x636e6f63, 0x2c667461, 0x636e6f63,
0x662c7461, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x2c667461636e6f63, 0x662c7461636e6f63, 0x0, 0x0}, v2_int128 = {0x662c7461636e6f632c667461636e6f63,
0x0}}
ymm1 {v8_float = {0xffffffff, 0x0, 0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x61, 0x74, 0x2c,
0x66, 0x69, 0x6c, 0x65, 0x2c, 0x73, 0x75, 0x62, 0x66, 0x69, 0x6c, 0x65, 0x0 <repeats 17 times>}, v16_int16 = {0x7461, 0x662c, 0x6c69, 0x2c65,
0x7573, 0x6662, 0x6c69, 0x65, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x662c7461, 0x2c656c69, 0x66627573, 0x656c69, 0x0, 0x0, 0x0,
0x0}, v4_int64 = {0x2c656c69662c7461, 0x656c6966627573, 0x0, 0x0}, v2_int128 = {0x656c69666275732c656c69662c7461, 0x0}}
ymm2 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0x0, 0x0, 0xff, 0xff, 0xff, 0x0, 0xff, 0xff, 0x0 <repeats 17 times>}, v16_int16 = {0xff00, 0xffff, 0xffff, 0xff, 0xff00, 0xffff, 0xff00,
0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xffffff00, 0xffffff, 0xffffff00, 0xffff00, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {
0xffffffffffff00, 0xffff00ffffff00, 0x0, 0x0}, v2_int128 = {0xffff00ffffff0000ffffffffffff00, 0x0}}
---Type <return> to continue, or q <return> to quit---
ymm3 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0xff, 0x0 <repeats 30 times>},
v16_int16 = {0xff00, 0x0 <repeats 15 times>}, v8_int32 = {0xff00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0xff00, 0x0, 0x0, 0x0},
v2_int128 = {0xff00, 0x0}}
ymm4 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm5 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm6 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm7 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm8 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0xd0, 0x23, 0xfd, 0xf7, 0xff, 0x7f,
0x0, 0x0, 0xc0, 0x28, 0xfd, 0xf7, 0xff, 0x7f, 0x0 <repeats 18 times>}, v16_int16 = {0x23d0, 0xf7fd, 0x7fff, 0x0, 0x28c0, 0xf7fd, 0x7fff, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0xf7fd23d0, 0x7fff, 0xf7fd28c0, 0x7fff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x7ffff7fd23d0,
0x7ffff7fd28c0, 0x0, 0x0}, v2_int128 = {0x7ffff7fd28c000007ffff7fd23d0, 0x0}}
ymm9 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm10 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm11 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm12 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm13 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm14 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
ymm15 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {0x0, 0x0}}
Environment
Built with address sanitizer.
ffmpeg version N-110167-g97c95961f0 Copyright (c) 2000-2023 the FFmpeg developers built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04) configuration: --prefix=/home/youngseok/subjects/latest_asan_install/ffmpeg --extra-cflags='-fsanitize=address -g -O0' --extra-cxxflags='-fsanitize=address -g -O0' --extra-ldflags='-fsanitize=address -g -O0' --disable-optimizations --disable-stripping
Attachments (1)
Change History (3)
by , 13 months ago
comment:1 by , 13 months ago
| Component: | ffmpeg → undetermined |
|---|---|
| Keywords: | SIGSEGV added |
comment:2 by , 13 months ago
| Analyzed by developer: | set |
|---|---|
| Component: | undetermined → avformat |
| Priority: | normal → important |
| Reproduced by developer: | set |
| Resolution: | → fixed |
| Status: | new → closed |
Fixed in 19c2dc677f81c940aebe63ed09dacf5c725f0b35.
Note:
See TracTickets
for help on using tickets.
poc_file used in command input