Opened 7 weeks ago
Closed 7 weeks ago
#11133 closed defect (fixed)
heap-buffer-overflow in libavcodec/bytestream.h:99:1
| Reported by: | kmfl | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avcodec |
| Version: | git-master | Keywords: | |
| Cc: | kmfl | Blocked By: | |
| Blocking: | Reproduced by developer: | yes | |
| Analyzed by developer: | yes |
Description
Summary of the bug:
An heap-buffer-overflow bug was found in the latest version, it may cause information leaks or arbitrary code execution
How to reproduce:
/home/ffmpeg-debug/ffmpeg_g -i ./heap_overflow_ffmpeg test ffmpeg version N-116549-g94165d1b79 Copyright (c) 2000-2024 the FFmpeg developers built with Ubuntu clang version 15.0.7 configuration: --disable-shared --pkg-config-flags=--static --extra-libs='-lpthread -lm' --enable-gpl --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libx264 --enable-libx265 --enable-nonfree --enable-debug --cc=clang-15 --cxx=clang++-15 --extra-cflags='-fsanitize=address' --extra-cxxflags='-fsanitize=address' --extra-ldflags='-fsanitize=address' libavutil 59. 32.100 / 59. 32.100 libavcodec 61. 11.100 / 61. 11.100 libavformat 61. 5.101 / 61. 5.101 libavdevice 61. 2.100 / 61. 2.100 libavfilter 10. 2.102 / 10. 2.102 libswscale 8. 2.100 / 8. 2.100 libswresample 5. 2.100 / 5. 2.100 libpostproc 58. 2.100 / 58. 2.100 Ignoring attempt to set invalid timebase 1/0 for st:0 Truncating packet of size 13303840 to 39173 [genh @ 0x617000000080] Packet corrupt (stream = 0, dts = NOPTS). Aborted
ASAN output:
=================================================================
==21==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000a6da at pc 0x55ca233d5857 bp 0x7ffe3caa63d0 sp 0x7ffe3caa63c8
READ of size 1 at 0x62e00000a6da thread T0
#0 0x55ca233d5856 in bytestream_get_byte /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
#1 0x55ca233d5856 in bytestream2_get_byteu /home/ffmpeg-debug/libavcodec/bytestream.h:99:1
#2 0x55ca233d5856 in adpcm_decode_frame /home/ffmpeg-debug/libavcodec/adpcm.c:2136:5
#3 0x55ca21bbde79 in decode_simple_internal /home/ffmpeg-debug/libavcodec/decode.c:429:20
#4 0x55ca21bbde79 in decode_simple_receive_frame /home/ffmpeg-debug/libavcodec/decode.c:600:15
#5 0x55ca21bbde79 in decode_receive_frame_internal /home/ffmpeg-debug/libavcodec/decode.c:631:15
#6 0x55ca21bbd73b in avcodec_send_packet /home/ffmpeg-debug/libavcodec/decode.c:721:15
#7 0x55ca21413f0c in try_decode_frame /home/ffmpeg-debug/libavformat/demux.c:2156:19
#8 0x55ca2140cfd0 in avformat_find_stream_info /home/ffmpeg-debug/libavformat/demux.c:2840:9
#9 0x55ca208db180 in ifile_open /home/ffmpeg-debug/fftools/ffmpeg_demux.c:1771:15
#10 0x55ca2092ff26 in open_files /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1188:15
#11 0x55ca2092ff26 in ffmpeg_parse_options /home/ffmpeg-debug/fftools/ffmpeg_opt.c:1228:11
#12 0x55ca2095abff in main /home/ffmpeg-debug/fftools/ffmpeg.c:972:11
#13 0x7fbefc6e4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#14 0x7fbefc6e4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#15 0x55ca2080fd64 in _start (/home/ffmpeg-debug/ffmpeg_g+0x6fbd64) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)
0x62e00000a6da is located 0 bytes to the right of 41690-byte region [0x62e000000400,0x62e00000a6da)
allocated by thread T0 here:
#0 0x55ca20895bb6 in __interceptor_realloc (/home/ffmpeg-debug/ffmpeg_g+0x781bb6) (BuildId: 57eb6649ff2e46e9c688b47e4f433eb0b6bf07e4)
#1 0x55ca242b9339 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:192:25
#2 0x55ca242b9190 in av_buffer_realloc /home/ffmpeg-debug/libavutil/buffer.c:214:15
#3 0x55ca224e1ab9 in av_grow_packet /home/ffmpeg-debug/libavcodec/packet.c:151:19
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ffmpeg-debug/libavcodec/bytestream.h:99:1 in bytestream_get_byte
Shadow bytes around the buggy address:
0x0c5c7fff9480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff9490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff94d0: 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa
0x0c5c7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==21==ABORTING
Attachments (1)
Change History (2)
by , 7 weeks ago
| Attachment: | heap_overflow_ffmpeg added |
|---|
comment:1 by , 7 weeks ago
| Analyzed by developer: | set |
|---|---|
| Priority: | critical → important |
| Reproduced by developer: | set |
| Resolution: | → fixed |
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Poc to trigger this bug