Opened 3 days ago

#11389 new defect

heap-buffer-overflow at libavformat/dump.c:792:34 on ffmpeg

Reported by: 0x20z
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: bugs
Cc: 0x20z
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
Dear developers,
I discovered a heap overflow vulnerability while using format conversion. The POC file is attached to the session, and the version of ffmpeg is N-118197-gbb85423142, master branch. Please confirm.

How to reproduce:

git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g"   --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile
make -j30

ASAN log:

=================================================================
==1366945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000001db8 at pc 0x5c82931d7ca9 bp 0x7ffc11d48a90 sp 0x7ffc11d48a88
READ of size 8 at 0x613000001db8 thread T0
    #0 0x5c82931d7ca8  (FFmpeg/ffmpeg+0x13f0ca8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #1 0x5c82927865a3  (FFmpeg/ffmpeg+0x99f5a3) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #2 0x5c82927c8e0b  (FFmpeg/ffmpeg+0x9e1e0b) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #3 0x5c82927f60ef  (FFmpeg/ffmpeg+0xa0f0ef) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #4 0x7ee34e629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7ee34e629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x5c82926b7ce4  (FFmpeg/ffmpeg+0x8d0ce4) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)

0x613000001db8 is located 0 bytes to the right of 376-byte region [0x613000001c40,0x613000001db8)
allocated by thread T0 here:
    #0 0x5c829273af56 in realloc (FFmpeg/ffmpeg+0x953f56) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #1 0x5c82934420cd  (FFmpeg/ffmpeg+0x165b0cd) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #2 0x5c82931b05e8  (FFmpeg/ffmpeg+0x13c95e8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #3 0x5c8292783233  (FFmpeg/ffmpeg+0x99c233) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #4 0x5c82927c8e0b  (FFmpeg/ffmpeg+0x9e1e0b) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #5 0x5c82927f60ef  (FFmpeg/ffmpeg+0xa0f0ef) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #6 0x7ee34e629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (FFmpeg/ffmpeg+0x13f0ca8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c) 
Shadow bytes around the buggy address:
  0x0c267fff8360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c267fff8380: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c267fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff83b0: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x0c267fff83c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff83d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff83e0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff83f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c267fff8400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1366945==ABORTING

ffmpeg version:

# ./ffmpeg -version
ffmpeg version N-118197-gbb85423142 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan --enable-cross-compile
libavutil      59. 53.100 / 59. 53.100
libavcodec     61. 28.100 / 61. 28.100
libavformat    61.  9.102 / 61.  9.102
libavdevice    61.  4.100 / 61.  4.100
libavfilter    10.  6.101 / 10.  6.101
libswscale      8. 13.100 /  8. 13.100
libswresample   5.  4.100 /  5.  4.100

Found by:

Found by 0x20z

Thank you for your time and attention
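The stack frames in the ASan report above are unsymbolized (module plus offset only), which is what a developer has to resolve before the crash can be matched to dump.c:792. The following is an added triage helper, not part of the ticket or of FFmpeg: it parses the report lines quoted in this ticket, checks the region arithmetic, and emits the llvm-symbolizer invocations for the unsymbolized frames. The sample input is copied from the report above; the binary path and the tool name are assumptions.

```python
import re

# Constructed sample input: lines copied from the ASan report in this ticket.
ASAN_LOG = """\
==1366945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000001db8 at pc 0x5c82931d7ca9 bp 0x7ffc11d48a90 sp 0x7ffc11d48a88
READ of size 8 at 0x613000001db8 thread T0
    #0 0x5c82931d7ca8  (FFmpeg/ffmpeg+0x13f0ca8) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #1 0x5c82927865a3  (FFmpeg/ffmpeg+0x99f5a3) (BuildId: d9813d42ed110d0d0780865381db8c33a24a231c)
    #4 0x7ee34e629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
0x613000001db8 is located 0 bytes to the right of 376-byte region [0x613000001c40,0x613000001db8)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
# Only frames printed as (module+offset) need symbolizing; "in <symbol>" frames are already resolved.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+\((\S+)\+(0x[0-9a-f]+)\)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_asan(log):
    """Extract the bug kind, the faulting access, the allocation bounds and the unsymbolized frames."""
    report = {"frames": []}
    for line in log.splitlines():
        if m := ERROR_RE.search(line):
            report["kind"], report["addr"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            report["access"], report["size"] = m.group(1), int(m.group(2))
        elif m := FRAME_RE.match(line):
            report["frames"].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := REGION_RE.search(line):
            report["region_size"] = int(m.group(3))
            report["region_start"], report["region_end"] = int(m.group(4), 16), int(m.group(5), 16)
    # Bytes of the access that lie past the end of the allocation (0 would mean in bounds).
    # "0 bytes to the right" plus an 8-byte read means the whole read is out of bounds.
    report["bytes_past_end"] = max(0, report["addr"] + report["size"] - report["region_end"])
    return report

def symbolizer_commands(report, tool="llvm-symbolizer"):
    """One command per unsymbolized frame. The module-relative offset ASan prints is exactly what
    the symbolizer expects; run it against the binary matching the BuildId or the lines will be wrong."""
    return [f"{tool} --obj={module} {offset}" for _, module, offset in report["frames"]]

if __name__ == "__main__":
    r = parse_asan(ASAN_LOG)
    print(f"{r['kind']}: {r['access']} of {r['size']} bytes, "
          f"{r['bytes_past_end']} past the end of a {r['region_size']}-byte region")
    print("\n".join(symbolizer_commands(r)))
```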

Attachments (1)

poc1 (16.0 KB) - added by 0x20z 3 days ago.


Change History (1)

by 0x20z, 3 days ago

Attachment: poc1 added