Opened 2 weeks ago

Closed 2 weeks ago

#11395 closed defect (fixed)

null pointer deref similar to https://trac.ffmpeg.org/ticket/11392 when using the aeval filter in filtergraphs

Reported by: somehacker
Owned by:
Priority: important
Component: avfilter
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: yes

Description

Summary of the bug:

Hi! I found another potential null pointer deref.

How to reproduce:

% ./ffmpeg -i input -vf "aeval=:1" output
ffmpeg version git-2025-01-01-df09465 Copyright (c) 2000-2024 the FFmpeg developers
  built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04)
  configuration: --disable-x86asm --enable-debug=3 --disable-optimizations
  libavutil      59. 53.100 / 59. 53.100
  libavcodec     61. 28.100 / 61. 28.100
  libavformat    61.  9.102 / 61.  9.102
  libavdevice    61.  4.100 / 61.  4.100
  libavfilter    10.  6.101 / 10.  6.101
  libswscale      8. 13.100 /  8. 13.100
  libswresample   5.  4.100 /  5.  4.100

built on:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

Here is the ASAN output from the debug binary (ffmpeg_g). The contents of the input file are not important, since this bug occurs with any input file. I found this bug via fuzzing and, once again, if you want to read about it you can do so here: https://personnumber3377.github.io/projects/fuzzing_ffmpeg_avfilter_graph_parse_ptr.html

ffmpeg version git-2025-01-01-df09465 Copyright (c) 2000-2024 the FFmpeg developers
  built with gcc 13 (Ubuntu 13.3.0-6ubuntu2~24.04)
  configuration: --disable-x86asm --enable-debug=3 --disable-optimizations
  libavutil      59. 53.100 / 59. 53.100
  libavcodec     61. 28.100 / 61. 28.100
  libavformat    61.  9.102 / 61.  9.102
  libavdevice    61.  4.100 / 61.  4.100
  libavfilter    10.  6.101 / 10.  6.101
  libswscale      8. 13.100 /  8. 13.100
  libswresample   5.  4.100 /  5.  4.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'sample.mp4':
  Metadata:
    major_brand     : mp42
    minor_version   : 0
    compatible_brands: mp42mp41isomavc1
    creation_time   : 2015-08-07T09:13:02.000000Z
  Duration: 00:00:30.53, start: 0.000000, bitrate: 411 kb/s
  Stream #0:0[0x1](und): Video: h264 (Constrained Baseline) (avc1 / 0x31637661), yuv420p(progressive), 480x270 [SAR 1:1 DAR 16:9], 301 kb/s, 30 fps, 30 tbr, 30 tbn (default)
    Metadata:
      creation_time   : 2015-08-07T09:13:02.000000Z
      handler_name    : L-SMASH Video Handler
      vendor_id       : [0][0][0][0]
      encoder         : AVC Coding
  Stream #0:1[0x2](und): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, stereo, fltp, 112 kb/s (default)
    Metadata:
      creation_time   : 2015-08-07T09:13:02.000000Z
      handler_name    : L-SMASH Audio Handler
      vendor_id       : [0][0][0][0]
libavutil/eval.c:718:25: runtime error: null pointer passed as argument 1, which is declared to never be null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3568872==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4b2f59875d bp 0x7ffebc34a090 sp 0x7ffebc349818 T0)
==3568872==The signal is caused by a READ memory access.
==3568872==Hint: address points to the zero page.
    #0 0x7f4b2f59875d in __strlen_avx2 ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
    #1 0x7f4b302eb826 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
    #2 0x55fd83dc02f6 in av_expr_parse libavutil/eval.c:718
    #3 0x55fd7d75f6b8 in parse_channel_expressions libavfilter/aeval.c:156
    #4 0x55fd7d75fd76 in init libavfilter/aeval.c:185
    #5 0x55fd7c67e25e in avfilter_init_dict libavfilter/avfilter.c:939
    #6 0x55fd7c751af9 in avfilter_graph_segment_init libavfilter/graphparser.c:634
    #7 0x55fd7c7558ce in avfilter_graph_segment_apply libavfilter/graphparser.c:905
    #8 0x55fd7c3f65d5 in graph_parse fftools/ffmpeg_filter.c:595
    #9 0x55fd7c4001b6 in fg_create fftools/ffmpeg_filter.c:1104
    #10 0x55fd7c401676 in fg_create_simple fftools/ffmpeg_filter.c:1203
    #11 0x55fd7c441846 in ost_bind_filter fftools/ffmpeg_mux_init.c:999
    #12 0x55fd7c44c333 in ost_add fftools/ffmpeg_mux_init.c:1536
    #13 0x55fd7c44e7eb in map_auto_video fftools/ffmpeg_mux_init.c:1640
    #14 0x55fd7c454848 in create_streams fftools/ffmpeg_mux_init.c:1969
    #15 0x55fd7c46bcde in of_open fftools/ffmpeg_mux_init.c:3335
    #16 0x55fd7c47be1b in open_files fftools/ffmpeg_opt.c:1363
    #17 0x55fd7c47c626 in ffmpeg_parse_options fftools/ffmpeg_opt.c:1419
    #18 0x55fd7c4db981 in main fftools/ffmpeg.c:974
    #19 0x7f4b2f4371c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #20 0x7f4b2f43728a in __libc_start_main_impl ../csu/libc-start.c:360
    #21 0x55fd7c397ba4 in _start (/home/oof/ffmpegfuzzerthing/myfork/backupshit/new/FFmpeg/ffmpeg_g+0xbef5ba4) (BuildId: f16d7ec11e94c65e71ebe53cf79988601733f849)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/strlen-avx2.S:76 in __strlen_avx2
==3568872==ABORTING

Thanks in advance!
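As an added illustration (not FFmpeg's code and not part of the report), here is a hardened model in C of the step the trace shows failing: a '|'-separated per-channel expression list is split and validated before any entry is handed to a parser that, like av_expr_parse, calls strlen() on its argument, so a missing list such as the one `aeval=:1` supplies is turned into an error instead of a NULL dereference. The names parse_exprs_checked, expr_list_t, parse_one_expr and check_case are hypothetical; the reuse-last-expression rule follows the aeval documentation.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CHANNELS 8
typedef struct {
    int   nb;                 /* number of expressions stored */
    char *expr[MAX_CHANNELS]; /* heap copies, NULL when unused */
} expr_list_t;

void free_exprs(expr_list_t *l)
{
    for (int i = 0; i < l->nb; i++) free(l->expr[i]);
    l->nb = 0;
}

/* Stand-in for an expression parser that, like av_expr_parse in the trace
 * above, calls strlen() on its argument and so must never be handed NULL. */
static int parse_one_expr(const char *s) { return strlen(s) ? 0 : -EINVAL; }

/* Split a '|'-separated list into per-channel expressions. A NULL or empty list
 * (what "aeval=:1" supplies) and empty entries ("|1", "a||b") are rejected before
 * anything reaches parse_one_expr; with fewer expressions than channels the last
 * one is reused, as the aeval documentation describes. Returns 0 or -errno. */
int parse_exprs_checked(const char *exprs, int nb_channels, expr_list_t *out)
{
    memset(out, 0, sizeof(*out));
    if (!exprs || !*exprs || nb_channels < 1 || nb_channels > MAX_CHANNELS)
        return -EINVAL;
    const char *p = exprs;                  /* NULL once the list is exhausted */
    for (int i = 0; i < nb_channels; i++) {
        const char *src = p ? p : out->expr[i - 1];   /* reuse previous entry */
        size_t n = p ? strcspn(p, "|") : strlen(src); /* n == 0: empty entry */
        if (n == 0 || !(out->expr[i] = calloc(n + 1, 1))) { free_exprs(out); return -EINVAL; }
        memcpy(out->expr[i], src, n);       /* calloc supplied the terminator */
        out->nb++;                          /* counted first so cleanup frees it */
        if (parse_one_expr(out->expr[i]) < 0) { free_exprs(out); return -EINVAL; }
        p = (p && p[n] == '|') ? p + n + 1 : NULL;
    }
    return 0;
}

/* 1 when parsing yields want_ret and, if want is set, expr[idx] equals want. */
int check_case(const char *exprs, int nb, int want_ret, int idx, const char *want)
{
    expr_list_t l;
    int ret = parse_exprs_checked(exprs, nb, &l);
    int ok = ret == want_ret && (!want || (idx < l.nb && !strcmp(l.expr[idx], want)));
    free_exprs(&l);
    return ok;
}
```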

Change History (1)

comment:1 by James, 2 weeks ago

Keywords: expression filters removed
Resolution: fixed
Status: new → closed