Opened 2 weeks ago

Closed 10 days ago

#11407 closed defect (invalid)

heap-buffer-overflow vulnerability found in function mov_read_trun at /ffmpeg/libavformat/mov.c:5944

Reported by: SuTong
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug: heap-buffer-overflow vulnerability in the latest version of ffmpeg
How to reproduce:

% ffmpeg -y -i ./poc -c:v mpeg4 -c:a copy -f mp4 /dev/null 

>>   built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
>>   configuration: --cc=gcc --cxx=g++ --extra-cflags=-g --extra-cxxflags=-g --disable-x86asm

gdb information:

# gdb --args ./ffmpeg_g -y -i ./id\:000000\,sig\:06\,src\:000027\,time\:8201187\,execs\:182576\,op\:havoc\,rep\:2 -c:v mpeg4 -c:a copy -f mp4 /dev/null
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffmpeg_g...
(gdb) r
Starting program: /fuzz/oss-ffmpeg/ffmpeg-gdb/ffmpeg/ffmpeg_g -y -i ./id:000000,sig:06,src:000027,time:8201187,execs:182576,op:havoc,rep:2 -c:v mpeg4 -c:a copy -f mp4 /dev/null
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-118236-g07e54f9b5c Copyright (c) 2000-2025 the FFmpeg developers
  built with gcc 9 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
  configuration: --cc=gcc --cxx=g++ --extra-cflags=-g --extra-cxxflags=-g --disable-x86asm
  libavutil      59. 54.101 / 59. 54.101
  libavcodec     61. 29.100 / 61. 29.100
  libavformat    61.  9.104 / 61.  9.104
  libavdevice    61.  4.100 / 61.  4.100
  libavfilter    10.  6.101 / 10.  6.101
  libswscale      8. 13.100 /  8. 13.100
  libswresample   5.  4.100 /  5.  4.100
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x562b2c87c980] Broken file, trak/mdat not at top-level
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x562b2c87c980] overread end of atom 'stsd' by 19133 bytes
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x562b2c87c980] Duplicated STTS atom

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
440     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x0000562b12d964e9 in memmove (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
#2  mov_read_trun (c=c@entry=0x562b2c87d640, pb=pb@entry=0x562b2c8856c0, atom=...) at libavformat/mov.c:5944
#3  0x0000562b12d8d71c in mov_read_default (c=c@entry=0x562b2c87d640, pb=pb@entry=0x562b2c8856c0, atom=...) at libavformat/mov.c:9488
#4  0x0000562b12d8d71c in mov_read_default (c=0x562b2c87d640, pb=0x562b2c8856c0, atom=...) at libavformat/mov.c:9488
#5  0x0000562b12d8d71c in mov_read_default (c=c@entry=0x562b2c87d640, pb=pb@entry=0x562b2c8856c0, atom=...) at libavformat/mov.c:9488
#6  0x0000562b12da2afe in mov_read_header (s=0x562b2c87c980) at libavformat/mov.c:10519
#7  0x0000562b12d23fa9 in avformat_open_input (ps=ps@entry=0x7ffcd75c6bc0, 
    filename=filename@entry=0x7ffcd75c83ef "/out/0103-paflpp-ffmpeg_DEMUXER_fuzzer-pcguard/clien1/crashes/id:000000,sig:06,src:000027,time:8201187,execs:182576,op:havoc,rep:2", 
    fmt=fmt@entry=0x0, options=0x562b2c87c558) at libavformat/demux.h:140
#8  0x0000562b12a60afb in ifile_open (o=o@entry=0x7ffcd75c6f60, filename=<optimized out>, sch=sch@entry=0x562b2c87c040) at fftools/ffmpeg_demux.c:1727
#9  0x0000562b12a77ebd in open_files (inout=inout@entry=0x562b138902a1 "input", sch=sch@entry=0x562b2c87c040, open_file=0x562b12a60410 <ifile_open>, l=<optimized out>, l=<optimized out>)
    at fftools/ffmpeg_opt.c:1363
#10 0x0000562b12a79ea6 in ffmpeg_parse_options (argc=<optimized out>, argv=<optimized out>, sch=0x562b2c87c040) at fftools/ffmpeg_opt.c:1412
#11 0x0000562b12a593e8 in main (argc=11, argv=0x7ffcd75c7c38) at fftools/ffmpeg.c:974
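Added example, not FFmpeg code and not a reproduction of this ticket's bug (the ticket does not say which field drove the bad memmove): a minimal ISO BMFF box walker in C showing the bounds checks an atom parser needs so that untrusted size and count fields cannot push a memmove/memcpy past a heap buffer. The 8-byte size/type box header and the moof/traf/trun nesting are real ISO BMFF; the simplified trun payload layout, the function names (walk, parse_entries, build_sample, check_sample) and the sample bytes are constructed for this example. The "child exceeds parent" case is the condition behind the "overread end of atom" warning in the log above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BOX_OK = 0, BOX_TRUNCATED = -1, BOX_OVERREAD = -2, BOX_BAD_COUNT = -3 };

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Hypothetical simplified 'trun' payload: 4-byte entry count, then 8-byte
 * (duration, size) entries. The real trun box also carries version/flags and
 * optional fields; they are left out so the two bounds checks stand out.
 * Copies entries into out (capacity out_cap) and returns the number copied,
 * or a negative BOX_* code. */
static int parse_entries(const uint8_t *p, size_t len, uint64_t *out, size_t out_cap) {
    if (len < 4)
        return BOX_TRUNCATED;
    uint32_t count = rd32(p);
    /* Check 1: the declared count must be backed by bytes inside this box.
     * Widen before multiplying so a huge count cannot wrap to a small value. */
    if ((uint64_t)count * 8 > (uint64_t)(len - 4))
        return BOX_BAD_COUNT;
    /* Check 2: and must fit the destination buffer before any memcpy/memmove. */
    if (count > out_cap)
        return BOX_BAD_COUNT;
    memcpy(out, p + 4, (size_t)count * 8);
    return (int)count;
}

/* Walk the boxes in [p, p + len). Each child's size field is validated against
 * the parent's remaining bytes before the child is read. *truns counts trun
 * payloads that parsed cleanly. */
static int walk(const uint8_t *p, size_t len, int depth, int *truns) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 8)                  /* 8-byte header does not fit */
            return BOX_TRUNCATED;
        uint32_t size = rd32(p + off);
        const uint8_t *type = p + off + 4;
        if (size == 0)                      /* size 0: box runs to end of parent */
            size = (uint32_t)(len - off);
        if (size == 1)                      /* 64-bit largesize: not handled here */
            return BOX_TRUNCATED;
        if (size < 8)                       /* smaller than its own header */
            return BOX_OVERREAD;
        if (size > len - off)               /* Check 3: child must lie inside parent */
            return BOX_OVERREAD;
        const uint8_t *body = p + off + 8;
        size_t blen = size - 8;
        if (!memcmp(type, "moof", 4) || !memcmp(type, "traf", 4)) {
            if (depth >= 8)                 /* cap recursion on hostile nesting */
                return BOX_OVERREAD;
            int r = walk(body, blen, depth + 1, truns);
            if (r != BOX_OK)
                return r;
        } else if (!memcmp(type, "trun", 4)) {
            uint64_t entries[16];           /* fixed-capacity destination */
            int n = parse_entries(body, blen, entries, 16);
            if (n < 0)
                return n;
            (*truns)++;
        }
        off += size;
    }
    return BOX_OK;
}

/* Constructed 44-byte sample: moof { traf { trun { 2 entries } } }. trun_count
 * and traf_size are written verbatim so malformed variants can be built. */
static size_t build_sample(uint8_t *buf, uint32_t trun_count, uint32_t traf_size) {
    uint8_t *p = buf;
    wr32(p, 44);        memcpy(p + 4, "moof", 4); p += 8;
    wr32(p, traf_size); memcpy(p + 4, "traf", 4); p += 8;
    wr32(p, 28);        memcpy(p + 4, "trun", 4); p += 8;
    wr32(p, trun_count);                          p += 4;
    for (uint32_t i = 0; i < 2; i++) {            /* two real (duration, size) entries */
        wr32(p, 1000 + i); wr32(p + 4, 500 + i);  p += 8;
    }
    return (size_t)(p - buf);
}

/* Returns the number of trun boxes parsed, or the negative BOX_* error. */
static int check_sample(uint32_t trun_count, uint32_t traf_size) {
    uint8_t buf[44];
    size_t n = build_sample(buf, trun_count, traf_size);
    int truns = 0;
    int r = walk(buf, n, 0, &truns);
    return r == BOX_OK ? truns : r;
}

int main(void) {
    printf("well-formed:          %d\n", check_sample(2, 36));           /* 1 */
    printf("count too large:      %d\n", check_sample(1000, 36));        /* -3 */
    printf("count near 2^32:      %d\n", check_sample(0xFFFFFFFFu, 36)); /* -3 */
    printf("child exceeds parent: %d\n", check_sample(2, 100));          /* -2 */
    return 0;
}
```

The checks are ordered so that the count is rejected before any copy happens; a parser that allocates or memmoves first and validates afterwards is exactly the pattern that turns a fuzzer-mutated count or size field into the kind of memmove crash shown in the backtrace above. Running a build instrumented with AddressSanitizer (-fsanitize=address) against the attached poc would report the faulting access with its allocation site, which a plain SIGSEGV under gdb does not.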

Attachments (1)

poc_1 (33.3 KB ) - added by SuTong 2 weeks ago.


Change History (4)

by SuTong, 2 weeks ago

Attachment: poc_1 added

comment:1 by James, 11 days ago

I can't reproduce with current git head. Can you confirm if it's fixed for you?

comment:2 by SuTong, 10 days ago (in reply to comment:1)

Replying to James:

I can't reproduce with current git head. Can you confirm if it's fixed for you?

Yes, this issue was fixed on January 10th. The mov.c file has now been reverted to commit #292c1df7c, which was made in 2024, and it will not be triggered in the current latest commit. Thank you. For more details, please refer to https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/292c1df7c159c8a1a7afe52613d164ff417e81ce

Last edited 10 days ago by SuTong

comment:3 by James, 10 days ago

Component: undetermined → avformat
Resolution: invalid
Status: new → closed