Opened 12 hours ago
#11418 new defect
stack-buffer-overflow on libavcodec/aacenc_tns.c
Reported by: | 0x20z | Owned by: | |
---|---|---|---|
Priority: | important | Component: | undetermined |
Version: | git-master | Keywords: | |
Cc: | 0x20z | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
I have discovered a stack-buffer-overflow vulnerability. The POC file is attached to the session, and the version of ffmpeg is the main branch. Please confirm.
How to reproduce:
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -i poc -aac_pred true -profile:a aac_low output.mpd
log:
=================================================================
==1108156==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f286b5fe998 at pc 0x572aadc11f35 bp 0x7f286b5fe8e0 sp 0x7f286b5fe8d0
READ of size 4 at 0x7f286b5fe998 thread T1 (enc0:0:aac)
    #0 0x572aadc11f34 in ff_aac_search_for_tns libavcodec/aacenc_tns.c:204
    #1 0x572aacede67e in aac_encode_frame libavcodec/aacenc.c:1020
    #2 0x572aaaa197e2 in ff_encode_encode_cb libavcodec/encode.c:254
    #3 0x572aaaa1b896 in encode_simple_internal libavcodec/encode.c:340
    #4 0x572aaaa1bbfb in encode_simple_receive_packet libavcodec/encode.c:354
    #5 0x572aaaa1cb13 in encode_receive_packet_internal libavcodec/encode.c:388
    #6 0x572aaaa1e97e in avcodec_send_frame libavcodec/encode.c:531
    #7 0x572aa7edbe65 in encode_frame fftools/ffmpeg_enc.c:643
    #8 0x572aa7edf861 in frame_encode fftools/ffmpeg_enc.c:812
    #9 0x572aa7ee0a09 in encoder_thread fftools/ffmpeg_enc.c:899
    #10 0x572aa7fb17b2 in task_wrapper fftools/ffmpeg_sched.c:2534
    #11 0x7f286f094ac2 in start_thread nptl/pthread_create.c:442
    #12 0x7f286f12684f (/usr/lib/x86_64-linux-gnu/libc.so.6+0x12684f)

Address 0x7f286b5fe998 is located in stack of thread T1 (enc0:0:aac) at offset 40 in frame
    #0 0x572aadc1038a in ff_aac_search_for_tns libavcodec/aacenc_tns.c:162

  This frame has 2 object(s):
    [32, 40) 'en' (line 183) <== Memory access at offset 40 overflows this variable
    [64, 320) 'coefs' (line 165)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T1 (enc0:0:aac) created by T0 here:
    #0 0x7f286fc58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x572aa7f8ad4b in task_start fftools/ffmpeg_sched.c:414
    #2 0x572aa7fa09d7 in sch_start fftools/ffmpeg_sched.c:1615
    #3 0x572aa8006dea in transcode fftools/ffmpeg.c:864
    #4 0x572aa80081a8 in main fftools/ffmpeg.c:992
    #5 0x7f286f029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: stack-buffer-overflow libavcodec/aacenc_tns.c:204 in ff_aac_search_for_tns
Found by:
0x20z
Thank you for your time and attention
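The frame description in the report above already pins the bug down more precisely than the summary line does: the access is a 4-byte READ at frame offset 40, and 'en' occupies [32, 40), so the access is exactly 0 bytes past the end of an 8-byte object and, for 4-byte elements, is index 2 of a 2-element array. The access also does not overlap 'coefs' at [64, 320), so it landed in the ASan redzone and was caught cleanly rather than silently reading a neighbouring variable. The helper below is an added triage script (not part of this ticket, and not FFmpeg code) that extracts those facts from an ASan stack-buffer-overflow report; SAMPLE_REPORT is a trimmed copy of the ticket's log, and the element-size reasoning assumes the access size equals the element size, which is the usual case for a scalar array read:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Trimmed copy of the AddressSanitizer output in this ticket (constructed sample).
SAMPLE_REPORT = """\
==1108156==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f286b5fe998 at pc 0x572aadc11f35 bp 0x7f286b5fe8e0 sp 0x7f286b5fe8d0
READ of size 4 at 0x7f286b5fe998 thread T1 (enc0:0:aac)
    #0 0x572aadc11f34 in ff_aac_search_for_tns libavcodec/aacenc_tns.c:204
    #1 0x572aacede67e in aac_encode_frame libavcodec/aacenc.c:1020
Address 0x7f286b5fe998 is located in stack of thread T1 (enc0:0:aac) at offset 40 in frame
    #0 0x572aadc1038a in ff_aac_search_for_tns libavcodec/aacenc_tns.c:162
  This frame has 2 object(s):
    [32, 40) 'en' (line 183) <== Memory access at offset 40 overflows this variable
    [64, 320) 'coefs' (line 165)
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
OFFSET_RE = re.compile(r"located in stack of thread \S+(?: \([^)]*\))? at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)


@dataclass
class Triage:
    kind: str            # READ or WRITE
    size: int            # bytes accessed
    offset: int          # frame offset of the access
    function: str        # innermost frame of the faulting stack
    fault_site: str      # file:line of the access
    variable: str        # stack object the access runs past
    decl_line: int       # line where that object is declared
    var_bytes: int       # size of that object
    bytes_past_end: int  # 0 means the very first byte after the object
    element_index: int   # index reached, assuming size-byte elements
    element_count: int   # elements the object holds, same assumption
    neighbour: Optional[str]  # object the accessed bytes overlap, or None (redzone)


def triage(report: str) -> Triage:
    """Parse an ASan stack-buffer-overflow report into the facts a fix needs."""
    access = ACCESS_RE.search(report)
    where = OFFSET_RE.search(report)
    frame = FRAME_RE.search(report)  # first #0 is the faulting stack, not the frame location
    objects = [(int(a), int(b), n, int(l)) for a, b, n, l in OBJECT_RE.findall(report)]
    if not (access and where and frame and objects):
        raise ValueError("report lacks access line, frame offset, stack frame or object list")
    kind, size = access.group(1), int(access.group(2))
    off = int(where.group(1))

    # ASan reports stack offsets that fall outside every object, so the culprit
    # is the object whose end is nearest at or below the faulting offset.
    below = [o for o in objects if o[1] <= off]
    if not below:
        raise ValueError("access lies below the first object (stack underflow, not handled here)")
    start, end, name, line = max(below, key=lambda o: o[1])

    # Any other object overlapping [off, off + size)? None means the bytes landed
    # purely in the redzone and the detector caught the access cleanly.
    hit = [o[2] for o in objects if o[0] < off + size and off < o[1]]

    return Triage(kind=kind, size=size, offset=off,
                  function=frame.group(1),
                  fault_site=f"{frame.group(2)}:{frame.group(3)}",
                  variable=name, decl_line=line, var_bytes=end - start,
                  bytes_past_end=off - end,
                  element_index=(off - start) // size,
                  element_count=(end - start) // size,
                  neighbour=hit[0] if hit else None)


def describe(t: Triage) -> str:
    """One-line human summary of a Triage result."""
    landing = f"also overlaps '{t.neighbour}'" if t.neighbour else "lands in the redzone"
    return (f"{t.kind} of {t.size} bytes at frame offset {t.offset} in {t.function} "
            f"({t.fault_site}): {t.bytes_past_end} bytes past the end of '{t.variable}' "
            f"({t.var_bytes} bytes, declared line {t.decl_line}); with {t.size}-byte elements "
            f"that is index {t.element_index} of a {t.element_count}-element array; {landing}")


if __name__ == "__main__":
    print(describe(triage(SAMPLE_REPORT)))
```

Run it on a full report (or paste the whole log into SAMPLE_REPORT) and it prints the declaration line to look at (183), the access line to look at (204) and the index that went out of range; a fix then reduces to either bounding the index used at line 204 or sizing the array at line 183 to match the range of that index, whichever the surrounding logic intends.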
Attachments (1)