Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security
use uninitialized stack value as a pointer while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file uses an uninitialized stack value as a pointer, which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------
june@yuweol:~/poc/ffmpeg2theora/crash3$ ffmpeg2theora poc
[h263 @ 0x557eb7fb5840] Format h263 detected only with low score of 25, misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 1200k tbn, 29.97 tbc
  Pixel Aspect Ratio: 1.09/1
  Frame Aspect Ratio: 1.33/1
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x557eb7fb6880] I cbpc damaged at 0 0
[h263 @ 0x557eb7fb6880] Error at MB: 0
[h263 @ 0x557eb7fb6880] concealing 99 DC, 99 AC, 99 MV errors in I frame
    0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:00:00
Segmentation fault
-------------------------------------------

Starting program: /usr/bin/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[h263 @ 0x555555811820] Format h263 detected only with low score of 25, misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 1200k tbn, 29.97 tbc

************************************************************
Breakpoint 1, 0x0000555555563ab8 in ?? ()
(gdb) x/2x $rbp - 0x368
0x7fffffffca18: 0xf493f960      0x00007fff
************************************************************
- This is the entry point of the function; the local variable at $rbp - 0x368 is 0x7ffff693f960.
************************************************************

(gdb) c
Continuing.
  Pixel Aspect Ratio: 1.09/1
  Frame Aspect Ratio: 1.33/1
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x555555812860] I cbpc damaged at 0 0
[h263 @ 0x555555812860] Error at MB: 0
[h263 @ 0x555555812860] concealing 99 DC, 99 AC, 99 MV errors in I frame
    0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:01:55

Program received signal SIGSEGV, Segmentation fault.
clear_context (s=0x7ffff493f960) at libswresample/swresample.c:116
116         s->in_buffer_index= 0;

************************************************************
- The value 7ffff493f960, which is the same as the uninitialized value above, was passed to the clear_context function as a parameter.
************************************************************

(gdb) bt
#0  clear_context (s=0x7ffff493f960) at libswresample/swresample.c:116
#1  0x00005555555648e6 in ?? ()
#2  0x000055555555c8da in main ()
(gdb) f 1
#1  0x00005555555648e6 in ?? ()
(gdb) x/5i $rip-16
   0x5555555648d6:      mov    -0x368(%rbp),%edi
   0x5555555648dc:      test   %rdi,%rdi
   0x5555555648df:      je     0x5555555648e6
   0x5555555648e1:      callq  0x55555555b650 <swr_close@plt>
=> 0x5555555648e6:      mov    -0x38(%rbp),%rax
(gdb) x/2x $rbp - 0x368
0x7fffffffca18: 0xf493f960      0x00007fff

************************************************************
- The argument %rdi comes from -0x368(%rbp), which is the same position we checked at the entry point of this function.
-------------------------------------------

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
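The trace above is consistent with a cleanup guard of the form `if (swr) swr_close(swr)` reading a stack slot that is only assigned on inputs with an audio stream, so on this video-only input the guard tests whatever the slot happened to hold. The C below is an added illustration, not ffmpeg2theora's or libswresample's code: `Ctx`, `ctx_open`, `ctx_close` and the `has_audio` flag are hypothetical stand-ins for `SwrContext`, `swr_alloc` and `swr_close`, and it shows the vulnerable shape beside the hardened one, where the handle is initialised to NULL so the guard is meaningful.

```c
#include <stddef.h>

/* Hypothetical stand-in for SwrContext. Like clear_context() in the
 * trace, ctx_close() dereferences its argument unconditionally. */
typedef struct { int in_buffer_index; int closed; } Ctx;

static int g_close_calls;   /* counts ctx_close() calls so a caller can check */
static Ctx g_ctx;           /* static storage keeps the example heap-free */

static Ctx *ctx_open(void) { g_ctx.in_buffer_index = 8; g_ctx.closed = 0; return &g_ctx; }

static void ctx_close(Ctx *s) {
    s->in_buffer_index = 0;   /* faults if s is NULL or a stale stack value */
    s->closed = 1;
    g_close_calls++;
}

/* Vulnerable shape (shown as a comment, never compiled or run here): the
 * handle is assigned only when the input has audio, but the guarded close
 * runs on every path, so a video-only input reaches the guard with whatever
 * value an earlier call left in that stack slot.
 *
 *   int convert_buggy(int has_audio) {
 *       Ctx *swr;                         // uninitialised
 *       if (has_audio) swr = ctx_open();
 *       ...transcode...
 *       if (swr) ctx_close(swr);          // stale pointer on the no-audio path
 *       return 0;
 *   }
 */

/* Hardened shape: every resource handle is initialised at its declaration
 * and reset after closing, so the guard reflects the handle's real state. */
int convert_fixed(int has_audio) {
    Ctx *swr = NULL;          /* the one-line fix */
    if (has_audio)
        swr = ctx_open();
    /* ...transcoding would happen here... */
    if (swr) {                /* only true when a real handle was opened */
        ctx_close(swr);
        swr = NULL;           /* no double close if a later path also cleans up */
    }
    return 0;
}

/* Returns how many closes one conversion performed, for verification. */
int close_calls_after(int has_audio) {
    g_close_calls = 0;
    convert_fixed(has_audio);
    return g_close_calls;
}
```

Compiling the commented shape with gcc's -Wall (which enables -Wmaybe-uninitialized at -O1 and above) or running it under MemorySanitizer reports the branch on uninitialised memory; the runtime guard alone cannot.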
-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information
poc
Description: Binary data